From d2d137ce68c0aeee5748f67556396935df185484 Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Wed, 31 Oct 2012 15:10:45 -0500
Subject: [PATCH] adds the WinRM CMD execution module
---
 modules/auxiliary/scanner/winrm/winrm_cmd.rb | 63 ++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 modules/auxiliary/scanner/winrm/winrm_cmd.rb
diff --git a/modules/auxiliary/scanner/winrm/winrm_cmd.rb b/modules/auxiliary/scanner/winrm/winrm_cmd.rb
new file mode 100644
index 0000000000..de2a1e6ee4
--- /dev/null
+++ b/modules/auxiliary/scanner/winrm/winrm_cmd.rb
@@ -0,0 +1,63 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'rex/proto/ntlm/message'
+
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::WinRM
+ include Msf::Auxiliary::Report
+
+
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'WinRM Command Runner',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ This module runs arbitrary Windows commands using the WinRM Service
+ },
+ 'Author' => [ 'thelightcosine' ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ OptString.new('CMD', [ true, "The windows command to run", "ipconfig /all" ]),
+ OptString.new('USERNAME', [ true, "The username to authenticate as"]),
+ OptString.new('PASSWORD', [ true, "The password to authenticate with"]),
+ OptBool.new('SAVE_OUTPUT', [true, "Store output as loot", false])
+ ], self.class)
+ end
+
+
+ def run_host(ip)
+ unless accepts_ntlm_auth
+ print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth"
+ return
+ end
+ streams = winrm_run_cmd(datastore['CMD'])
+ print_error streams['stderr'] unless streams['stderr'] == ''
+ print_good streams['stdout']
+ if datastore['SAVE_OUTPUT']
+ path = store_loot("winrm.cmd_results", "text/plain", ip, streams['stdout'], "winrm_cmd_results.txt", "WinRM CMD Results")
+ print_status "Results saved to #{path}"
+ end
+ end
+
+
+
+end
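Review bot: In run_host the value returned by winrm_run_cmd is indexed straight away, so if that helper can return nil on a failed request (it lives in the Msf::Exploit::Remote::WinRM mixin, outside this hunk) the scanner would abort the host with a NoMethodError instead of a readable module error; if nil is possible, `return print_error("No response from WinRM service on #{ip}") unless streams` before the stderr line is cheap insurance. The NTLM error message on the same method also has an unbalanced parenthesis: `print_error "The Remote WinRM server (#{ip}) does not appear to allow Negotiate(NTLM) auth"`. As a point of style, `unless streams['stderr'] == ''` reads more naturally as `unless streams['stderr'].empty?` once the nil case is handled. USERNAME and PASSWORD are registered here as required options; if the WinRM mixin already registers them, this duplicates its definitions and the two descriptions could drift — worth confirming against the mixin.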