Port 5986 – WSMAN-SSL (Windows Remote Management)

Service: wsman-ssl
Protocol: TCP
Port: 5986
Used for: Windows Remote Management over HTTPS

Why It’s Open

Port 5986 is used by Windows Remote Management (WinRM) over HTTPS. WinRM is Microsoft’s implementation of the WS-Management protocol, providing secure remote administration of Windows systems. This port enables PowerShell remoting, Windows management tools, and enterprise administration solutions.

Common Risks

  • Remote code execution
    PowerShell remoting allows arbitrary command execution
  • Credential attacks
    Brute force against Windows user accounts
  • Lateral movement
    Authenticated access enables network traversal
  • Privilege escalation
    WinRM often runs with high privileges
  • Certificate vulnerabilities
    SSL/TLS misconfigurations expose traffic
  • Authentication bypass
    Vulnerabilities in WS-Management implementation
  • Information disclosure
    System enumeration through management interfaces


Enumeration & Testing

Service Detection:

nmap -sV -p 5986

WinRM Connection Test:

winrs -r:https://:5986 -u:username -p:password cmd

PowerShell Remoting:

Enter-PSSession -ComputerName -Port 5986 -UseSSL

What to Look For

Checkpoint          What it means
------------------  -------------------------------------------------
Service version     Identify software version and patch level
Authentication      Check for default or weak credentials
SSL/TLS config      Verify encryption settings if applicable
Access controls     Test for proper authorization mechanisms

Mitigation

  • Keep software updated
    Apply latest security patches
  • Strong authentication
    Use complex passwords and 2FA
  • Access restrictions
    Limit service to trusted networks
  • Monitor activity
    Log and review service usage
  • Disable if unused
    Remove unnecessary services
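The following PowerShell audit script is an added example (not part of the original page) that puts the mitigation points above into practice on a WinRM host: it inspects the 5986 listener and its certificate, checks the service authentication settings, restricts inbound 5986 to a management subnet, and pulls recent WinRM shell creations for review. It assumes Windows PowerShell 5.1 on Windows Server 2012 R2 or later, run from an elevated prompt; the 10.10.0.0/24 subnet is a constructed placeholder.

```powershell
# Added audit example (not from the original page). Assumes an elevated
# Windows PowerShell 5.1 session; 10.10.0.0/24 is a constructed placeholder
# for the management subnet that should be allowed to reach 5986.
$mgmtSubnet = '10.10.0.0/24'

# 1. Listeners: every HTTPS listener must carry a certificate thumbprint;
#    an HTTP listener on 5985 means the unencrypted transport is also exposed.
foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
    $p = Get-ChildItem $listener.PSPath
    $transport = ($p | Where-Object Name -eq 'Transport').Value
    $port      = ($p | Where-Object Name -eq 'Port').Value
    $thumb     = ($p | Where-Object Name -eq 'CertificateThumbprint').Value
    "Listener: $transport on port $port (thumbprint: $thumb)"
    if ($transport -eq 'HTTPS' -and $thumb) {
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
        if (-not $cert) { Write-Warning "Thumbprint $thumb not found in LocalMachine\My" }
        elseif ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Listener certificate expired on $($cert.NotAfter)" }
        elseif ($cert.Subject -eq $cert.Issuer) { Write-Warning 'Listener certificate is self-signed; clients cannot validate it' }
    }
    if ($transport -eq 'HTTP') { Write-Warning 'HTTP listener present: unencrypted WinRM is also reachable on 5985' }
}

# 2. Service authentication: Basic auth and unencrypted payloads should be off.
#    The WSMan provider returns these values as the strings 'true' / 'false'.
$basic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
$unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
if ($basic -eq 'true')       { Write-Warning 'Basic authentication is enabled on the WinRM service' }
if ($unencrypted -eq 'true') { Write-Warning 'AllowUnencrypted is true; unencrypted SOAP payloads are accepted' }

# 3. Network restriction: allow inbound 5986 only from the management subnet.
#    This only helps if no broader allow rule for 5986 exists, so list them first.
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 5986 } |
    Get-NetFirewallRule | Select-Object DisplayName, Enabled, Direction, Action
New-NetFirewallRule -DisplayName 'WinRM HTTPS - management subnet only' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $mgmtSubnet -Action Allow | Out-Null

# 4. Monitoring: recent remote shell creations on this host (WinRM Operational
#    event 91). Correlate with Security event 4624 (logon type 3) for the user.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Forwarding the WinRM Operational and PowerShell Operational logs (script block logging, event 4104) to a central collector turns step 4 into continuous monitoring rather than a one-off check.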

TL;DR

  • Port 5986 = Windows Remote Management over HTTPS
  • PowerShell remoting enables remote code execution
  • High-value target for lateral movement and privilege escalation
  • Requires strong authentication and network access controls

Known CVEs and Exploits

  • CVE-2020-1472 – Zerologon vulnerability often combined with WinRM for domain compromise
  • CVE-2021-31166 – HTTP.sys remote code execution affecting WinRM services
  • Authentication bypass techniques – Pass-the-hash and pass-the-ticket attacks targeting WinRM
  • PowerShell-based attacks – Empire, Cobalt Strike, and other frameworks abuse WinRM for C2