Most used methods:

• RDP
• WinRM
• WMI

RDP

Port: TCP 3389

Installed by default on Windows

Uses Network Level Authentication (NLA)

Nmap script

nmap -sV -sC $HOST -p3389 --script rdp*

RDP Security Check

A perl script: ‣ allows to dump security settings of RDP servers based on the handshakes.

# Install requisites
cpan
install Encoding::BER
# Install tool
git clone <https://github.com/CiscoCXSecurity/rdp-sec-check.git> && cd rdp-sec-check
# Run
./rdp-sec-check.pl $HOST

Client

xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:10.129.201.248

WinRM