07 Apr, 2023

Windows Remote Management (WinRM)

WinRM stands for Windows Remote Management. It is a Microsoft technology that allows remote management of Windows computers through a secure connection. WinRM enables administrators to execute commands, run scripts, and access management information for local or remote machines. It uses the WS-Management protocol to facilitate communication between machines and can be configured for both HTTP and HTTPS transports. WinRM is an essential tool for managing large-scale Windows deployments, including servers and workstations.

WinRM common ports

For HTTP transport: Port 5985
For HTTPS transport: Port 5986
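The HTTPS transport described above, shown end to end as an added example (not code from the original article): the server side creates a TLS listener on 5986 bound to its machine certificate and drops the plaintext listener, and the client side connects over it. The host name srv01.corp.example, the management subnet 10.10.0.0/24 and the account CORP\winrm-admin are assumed placeholder values.

```powershell
# Added example, not from the original article. Hostname, subnet and
# account below are assumed placeholders; replace them for your estate.

# --- Server side (run elevated on srv01.corp.example) ---
$fqdn = 'srv01.corp.example'

# Pick the newest machine certificate whose subject matches the host FQDN.
# Issue it from your enterprise CA; self-signed certificates are for labs only.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No machine certificate for CN=$fqdn found" }

# Create the HTTPS listener (TCP 5986) bound to that certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $fqdn -CertificateThumbPrint $cert.Thumbprint -Force

# Remove the plaintext HTTP listener (TCP 5985) so only TLS is offered.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse

# Allow 5986 inbound only from the management subnet (assumed 10.10.0.0/24).
New-NetFirewallRule -DisplayName 'WinRM HTTPS (management subnet only)' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress 10.10.0.0/24 -Action Allow

# --- Client side ---
$cred = Get-Credential 'CORP\winrm-admin'   # assumed dedicated management account
# Keep CA and CN checks on: a forged or mismatched certificate must fail.
$opt = New-PSSessionOption -SkipCACheck:$false -SkipCNCheck:$false

# Test-WSMan sends a WS-Management Identify request and returns the
# service's protocol and product version if the listener answers.
Test-WSMan -ComputerName $fqdn -UseSSL -Credential $cred -Authentication Kerberos

# Invoke-Command runs the script block on the server over the HTTPS listener.
Invoke-Command -ComputerName $fqdn -UseSSL -Port 5986 -Credential $cred `
    -SessionOption $opt -ScriptBlock {
        Get-Service WinRM | Select-Object Name, Status, StartType
    }
```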

Standard commands used by unauthorized users

Ping: This command is used to test network connectivity between two devices. It sends packets of data to a device and measures the response time. Unauthorized users may use this command to test for the presence of a system or to launch a denial of service (DoS) attack by flooding the system with packets.

Tracert: This command is used to trace the path that a packet takes from one device to another over a network. Unauthorized users may use this command to map out the network topology and identify potential vulnerabilities.

Netstat: This command is used to display active network connections, including open ports and listening services. Unauthorized users may use this command to identify potential entry points into a system.

Telnet: This command is used to establish a remote connection to a device over the internet. Unauthorized users may use this command to gain access to a system and execute commands remotely.

Tools for using the WinRM protocol

Manual Tools:

  • PowerShell: a command-line shell and scripting language used for system administration tasks. It includes cmdlets for managing WinRM connections and can be used to manually test WinRM connectivity.

  • Windows Remote Shell (WinRS): a command-line tool that allows remote execution of commands on Windows machines. It uses WinRM for remote connectivity and can be used to manually test WinRM connections.

  • PuTTY: a popular SSH and telnet client that can also be used for remote command execution. It can be configured to use WinRM for remote connections and can be used to manually test WinRM connectivity.

  • Telnet: a command-line tool that can be used to establish a remote connection to a device over the internet. It can be used to manually test WinRM connectivity.

  • Microsoft Management Console (MMC): a Windows management tool that can be used to create custom management consoles. It includes a WinRM snap-in that can be used to manually test WinRM connectivity.

Automated Tools:

  • WinRMTest: a free tool that can be used to test WinRM connectivity. It allows users to specify a target machine and credentials, and then tests the connection using the HTTP or HTTPS protocol.

  • WinRMChecker: an open-source tool that can be used to check the status of WinRM on a remote machine. It can be used to test both HTTP and HTTPS connections and to troubleshoot WinRM connectivity issues.

  • PRTG Network Monitor: a network monitoring tool that includes a WinRM sensor for monitoring and testing WinRM connections. It can be used to monitor WinRM performance and troubleshoot connectivity issues.

  • PowerShell Remoting Protocol (PSRP) Analyzer: a PowerShell script that can be used to test WinRM connectivity and performance. It includes tests for authentication, encryption, and performance metrics.

  • WinRM-Test: a PowerShell module that can be used to test WinRM connectivity and performance. It includes cmdlets for testing authentication, encryption, and performance metrics.

  • Microsoft System Center Operations Manager (SCOM): a Windows server monitoring tool that includes a WinRM management pack for monitoring and testing WinRM connections. It can be used to monitor WinRM performance and troubleshoot connectivity issues.

  • Nagios: an open-source network monitoring tool that includes a WinRM plugin for monitoring and testing WinRM connections. It can be used to monitor WinRM performance and troubleshoot connectivity issues.

  • Zabbix: an open-source network monitoring tool that includes a WinRM agent for monitoring and testing WinRM connections. It can be used to monitor WinRM performance and troubleshoot connectivity issues.

  • SolarWinds Network Performance Monitor (NPM): a network monitoring tool that includes a WinRM monitor for monitoring and testing WinRM connections. It can be used to monitor WinRM performance and troubleshoot connectivity issues.

  • Microsoft Remote Server Administration Tools (RSAT): a set of Windows tools that can be used for remote server administration. It includes a WinRM snap-in that can be used to manually test WinRM connectivity.

Browser Plugins:

  • WinRM Client for Chrome: a Chrome extension that allows users to connect to remote Windows machines through WinRM. It can be used to execute commands and scripts remotely.

  • WinRM Client for Firefox: a Firefox extension that allows users to connect to remote Windows machines through WinRM. It can be used to execute commands and scripts remotely.

Last three known CVEs for WinRM

• CVE-2021-27022 – A flaw was discovered in bolt-server and ace where running a task with sensitive parameters results in those sensitive parameters being logged when they should not be. This issue only affects SSH/WinRM nodes (inventory service nodes).

• CVE-2018-11746 – In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if an HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery.

• CVE-2007-1658 – Windows Mail in Microsoft Windows Vista might allow user-assisted remote attackers to execute certain programs via a link to a (1) local file or (2) UNC share pathname in which there is a directory with the same base name as an executable program at the same level, as demonstrated using C:/windows/system32/winrm (winrm.cmd) and migwiz (migwiz.exe).

Useful information

– WinRM is automatically installed with all currently supported versions of the Windows operating system, and the service starts automatically on Windows Server 2008 and later.

– WinRM provides a command line interface that can be used to perform common management tasks, and also provides a scripting API so you can write your own Windows Scripting Host based scripts.

– WinRM relies on management data provided by WMI, but it makes the exchange of data much easier by utilizing the HTTP protocol.

– WinRM interacts with the Windows applications and operating systems in the device, and with remote servers and devices that use Windows, using the SOAP protocol.

Known banners

  • Microsoft WinRM client version 3.0

  • WinRM version 2.0

  • Windows Remote Management (WS-Management) service

  • Windows Remote Management Service (WinRM)

  • WinRM service version 1.1

  • Microsoft Windows Remote Management (WinRM) service version 2.2

Books for studying WinRM

Windows PowerShell 2.0 Administrator’s Pocket Consultant by William R. Stanek: This book covers various aspects of WinRM and PowerShell, including how to use WinRM to remotely manage Windows computers, how to configure WinRM, and how to troubleshoot WinRM issues.

Managing Windows Servers with Chef by John Ewart: This book covers how to use Chef, an open-source configuration management tool, to manage Windows servers, including how to use WinRM to remotely manage Windows computers.

Windows PowerShell Cookbook by Lee Holmes: This book covers various aspects of PowerShell, including how to use WinRM to remotely manage Windows computers, how to configure WinRM, and how to troubleshoot WinRM issues.

PowerShell and WMI by Richard Siddaway: This book covers how to use PowerShell and WMI (Windows Management Instrumentation) to manage Windows computers, including how to use WinRM to remotely manage Windows computers.

Windows Server 2016 Automation with PowerShell Cookbook by Thomas Lee: This book covers various aspects of PowerShell automation on Windows Server 2016, including how to use WinRM to remotely manage Windows computers.

List of payloads for WinRM

  • PowerShell commands: PowerShell is a powerful scripting language used for automation and management of Windows machines. WinRM can be used to execute PowerShell commands on a remote machine.

  • Batch files: Batch files are scripts that can be executed on Windows machines to automate tasks. WinRM can be used to run batch files remotely.

  • Windows Management Instrumentation (WMI) queries: WMI is a management technology used by Windows for querying and managing system information. WinRM can be used to execute WMI queries on a remote machine.

  • Remote Procedure Calls (RPCs): RPCs are a mechanism used by Windows for inter-process communication. WinRM can be used to execute RPCs remotely.

  • Command-line tools: WinRM can be used to execute various command-line tools such as ping, ipconfig, netstat, etc. on a remote machine.

Mitigation

  1. WinRM supports various authentication methods such as Kerberos, NTLM, and certificate-based authentication over SSL/TLS. Use the strongest authentication method available to ensure that only authorized users can access the remote system.

  2. WinRM also supports encryption through SSL/TLS. Enabling encryption helps to protect sensitive data in transit by encrypting the data between the client and server.

  3. Limit the exposure of WinRM to the internet and only allow access from trusted networks or IP addresses.

  4. Enable auditing of WinRM events to detect and respond to any suspicious activity.

  5. Configure WinRM settings to limit the scope of remote management operations and only allow access to authorized users.

  6. Keep WinRM updated with the latest security patches and updates to ensure that any known security vulnerabilities are addressed.

  7. Create a dedicated account for WinRM that has the minimum necessary privileges to perform remote management operations.
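The checks behind mitigation items 1 to 5 and 7, gathered into one audit function as an added example (not code from the original article). It reads the local WSMan configuration, firewall rules, event log state and session configurations and returns one finding per weak setting; run it in an elevated session on the host being checked.

```powershell
# Added example, not from the original article: audit this host's WinRM
# settings against the mitigation list and return a list of findings.
function Test-WinRmHardening {
    $findings = @()
    $svc = 'WSMan:\localhost\Service'

    # Items 1-2: refuse unencrypted payloads and Basic auth (clear-text
    # credentials), and keep Kerberos on so domain clients are not pushed to NTLM.
    if ((Get-Item "$svc\AllowUnencrypted").Value -eq 'true') {
        $findings += 'AllowUnencrypted=true (Set-Item WSMan:\localhost\Service\AllowUnencrypted $false)'
    }
    if ((Get-Item "$svc\Auth\Basic").Value -eq 'true') {
        $findings += 'Basic auth enabled (Set-Item WSMan:\localhost\Service\Auth\Basic $false)'
    }
    if ((Get-Item "$svc\Auth\Kerberos").Value -ne 'true') {
        $findings += 'Kerberos auth disabled'
    }

    # Item 2: only a TLS listener (TCP 5986) should be offered.
    $keys = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object { $_.Keys })
    if ($keys -contains 'Transport=HTTP')         { $findings += 'Plaintext HTTP listener present' }
    if (-not ($keys -contains 'Transport=HTTPS')) { $findings += 'No HTTPS listener configured' }

    # Item 3: inbound allow rules for 5985/5986 must not accept any remote address.
    foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
        $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort) -join ','
        if ($ports -notmatch '\b598[56]\b') { continue }
        if (@(($rule | Get-NetFirewallAddressFilter).RemoteAddress) -contains 'Any') {
            $findings += "Firewall rule '$($rule.DisplayName)' allows WinRM from Any"
        }
    }

    # Item 4: the WinRM operational log is where session and auth events land.
    if (-not (Get-WinEvent -ListLog 'Microsoft-Windows-WinRM/Operational').IsEnabled) {
        $findings += 'Microsoft-Windows-WinRM/Operational log is disabled'
    }

    # Items 5 and 7: session configurations should admit a dedicated
    # management group, not broad built-in groups.
    foreach ($cfg in Get-PSSessionConfiguration) {
        if ($cfg.Permission -match 'Everyone|Authenticated Users|BUILTIN\\Users') {
            $findings += "Session configuration '$($cfg.Name)' grants access to a broad group"
        }
    }
    return $findings
}

Test-WinRmHardening   # one line per finding; no output means every check passed
```

Item 6 (patch level) is not covered here because it depends on your update tooling rather than on WinRM settings.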

Conclusion

WinRM is a powerful tool for remotely managing Windows systems that can greatly improve productivity and efficiency for system administrators. However, it is important to use WinRM responsibly and implement proper security measures to ensure that it is not misused or exploited for malicious purposes.
