Class: Metasploit::Framework::LoginScanner::WinRM

Inherits:
HTTP
  • Object
show all
Defined in:
lib/metasploit/framework/login_scanner/winrm.rb

Overview

Windows Remote Management login scanner

Constant Summary collapse

DEFAULT_PORT =

The default port where WinRM listens. This is what you get on v1.1+ with `winrm quickconfig`. Note that before v1.1, the default was 80

5985
DEFAULT_REALM =

The default realm is WORKSTATION which tells Windows authentication that it is a Local Account.

'WORKSTATION'
DEFAULT_SSL_PORT =

The default port where WinRM listens when SSL is enabled. Note that before v1.1, the default was 443

5986
PRIVATE_TYPES =
[ :password ]
LIKELY_PORTS =
[ 80, 443, 5985, 5986 ]
REALM_KEY =
Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

Constants inherited from HTTP

HTTP::LIKELY_SERVICE_NAMES

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_username, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary collapse

Methods inherited from HTTP

#attempt_login, #check_setup

Instance Method Details

#method=(_) ⇒ Object

The method must be “POST”, so don't let the user change it

Raises:

  • (RuntimeError)

    Unconditionally


73
74
75
# File 'lib/metasploit/framework/login_scanner/winrm.rb', line 73

def method=(_)
  raise RuntimeError, "Method must be POST for WinRM"
end

#parse_auth_methods(resp) ⇒ Object


42
43
44
45
46
47
48
49
# File 'lib/metasploit/framework/login_scanner/winrm.rb', line 42

def parse_auth_methods(resp)
  return [] unless resp and resp.code == 401
  methods = []
  methods << "Negotiate" if resp.headers['WWW-Authenticate'].include? "Negotiate"
  methods << "Kerberos" if resp.headers['WWW-Authenticate'].include? "Kerberos"
  methods << "Basic" if resp.headers['WWW-Authenticate'].include? "Basic"
  return methods
end

#send_request(opts) ⇒ Object

send an HTTP request that WinRM would consider as valid (SOAP XML in the message matching the XML schema definition)


52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# File 'lib/metasploit/framework/login_scanner/winrm.rb', line 52

def send_request(opts)
  allowed_auth_methods = parse_auth_methods(super(opts.merge({ 'authenticate' => false })))

  if allowed_auth_methods.include? 'Negotiate'
    opts['preferred_auth'] = 'Negotiate'
  elsif allowed_auth_methods.include? 'Basic'
    # Straight up hack since if Basic auth is used winrm complains about the content size being 0
    # The error message actually complains about the Content-Size header not being set even though it is
    # but it doesn't like it being 0 and other auth methods fail with the supplied data to get around it
    # So only if "Basic" is selected as the preferred option do we add this extra stuff as a workaround
    opts['preferred_auth'] = 'Basic'
    opts['headers'] ||= { }
    opts['ctype'] = 'application/soap+xml;charset=UTF-8'
    opts['data'] = wsman_identity_request
    opts['headers']['Content-Length'] = opts['data'].length
  end
  super
end

#set_sane_defaultsObject


35
36
37
38
39
40
# File 'lib/metasploit/framework/login_scanner/winrm.rb', line 35

def set_sane_defaults
  self.uri = "/wsman" if self.uri.nil?
  @method = "POST".freeze

  super
end