Windows Remote Management - Detection

ID: winrm-detect

Severity: info

Author: pussycat0x

Tags: network,winrm,windows

Description

Detects Windows Remote Management (WinRM) by checking HTTP response headers on ports 5985 (HTTP) and 5986 (HTTPS).

YAML Source

id: winrm-detect

info:
  name: Windows Remote Management - Detection
  author: pussycat0x
  severity: info
  description: |
    Detects Windows Remote Management (WinRM) by checking HTTP response headers on ports 5985 (HTTP) and 5986 (HTTPS).
  metadata:
    max-request: 1
    verified: true
    shodan-query: product:"WinRM"
  tags: network,winrm,windows

http:
  - method: POST
    path:
      - "{{BaseURL}}/wsman"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 401

      - type: regex
        part: header
        regex:
          - 'Microsoft-HTTPAPI\/[0-9\.]+'

      - type: word
        part: header
        words:
          - "Www-Authenticate: NTLM"
          - "Www-Authenticate: Negotiate"
        condition: or
# digest: 4b0a00483046022100eac570d9b3075a685e3272c7187bbf9188fc78918a3c90940596b831b97594700221009718b3f625d4c366cc2d750b15f8065f71533c23e8c5ea508dace8ecbe9584bb:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/technologies/winrm-detect.yaml"

View on Github