Port 5985/5986 – WinRM (Windows Remote Management)

Service: WinRM
Protocol: TCP
Port: 5985 (HTTP), 5986 (HTTPS)
Used for: Remote PowerShell & admin tasks

Why It’s Open

WinRM is the backbone of PowerShell remoting in modern Windows environments.

Common Risks

  • NTLM Relay Attacks
  • Credential Theft
  • Lateral Movement in AD


Enumeration & Testing

Nmap check (replace <target> with the host or range in scope)

nmap -p 5985,5986 -sV <target>
nmap -p 5985 --script http-winrm-enum <target>

WinRM enumeration (<target>, <user> and <password> are placeholders)

winrm enumerate http://<target>:5985/wsman
evil-winrm -i <target> -u <user> -p <password>
winrm get winrm/config

What to Look For

Checkpoint            What it means
No encryption         Major data theft risk
Weak auth allowed     May be vulnerable to relay

Known Exploits

  1. CVE-2016-3115 WinRM in Microsoft Windows allows remote attackers to execute arbitrary code via a crafted request. 🔗 NVD Entry
  2. CVE-2015-0014 WinRM in Microsoft Windows allows remote attackers to execute arbitrary code via a crafted request. 🔗 NVD Entry

Mitigation

  • Enforce HTTPS (5986).
  • Disable basic/NTLM if not required.
  • Use endpoint protection and event logging.
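The following PowerShell script is an added example, not part of the original page or of PentestPad's tooling. It turns the "What to Look For" checkpoints and the mitigation list above into one audit-and-harden routine for the local Windows host: it reads the live WSMan service configuration, reports each failed checkpoint, and with -Remediate adds an HTTPS listener, removes HTTP listeners, disables unencrypted payloads and Basic auth, and enables logging. It assumes a server-authentication certificate for the host is already installed in Cert:\LocalMachine\My (its thumbprint is passed in), and that 'WINRM-HTTP-In-TCP' is the name of the built-in inbound firewall rule for WinRM over HTTP (an assumption to verify with Get-NetFirewallRule).

```powershell
# Added example (not from the original page): audit the local host's WinRM settings against the
# checkpoints above and, with -Remediate, apply the listed mitigations. Run elevated on the host.
# Assumptions: host certificate already in Cert:\LocalMachine\My; 'WINRM-HTTP-In-TCP' is the
# built-in HTTP firewall rule name (verify with Get-NetFirewallRule before relying on it).

[CmdletBinding()]
param(
    [switch]$Remediate,
    [string]$CertificateThumbprint
)

function Get-WinRMListeners {
    # Each listener is a container under WSMan:\localhost\Listener holding Address/Transport/Port items.
    Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $props = @{}
        Get-ChildItem $_.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
        [pscustomobject]@{ Address = $props['Address']; Transport = $props['Transport']; Port = $props['Port'] }
    }
}

function Get-WinRMFindings {
    # Mirrors the "What to Look For" table: each finding names the checkpoint it fails.
    $findings = @()
    $svc = 'WSMan:\localhost\Service'

    if ((Get-Item "$svc\AllowUnencrypted").Value -eq 'true') {
        $findings += [pscustomobject]@{ Checkpoint = 'No encryption'; Detail = 'AllowUnencrypted=true: WS-Man payloads may cross the wire in clear text' }
    }
    foreach ($l in Get-WinRMListeners) {
        if ($l.Transport -eq 'HTTP') {
            $findings += [pscustomobject]@{ Checkpoint = 'No encryption'; Detail = "HTTP listener on $($l.Address):$($l.Port) (port 5985)" }
        }
    }
    if ((Get-Item "$svc\Auth\Basic").Value -eq 'true') {
        $findings += [pscustomobject]@{ Checkpoint = 'Weak auth allowed'; Detail = 'Basic authentication enabled: credentials are protected only by the transport' }
    }
    if ((Get-Item "$svc\Auth\Negotiate").Value -eq 'true') {
        $findings += [pscustomobject]@{ Checkpoint = 'Weak auth allowed'; Detail = 'Negotiate enabled: NTLM fallback possible when Kerberos is unavailable; keep only if required' }
    }
    return $findings
}

function Invoke-WinRMHardening {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # 1. Enforce HTTPS (5986): add an HTTPS listener bound to the host certificate, then drop HTTP listeners.
    $hasHttps = @(Get-WinRMListeners | Where-Object Transport -eq 'HTTPS').Count -gt 0
    if (-not $hasHttps) {
        New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
            -ValueSet @{ Hostname = $env:COMPUTERNAME; CertificateThumbprint = $Thumbprint } | Out-Null
    }
    foreach ($l in @(Get-WinRMListeners | Where-Object Transport -eq 'HTTP')) {
        Remove-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{ Address = $l.Address; Transport = 'HTTP' }
    }
    Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -Enabled False -ErrorAction SilentlyContinue   # assumed rule name

    # 2. Refuse unencrypted payloads and Basic auth. Negotiate is reported, not changed: disabling
    #    it is a site decision (non-domain clients depend on it), matching "if not required" above.
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

    # 3. Logging: keep the WinRM operational channel enabled and record the content of remote
    #    PowerShell script blocks (Microsoft-Windows-PowerShell/Operational, event 4104).
    wevtutil sl Microsoft-Windows-WinRM/Operational /e:true
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

$before = @(Get-WinRMFindings)
if ($before.Count -eq 0) { Write-Host 'No WinRM findings.' } else { $before | Format-Table -AutoSize }

if ($Remediate) {
    if (-not $CertificateThumbprint) { throw 'Pass -CertificateThumbprint together with -Remediate.' }
    Invoke-WinRMHardening -Thumbprint $CertificateThumbprint
    Write-Host 'After hardening:'
    @(Get-WinRMFindings) | Format-Table -AutoSize
}
```

Run it once without -Remediate to get the findings list for the report, then with -Remediate -CertificateThumbprint <thumbprint> from a console session rather than over WinRM itself, since removing the HTTP listener terminates any remoting session that came in on port 5985. The certificate's subject must match the hostname the clients connect to, otherwise the new HTTPS listener is reachable but clients will refuse the TLS handshake.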

TL;DR

  • Service: Windows Remote Management (WinRM)
  • Default Ports: 5985 (HTTP), 5986 (HTTPS)
  • Risks: Unauthorized remote code execution, information disclosure
  • Mitigation: Use HTTPS (5986), restrict access, enforce strong authentication, monitor logs