309 words
2 minutes
Windows Remote Management Protocols
2025-04-20
Footprinting
Cyber

Key Components of Windows Remote Management#

1. RDP (Remote Desktop Protocol)#

  • Allows remote graphical access to Windows systems.
  • Uses TCP port 3389, and optionally UDP port 3389 for performance.
  • Encrypted using TLS/SSL since Windows Vista.
  • Requires firewall/NAT rules to be correctly set up for external access.
  • Can default to self-signed certificates, which makes MITM attacks possible unless a trusted CA is used.

Security note: NLA (Network Level Authentication) is required by default, adding a layer of authentication before the session is created.

2. WinRM (Windows Remote Management)#

  • Based on WS-Management protocol (Web Services for Management).
  • Allows command-line-based or script-based remote management.
  • Accessible via PowerShell, useful in automation and scripting.

3. WMI (Windows Management Instrumentation)#

  • Enables querying and managing system info across networks.
  • Frequently used in monitoring tools, scripts, and malware alike.

Footprinting RDP with Nmap#

nmap -sV -sC -p3389 --script rdp* 10.129.201.248

This command does the following:

  • sV: version detection
  • sC: run default scripts
  • -script rdp*: run all RDP-related NSE scripts
  • p3389: scan only port 3389

Scan Results Reveal:

  • NLA (CredSSP) is enabled (SUCCESS)
  • Host info like NetBIOS, DNS, Computer_Name, Product_Version (Windows 10.0.17763)
  • Time synchronization on target system

This helps identify if the system is vulnerable to RDP-related exploits or supports weak encryption methods.

Packet Analysis with -packet-trace#

nmap -sV -sC 10.129.201.248 -p3389 --packet-trace --disable-arp-ping -n

Used to trace packets and inspect the raw data sent/received during scanning.

Interesting Observations:

  • The scan uses mstshash=nmap cookie as part of the client handshake.
  • Tools like EDR (Endpoint Detection & Response) can spot this signature.
  • If the network is hardened, scanning using this default may trigger alerts or bans.

Tip for Red Teamers: Customize or obfuscate the default RDP client strings to avoid detection.

Summary of Findings from Nmap:#

FieldInfo
Port3389 open
ServiceMicrosoft Terminal Services
NLA EnabledYes (CredSSP: SUCCESS)
System InfoILF-SQL-01, Version: 10.0.17763
Security NoteLikely using self-signed TLS certificates
EDR Detection RiskHigh if default mstshash=nmap is used

If you’re doing a penetration test or hardening your own system, this information is super valuable. You can:

  • Verify that RDP is configured securely
  • Disable weak authentication/encryption
  • Avoid default scanning signatures
  • Validate whether systems are exposing too much info through default services
Windows Remote Management Protocols
https://fuwari.vercel.app/posts/windows-remote-management-protocols/
Author
Ranjung Yeshi Norbu
Published at
2025-04-20
Staff
SMB
© 2025 Ranjung Yeshi Norbu. All Rights Reserved. / RSS / Sitemap
Powered by Astro & Fuwari