# WinRM (5985, 5986)

{% tabs %}
{% tab title="Windows Remote Management (WinRM)" %} <mark style="color:green;">`Windows Remote Management (WinRM)`</mark> is a command-line remote management protocol built into Windows that uses SOAP over HTTP(S) for remote connections. From Windows 10 onwards it must be enabled explicitly. WinRM communicates over <mark style="color:green;">`TCP ports 5985 (HTTP)`</mark> and <mark style="color:green;">`5986 (HTTPS)`</mark>, which replaced the earlier use of ports 80 and 443 for security reasons. WinRM works together with Windows Remote Shell (<mark style="color:green;">`WinRS`</mark>) to execute commands on remote systems, and it is available by default on Windows 7 and later.
{% endtab %}

{% tab title="Resources" %}

* [GitHub evil-winrm](https://github.com/Hackplayers/evil-winrm)

{% endtab %}
{% endtabs %}

## Footprinting

{% tabs %}
{% tab title="Commands" %}

* **Basic nmap Scanning**

```bash
> nmap -sV -sC TARGET_IP -p5985,5986 --disable-arp-ping -n
```

* **Install evil-winrm**

```bash
> sudo gem install evil-winrm
```

* **Login to WinRM server using evil-winrm**

```bash
> evil-winrm -i TARGET_IP -u <username> -p <password>
> evil-winrm -i TARGET_IP -u <username> -H "<passwordHash>"
```

{% endtab %}
{% endtabs %}
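A defender-side complement to the commands above, added here as an example and not part of the original page: a small Python detector that walks exported Windows event records and reports each WinRM remote-shell creation (Microsoft-Windows-WinRM/Operational event 91), attaching the source IP of a network logon (Security event 4624, logon type 3) by the same account shortly before it. The sample records are constructed, and the simplified field names and the 30-second correlation window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records, shaped like a simplified CSV/JSON export of the
# Security log and the Microsoft-Windows-WinRM/Operational log.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "log": "Security", "id": 4624,
     "user": "svc_backup", "logon_type": 3, "ip": "10.0.0.25"},
    {"time": "2024-01-10T09:00:02", "log": "Microsoft-Windows-WinRM/Operational",
     "id": 91, "user": "svc_backup",
     "resource_uri": "http://schemas.microsoft.com/powershell/Microsoft.PowerShell"},
    {"time": "2024-01-10T09:05:00", "log": "Security", "id": 4624,
     "user": "alice", "logon_type": 2, "ip": "-"},            # interactive, not WinRM
    {"time": "2024-01-10T11:30:00", "log": "Microsoft-Windows-WinRM/Operational",
     "id": 91, "user": "jdoe",
     "resource_uri": "http://schemas.microsoft.com/powershell/Microsoft.PowerShell"},
]

WINRM_LOG = "Microsoft-Windows-WinRM/Operational"
WINDOW = timedelta(seconds=30)  # assumption: the logon lands within 30 s before the shell


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_winrm_shells(events, window=WINDOW):
    """Return one finding per WinRM shell creation (event 91).

    Each finding carries the source IP of the nearest preceding network logon
    (4624, logon type 3) by the same account inside `window`, or "unknown"
    when no such logon exists in the exported records."""
    network_logons = [e for e in events
                      if e["log"] == "Security" and e["id"] == 4624 and e["logon_type"] == 3]
    findings = []
    for ev in sorted(events, key=_ts):
        if ev["log"] != WINRM_LOG or ev["id"] != 91:
            continue
        shell_time = _ts(ev)
        source_ip = "unknown"
        for logon in sorted(network_logons, key=_ts, reverse=True):
            if logon["user"] == ev["user"] and timedelta(0) <= shell_time - _ts(logon) <= window:
                source_ip = logon["ip"]
                break
        findings.append({"time": ev["time"], "user": ev["user"],
                         "source_ip": source_ip, "resource_uri": ev["resource_uri"]})
    return findings


if __name__ == "__main__":
    for f in find_winrm_shells(SAMPLE_EVENTS):
        print(f"{f['time']} WinRM shell opened by {f['user']} from {f['source_ip']}")
```

A shell whose source IP is "unknown" or outside the hosts expected to use WinRM is the record worth following up.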
