Module: Msf::Exploit::Remote::WinRM

Includes:

Exploit::Remote::NTLM::Client, HttpClient, Kerberos::ServiceAuthenticator::Options, Kerberos::Ticket::Storage

Defined in:

lib/msf/core/exploit/remote/winrm.rb

Instance Attribute Summary

Attributes included from HttpClient

#client, #cookie_jar

Instance Method Summary

• #check_winrm_parameters ⇒ Object
• #create_winrm_connection ⇒ Net::MsfWinRM::RexWinRMConnection

  Sets up a connection to a WinRM server, based on the datastore parameters May use NTLM or Kerberos auth, depending on the params.

• #initialize(info = {}) ⇒ Object
• #make_unauthenticated_request(timeout = 20) ⇒ Rex::Proto::Http::Response

  Make an unauthenticated request to the WinRM server.

• #parse_auth_methods(resp) ⇒ Array<String>

  Parse the available auth methods from a WinRM response.

• #parse_wql_hash(response) ⇒ Rex::Text::Table

  Parse out the results from a WQL query.

• #wmi_namespace ⇒ String

  The namespace for WQL queries.

Methods included from Kerberos::ServiceAuthenticator::Options

#kerberos_auth_options

Methods included from Kerberos::Ticket::Storage

#kerberos_storage_options, #kerberos_ticket_storage, store_ccache

Methods included from HttpClient

#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Auxiliary::LoginScanner

#configure_login_scanner

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Method Details

#check_winrm_parameters ⇒ Object

# File 'lib/msf/core/exploit/remote/winrm.rb', line 44

def check_winrm_parameters
  if datastore['Winrm::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS
    fail_with(Msf::Exploit::Failure::BadConfig, 'The Winrm::Rhostname option is required when using Kerberos authentication.') if datastore['Winrm::Rhostname'].blank?
    fail_with(Msf::Exploit::Failure::BadConfig, 'The DOMAIN option is required when using Kerberos authentication.') if datastore['DOMAIN'].blank?
    offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['Winrm::KrbOfferedEncryptionTypes'])
    fail_with(Msf::Exploit::Failure::BadConfig, 'At least one encryption type is required when using Kerberos authentication.') if offered_etypes.empty?
  else
    fail_with(Msf::Exploit::Failure::BadConfig, 'The PASSWORD option is required unless using Kerberos authentication.') if datastore['PASSWORD'].blank?
  end
end

#create_winrm_connection ⇒ Net::MsfWinRM::RexWinRMConnection

Sets up a connection to a WinRM server, based on the datastore parameters May use NTLM or Kerberos auth, depending on the params

Returns:

• (Net::MsfWinRM::RexWinRMConnection) —

  Connection to the WinRM server

# File 'lib/msf/core/exploit/remote/winrm.rb', line 58

def create_winrm_connection
  rhost = datastore['RHOST']
  rport = datastore['RPORT']
  uri = datastore['URI']
  ssl = datastore['SSL']
  schema = ssl ? 'https' : 'http'
  endpoint = URI.join("#{schema}://#{rhost}:#{rport}", uri)
  opts = {
    endpoint: endpoint,
    host: rhost,
    port: rport,
    proxies: datastore['Proxies'],
    uri: uri,
    ssl: ssl,
    transport: :rexhttp,
    no_ssl_peer_verification: true,
    operation_timeout: 1,
    timeout: 20,
    retry_limit: 1,
    realm: datastore['DOMAIN']
  }
  case datastore['Winrm::Auth']
  when Msf::Exploit::Remote::AuthOption::KERBEROS
    kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP.new(
      host: datastore['DomainControllerRhost'].blank? ? nil : datastore['DomainControllerRhost'],
      hostname: datastore['Winrm::Rhostname'],
      proxies: datastore['Proxies'],
      realm: datastore['DOMAIN'],
      username: datastore['USERNAME'],
      password: datastore['PASSWORD'],
      timeout: 20, # datastore['timeout']
      framework: framework,
      framework_module: self,
      cache_file: datastore['Winrm::Krb5Ccname'].blank? ? nil : datastore['Winrm::Krb5Ccname'],
      offered_etypes: Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['Winrm::KrbOfferedEncryptionTypes']),
      mutual_auth: true,
      use_gss_checksum: true
    )
    opts = opts.merge({
      user: '', # Need to provide it, otherwise the WinRM module complains
      password: '', # Need to provide it, otherwise the WinRM module complains
      kerberos_authenticator: kerberos_authenticator,
      vhost: datastore['RHOSTNAME']
    })
  else
    opts = opts.merge({
      user: datastore['USERNAME'],
      password: datastore['PASSWORD']
    })
  end

  return Net::MsfWinRM::RexWinRMConnection.new(opts)
end

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/winrm.rb', line 21

def initialize(info = {})
  super
  register_options(
    [
      Opt::RPORT(5985),
      OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentication', 'WORKSTATION']),
      OptString.new('URI', [ true, "The URI of the WinRM service", "/wsman" ]),
      OptString.new('USERNAME', [ false, 'A specific username to authenticate as' ]),
      OptString.new('PASSWORD', [ false, 'A specific password to authenticate with' ]),
    ], self.class
  )

  register_advanced_options(
    [
      *kerberos_storage_options(protocol: 'Winrm'),
      *kerberos_auth_options(protocol: 'Winrm', auth_methods: Msf::Exploit::Remote::AuthOption::WINRM_OPTIONS),
    ],
  )

  register_autofilter_ports([ 80,443,5985,5986 ])
  register_autofilter_services(%W{ winrm })
end

#make_unauthenticated_request(timeout = 20) ⇒ Rex::Proto::Http::Response

Make an unauthenticated request to the WinRM server

Parameters:

• timeout (Integer) (defaults to: 20) —

  Timeout for the request in seconds

Returns:

• (Rex::Proto::Http::Response) —

  The HTTP response from an unauthenticated request

# File 'lib/msf/core/exploit/remote/winrm.rb', line 115

def make_unauthenticated_request(timeout = 20)
  opts = {
    'uri' => datastore['URI'],
    'method' => 'POST',
    'data' => Rex::Text.rand_text_alpha(8),
    'ctype' => "application/soap+xml;charset=UTF-8"
  }
  send_request_cgi(opts,timeout)
end

#parse_auth_methods(resp) ⇒ Array<String>

Parse the available auth methods from a WinRM response

Parameters:

• resp (Rex::Proto::Http::Response) —

  The HTTP response from the WinRM server

Returns:

• (Array<String>) —

  The auth methods parsed from the HTTP response

# File 'lib/msf/core/exploit/remote/winrm.rb', line 128

def parse_auth_methods(resp)
  return [] unless resp and resp.code == 401
  methods = []
  methods << "Negotiate" if resp.headers['WWW-Authenticate'].include? "Negotiate"
  methods << "Kerberos" if resp.headers['WWW-Authenticate'].include? "Kerberos"
  methods << "Basic" if resp.headers['WWW-Authenticate'].include? "Basic"
  return methods
end

#parse_wql_hash(response) ⇒ Rex::Text::Table

Parse out the results from a WQL query

Parameters:

• The (Hash) —

  response from a call to Connection.run_wql

Returns:

• (Rex::Text::Table) —

  The results from the WQL query in table form

# File 'lib/msf/core/exploit/remote/winrm.rb', line 140

def parse_wql_hash(response)
  columns = []
  rows = []
  fragments = response[:xml_fragment]
  fragments.each do |fragment|
    row_data = []
    fragment.keys.each do |key|
      unless key.starts_with?('@') # xmlns stuff
        columns << key.to_s
        row_data << fragment[key]
      end
    end
    rows << row_data
  end

  columns.uniq!
  response_data = Rex::Text::Table.new(
    'Header'    => "#{datastore['WQL']} (#{rhost})",
    'Indent'    => 1,
    'Columns'   => columns
  )
  rows.each do |row|
    response_data << row
  end
  return response_data
end

#wmi_namespace ⇒ String

The namespace for WQL queries

Returns:

• (String) —

  The WMI namespace

# File 'lib/msf/core/exploit/remote/winrm.rb', line 169

def wmi_namespace
  return datastore['NAMESPACE'] if datastore['NAMESPACE']
  return @namespace_override if @namespace_override
  return "root/cimv2"
end