Hi,
WinRM is a remote management service for Windows that is installed.
As far as I know, this service authenticated services are tied to an HTTP or HTTPS SOAP listener and support Kerberos and NTLM authentication by default. In older versions of WinRM, it listens on 80 and 443 respectively. On newer versions, it listens on 5985 and 5986 respectively.
Also please refer to the link below. Then information may be helpful to you.
https://jstuyts.github.io/Secure-WinRM-Manual/server-configuration.html
Best Regards,
Carl
WinRM unsafe HTTP methods supported & server version disclosed
Endang Sulaiman
1
Reputation point
Hi,
I was told that port 5985 and 47001 have following 2 vulnerabilities:
- multiple unsafe HTTP methods are supported (e.g., DELETE, TRACE)
- server version is disclosed on HTTP response header (Microsoft-HTTPAPI/2.0)
After reading the internet, I come to know these 2 ports are used by WinRM.
Can I clarify if first item is true (WinRM really supports those HTTP methods), or is it just the way the test is conducted (if you submit a request with DELETE method and don't get 405 code it does not always mean that DELETE method is supported).
As for the second item, is there a way to remove it?
Thanks a lot in advance.
1 answer
Sort by: Most helpful
-
Carl Fan 6,836 Reputation points
2020-08-14T09:59:17.703+00:00