The main components used for remote management of Windows and Windows servers are the following:

  • Remote Desktop Protocol (RDP)

  • Windows Remote Management (WinRM)

  • Windows Management Instrumentation (WMI)


nmap -sV -sC -p3389 --script rdp*
nmap -sV -sC -p3389 --packet-trace --disable-arp-ping -n

We can see that the RDP cookies (mstshash=nmap) used by Nmap to interact with the RDP server can be identified by threat hunters and various security services such as Endpoint Detection and Response (EDR), and can lock us out as penetration testers on hardened networks.

RDP Security Check

RFS85@htb[/htb]$ git clone && cd rdp-sec-check
RFS85@htb[/htb]$ ./
xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:


nmap -sV -sC -p5985,5986 --disable-arp-ping -n
evil-winrm -i -u Cry0l1t3 -p P455w0rD!


/usr/share/doc/python3-impacket/examples/ Cry0l1t3:"P455w0rD!"@ "hostname"

Last updated