Class: Metasploit::Framework::LoginScanner::WinRM
Defined in: lib/metasploit/framework/login_scanner/winrm.rb
Overview
Windows Remote Management login scanner
Constant Summary
- DEFAULT_PORT = 5985
  The default port where WinRM listens. This is what you get on v1.1+ with `winrm quickconfig`. Note that before v1.1, the default was 80.
- DEFAULT_REALM = 'WORKSTATION'
  The default realm is WORKSTATION, which tells Windows authentication that it is a Local Account.
- DEFAULT_SSL_PORT = 5986
  The default port where WinRM listens when SSL is enabled. Note that before v1.1, the default was 443.
- PRIVATE_TYPES = [ :password ]
- LIKELY_PORTS = [ 80, 443, 5985, 5986 ]
- REALM_KEY = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
Constants inherited from HTTP
HTTP::AUTHORIZATION_HEADER, HTTP::DEFAULT_HTTP_NOT_AUTHED_CODES, HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::LIKELY_SERVICE_NAMES
Instance Attribute Summary
Attributes inherited from HTTP
#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost
Instance Method Summary
- #method=(_) ⇒ Object
  The method must be “POST”, so don’t let the user change it.
- #parse_auth_methods(resp) ⇒ Object
- #send_request(opts) ⇒ Object
  Send an HTTP request that WinRM would consider valid (SOAP XML in the message matching the XML schema definition).
- #set_sane_defaults ⇒ Object
Methods inherited from HTTP
#attempt_login, #authentication_required?, #check_setup
Instance Method Details
#method=(_) ⇒ Object
The method must be “POST”, so don’t let the user change it.

  # File 'lib/metasploit/framework/login_scanner/winrm.rb', line 79
  # WinRM only speaks SOAP over POST, so any attempt to override the
  # HTTP method is rejected outright.
  def method=(_)
    raise RuntimeError, "Method must be POST for WinRM"
  end
#parse_auth_methods(resp) ⇒ Object

  # File 'lib/metasploit/framework/login_scanner/winrm.rb', line 43
  # Returns the authentication schemes advertised in the WWW-Authenticate
  # header of a 401 response; any other response yields an empty list.
  def parse_auth_methods(resp)
    return [] unless resp and resp.code == 401
    methods = []
    methods << "Negotiate" if resp.headers['WWW-Authenticate'].include? "Negotiate"
    methods << "Kerberos" if resp.headers['WWW-Authenticate'].include? "Kerberos"
    methods << "Basic" if resp.headers['WWW-Authenticate'].include? "Basic"
    return methods
  end
#send_request(opts) ⇒ Object
Send an HTTP request that WinRM would consider valid (SOAP XML in the message matching the XML schema definition).

  # File 'lib/metasploit/framework/login_scanner/winrm.rb', line 53
  def send_request(opts)
    # Probe once without credentials to learn which schemes the listener offers.
    allowed_auth_methods = parse_auth_methods(super(opts.merge({ 'authenticate' => false })))
    if kerberos_authenticator_factory != nil
      unless allowed_auth_methods.include? 'Kerberos'
        raise RuntimeError, "Kerberos requested, but not available"
      end
      opts['preferred_auth'] = 'Kerberos'
    elsif allowed_auth_methods.include? 'Negotiate'
      opts['preferred_auth'] = 'Negotiate'
    elsif allowed_auth_methods.include? 'Basic'
      # Straight-up hack: if Basic auth is used, WinRM complains about the content size being 0.
      # The error message actually complains about the Content-Size header not being set, even though it is,
      # but it doesn't like it being 0, and other auth methods fail with the supplied data. To get around it,
      # only when "Basic" is selected as the preferred option do we add this extra stuff as a workaround.
      opts['preferred_auth'] = 'Basic'
      opts['headers'] ||= { }
      opts['ctype'] = 'application/soap+xml;charset=UTF-8'
      opts['data'] = wsman_identity_request
      opts['headers']['Content-Length'] = opts['data'].length
    end
    super
  end
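As an added example (not Metasploit's own code), the following stand-alone Ruby re-implements the scanner's WWW-Authenticate parsing and scheme precedence, and extends it into a small posture check a defender can run over a captured 401 from a WinRM listener. The Response struct is a constructed stand-in for the framework's HTTP response object; the port constants mirror the ones on this page.

```ruby
# Constructed stand-in for the framework's HTTP response object.
Response = Struct.new(:code, :headers)

DEFAULT_PORT       = 5985
DEFAULT_SSL_PORT   = 5986
KNOWN_AUTH_METHODS = %w[Negotiate Kerberos Basic].freeze

# Returns the auth schemes a 401 advertises, in the scanner's order.
# Going beyond the scanner, this accepts several WWW-Authenticate headers
# (an Array) and matches scheme names case-insensitively.
def parse_auth_methods(resp)
  return [] unless resp && resp.code == 401
  header = Array(resp.headers['WWW-Authenticate']).join(', ')
  KNOWN_AUTH_METHODS.select { |m| header =~ /\b#{m}\b/i }
end

# Picks the scheme the scanner would use: Kerberos when requested (and only
# if offered), otherwise Negotiate, otherwise Basic, otherwise nil.
def preferred_auth(methods, kerberos_requested: false)
  if kerberos_requested
    raise 'Kerberos requested, but not available' unless methods.include?('Kerberos')
    return 'Kerberos'
  end
  %w[Negotiate Basic].find { |m| methods.include?(m) }
end

# Flags listener configurations a defender would want to review: Basic auth
# carries credentials base64-encoded, so offering it on a non-SSL port
# (5985, or 80 on pre-v1.1 hosts) exposes them to anyone on the path.
def winrm_findings(port, methods)
  findings = []
  findings << 'basic_auth_offered' if methods.include?('Basic')
  plaintext_port = port != DEFAULT_SSL_PORT && port != 443
  findings << 'basic_auth_over_plaintext' if methods.include?('Basic') && plaintext_port
  findings << 'no_kerberos' unless methods.include?('Kerberos')
  findings
end
```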