Module: Msf::Exploit::Remote::WinRM

Includes:
Exploit::Remote::NTLM::Client, HttpClient, Kerberos::ServiceAuthenticator::Options, Kerberos::Ticket::Storage
Defined in:
lib/msf/core/exploit/remote/winrm.rb

Instance Attribute Summary

Attributes included from HttpClient

#client, #cookie_jar

Instance Method Summary collapse

Methods included from Kerberos::ServiceAuthenticator::Options

#kerberos_auth_options

Methods included from Kerberos::Ticket::Storage

#kerberos_storage_options, #kerberos_ticket_storage, store_ccache

Methods included from HttpClient

#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Method Details

#check_winrm_parametersObject



44
45
46
47
48
49
50
51
52
53
# File 'lib/msf/core/exploit/remote/winrm.rb', line 44

def check_winrm_parameters
  if datastore['Winrm::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS
    fail_with(Msf::Exploit::Failure::BadConfig, 'The Winrm::Rhostname option is required when using Kerberos authentication.') if datastore['Winrm::Rhostname'].blank?
    fail_with(Msf::Exploit::Failure::BadConfig, 'The DOMAIN option is required when using Kerberos authentication.') if datastore['DOMAIN'].blank?
    offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['Winrm::KrbOfferedEncryptionTypes'])
    fail_with(Msf::Exploit::Failure::BadConfig, 'At least one encryption type is required when using Kerberos authentication.') if offered_etypes.empty?
  else
    fail_with(Msf::Exploit::Failure::BadConfig, 'The PASSWORD option is required unless using Kerberos authentication.') if datastore['PASSWORD'].blank?
  end
end

#create_winrm_connectionNet::MsfWinRM::RexWinRMConnection

Sets up a connection to a WinRM server, based on the datastore parameters May use NTLM or Kerberos auth, depending on the params

Returns:

  • (Net::MsfWinRM::RexWinRMConnection)

    Connection to the WinRM server



58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# File 'lib/msf/core/exploit/remote/winrm.rb', line 58

def create_winrm_connection
  rhost = datastore['RHOST']
  rport = datastore['RPORT']
  uri = datastore['URI']
  ssl = datastore['SSL']
  schema = ssl ? 'https' : 'http'
  endpoint = URI.join("#{schema}://#{rhost}:#{rport}", uri)
  opts = {
    endpoint: endpoint,
    host: rhost,
    port: rport,
    proxies: datastore['Proxies'],
    uri: uri,
    ssl: ssl,
    transport: :rexhttp,
    no_ssl_peer_verification: true,
    operation_timeout: 1,
    timeout: 20,
    retry_limit: 1,
    realm: datastore['DOMAIN']
  }
  case datastore['Winrm::Auth']
  when Msf::Exploit::Remote::AuthOption::KERBEROS
    kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP.new(
      host: datastore['DomainControllerRhost'].blank? ? nil : datastore['DomainControllerRhost'],
      hostname: datastore['Winrm::Rhostname'],
      proxies: datastore['Proxies'],
      realm: datastore['DOMAIN'],
      username: datastore['USERNAME'],
      password: datastore['PASSWORD'],
      timeout: 20, # datastore['timeout']
      framework: framework,
      framework_module: self,
      cache_file: datastore['Winrm::Krb5Ccname'].blank? ? nil : datastore['Winrm::Krb5Ccname'],
      offered_etypes: Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['Winrm::KrbOfferedEncryptionTypes']),
      mutual_auth: true,
      use_gss_checksum: true
    )
    opts = opts.merge({
      user: '', # Need to provide it, otherwise the WinRM module complains
      password: '', # Need to provide it, otherwise the WinRM module complains
      kerberos_authenticator: kerberos_authenticator,
      vhost: datastore['RHOSTNAME']
    })
  else
    opts = opts.merge({
      user: datastore['USERNAME'],
      password: datastore['PASSWORD']
    })
  end

  return Net::MsfWinRM::RexWinRMConnection.new(opts)
end

#initialize(info = {}) ⇒ Object



21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# File 'lib/msf/core/exploit/remote/winrm.rb', line 21

def initialize(info = {})
  super
  register_options(
    [
      Opt::RPORT(5985),
      OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentication', 'WORKSTATION']),
      OptString.new('URI', [ true, "The URI of the WinRM service", "/wsman" ]),
      OptString.new('USERNAME', [ false, 'A specific username to authenticate as' ]),
      OptString.new('PASSWORD', [ false, 'A specific password to authenticate with' ]),
    ], self.class
  )

  register_advanced_options(
    [
      *kerberos_storage_options(protocol: 'Winrm'),
      *kerberos_auth_options(protocol: 'Winrm', auth_methods: Msf::Exploit::Remote::AuthOption::WINRM_OPTIONS),
    ],
  )

  register_autofilter_ports([ 80,443,5985,5986 ])
  register_autofilter_services(%W{ winrm })
end

#make_unauthenticated_request(timeout = 20) ⇒ Rex::Proto::Http::Response

Make an unauthenticated request to the WinRM server

Parameters:

  • timeout (Integer) (defaults to: 20)

    Timeout for the request in seconds

Returns:



115
116
117
118
119
120
121
122
123
# File 'lib/msf/core/exploit/remote/winrm.rb', line 115

def make_unauthenticated_request(timeout = 20)
  opts = {
    'uri' => datastore['URI'],
    'method' => 'POST',
    'data' => Rex::Text.rand_text_alpha(8),
    'ctype' => "application/soap+xml;charset=UTF-8"
  }
  send_request_cgi(opts,timeout)
end

#parse_auth_methods(resp) ⇒ Array<String>

Parse the available auth methods from a WinRM response

Parameters:

Returns:

  • (Array<String>)

    The auth methods parsed from the HTTP response



128
129
130
131
132
133
134
135
# File 'lib/msf/core/exploit/remote/winrm.rb', line 128

def parse_auth_methods(resp)
  return [] unless resp and resp.code == 401
  methods = []
  methods << "Negotiate" if resp.headers['WWW-Authenticate'].include? "Negotiate"
  methods << "Kerberos" if resp.headers['WWW-Authenticate'].include? "Kerberos"
  methods << "Basic" if resp.headers['WWW-Authenticate'].include? "Basic"
  return methods
end

#parse_wql_hash(response) ⇒ Rex::Text::Table

Parse out the results from a WQL query

Parameters:

  • The (Hash)

    response from a call to Connection.run_wql

Returns:

  • (Rex::Text::Table)

    The results from the WQL query in table form



140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
# File 'lib/msf/core/exploit/remote/winrm.rb', line 140

def parse_wql_hash(response)
  columns = []
  rows = []
  fragments = response[:xml_fragment]
  fragments.each do |fragment|
    row_data = []
    fragment.keys.each do |key|
      unless key.starts_with?('@') # xmlns stuff
        columns << key.to_s
        row_data << fragment[key]
      end
    end
    rows << row_data
  end

  columns.uniq!
  response_data = Rex::Text::Table.new(
    'Header'    => "#{datastore['WQL']} (#{rhost})",
    'Indent'    => 1,
    'Columns'   => columns
  )
  rows.each do |row|
    response_data << row
  end
  return response_data
end

#wmi_namespaceString

The namespace for WQL queries

Returns:

  • (String)

    The WMI namespace



169
170
171
172
173
# File 'lib/msf/core/exploit/remote/winrm.rb', line 169

def wmi_namespace
  return datastore['NAMESPACE'] if datastore['NAMESPACE']
  return @namespace_override if @namespace_override
  return "root/cimv2"
end