From c91f0ca535547d5598382f590a887cbcea25aafe Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Tue, 30 Oct 2012 09:13:55 -0500
Subject: [PATCH 1/4] Adds the WQL execution module

---
 modules/auxiliary/scanner/winrm/winrm_wql.rb | 69 ++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 modules/auxiliary/scanner/winrm/winrm_wql.rb

diff --git a/modules/auxiliary/scanner/winrm/winrm_wql.rb b/modules/auxiliary/scanner/winrm/winrm_wql.rb
new file mode 100644
index 0000000000..cb33fdb476
--- /dev/null
+++ b/modules/auxiliary/scanner/winrm/winrm_wql.rb
@@ -0,0 +1,69 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'rex/proto/ntlm/message'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::WinRM
+	include Msf::Auxiliary::Report
+
+
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'           => 'WinRM WQL Query Runner',
+			'Version'        => '$Revision$',
+			'Description'    => %q{
+				This module runs WQL queries against remote WinRM Services. 
+				Authentication is required. Currently only works with NTLM auth.
+				},
+			'Author'         => [ 'thelightcosine' ],
+			'License'        => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				OptString.new('WQL', [ true, "The WQL query to run", "Select Name,Status from Win32_Service" ]),
+				OptString.new('USERNAME', [ true, "The username to authenticate as"]),
+				OptString.new('PASSWORD', [ true, "The password to authenticate with"])
+			], self.class)
+	end
+
+
+	def run_host(ip)
+		unless accepts_ntlm_auth
+			print_error "The Remote WinRM  server  (#{ip} does not appear to allow Negotiate(NTLM) auth"
+			return
+		end
+		
+		resp,c = send_request_ntlm(winrm_wql_msg(datastore['WQL']))
+		if resp.code == 401
+			print_error "Login Failure! Recheck the supplied credentials."
+			return
+		end
+
+		unless resp.code == 200
+			print_error "Got unexpected response from #{ip}: \n #{resp.to_s}"
+			return
+		end
+		resp_tbl = parse_wql_response(resp)
+		print_good resp_tbl.to_s
+		store_loot("winrm.wql_results", "text/csv", ip, resp_tbl.to_csv, "winrm_wql_results.csv", "WinRM WQL Query Results")
+	end
+
+
+
+end

From d3bb2b489153d5e392768451d1e9ef8357bd2d6f Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Tue, 30 Oct 2012 11:08:57 -0500
Subject: [PATCH 2/4] minor fixups

---
 modules/auxiliary/scanner/winrm/winrm_wql.rb | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/scanner/winrm/winrm_wql.rb b/modules/auxiliary/scanner/winrm/winrm_wql.rb
index cb33fdb476..8cb82a2db9 100644
--- a/modules/auxiliary/scanner/winrm/winrm_wql.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_wql.rb
@@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
 			'Name'           => 'WinRM WQL Query Runner',
 			'Version'        => '$Revision$',
 			'Description'    => %q{
-				This module runs WQL queries against remote WinRM Services. 
+				This module runs WQL queries against remote WinRM Services.
 				Authentication is required. Currently only works with NTLM auth.
 				},
 			'Author'         => [ 'thelightcosine' ],
@@ -48,8 +48,12 @@ class Metasploit3 < Msf::Auxiliary
 			print_error "The Remote WinRM  server  (#{ip} does not appear to allow Negotiate(NTLM) auth"
 			return
 		end
-		
+
 		resp,c = send_request_ntlm(winrm_wql_msg(datastore['WQL']))
+		if resp.nil?
+			print_error "Got no reply from the server"
+			return
+		end
 		if resp.code == 401
 			print_error "Login Failure! Recheck the supplied credentials."
 			return
@@ -61,7 +65,8 @@ class Metasploit3 < Msf::Auxiliary
 		end
 		resp_tbl = parse_wql_response(resp)
 		print_good resp_tbl.to_s
-		store_loot("winrm.wql_results", "text/csv", ip, resp_tbl.to_csv, "winrm_wql_results.csv", "WinRM WQL Query Results")
+		path = store_loot("winrm.wql_results", "text/csv", ip, resp_tbl.to_csv, "winrm_wql_results.csv", "WinRM WQL Query Results")
+		print_status "Results saved to #{path}"
 	end
 
 

From c5262a3e6419b886629863415c2168e2956346e8 Mon Sep 17 00:00:00 2001
From: sinn3r <msfsinn3r@gmail.com>
Date: Wed, 31 Oct 2012 15:11:00 -0500
Subject: [PATCH 3/4] Update the description about AllowUnencrypted

---
 modules/auxiliary/scanner/winrm/winrm_login.rb | 10 ++++++++--
 modules/auxiliary/scanner/winrm/winrm_wql.rb   | 14 +++++++++++---
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb
index 198bdd83d6..146a863da1 100644
--- a/modules/auxiliary/scanner/winrm/winrm_login.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_login.rb
@@ -28,8 +28,9 @@ class Metasploit3 < Msf::Auxiliary
 			'Description'    => %q{
 				This module attempts to authenticate to a WinRM service. It currently
 				works only if the remote end allows Negotiate(NTLM) authentication.
-				Kerberos is not currently supported.
-				},
+				Kerberos is not currently supported.  Please note: in order to use this
+				module, the 'AllowUnencrypted' winrm option must be set.
+			},
 			'Author'         => [ 'thelightcosine' ],
 			'References'     =>
 				[
@@ -77,3 +78,8 @@ class Metasploit3 < Msf::Auxiliary
 	end
 
 end
+
+=begin
+To set the AllowUncrypted option:
+winrm set winrm/config/service @{AllowUnencrypted="true"}
+=end
diff --git a/modules/auxiliary/scanner/winrm/winrm_wql.rb b/modules/auxiliary/scanner/winrm/winrm_wql.rb
index 8cb82a2db9..5cbdc5452d 100644
--- a/modules/auxiliary/scanner/winrm/winrm_wql.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_wql.rb
@@ -29,7 +29,9 @@ class Metasploit3 < Msf::Auxiliary
 			'Description'    => %q{
 				This module runs WQL queries against remote WinRM Services.
 				Authentication is required. Currently only works with NTLM auth.
-				},
+				Please note in order to use this module, the 'AllowUnencrypted'
+				winrm option must be set.
+			},
 			'Author'         => [ 'thelightcosine' ],
 			'License'        => MSF_LICENSE
 		)
@@ -69,6 +71,12 @@ class Metasploit3 < Msf::Auxiliary
 		print_status "Results saved to #{path}"
 	end
 
-
-
 end
+
+=begin
+=begin
+To set the AllowUncrypted option:
+winrm set winrm/config/service @{AllowUnencrypted="true"}
+=end
+
+=end
\ No newline at end of file

From 834d9028cdff02453001f966822d5f553195922d Mon Sep 17 00:00:00 2001
From: sinn3r <msfsinn3r@gmail.com>
Date: Wed, 31 Oct 2012 15:13:21 -0500
Subject: [PATCH 4/4] Fix syntax error

---
 modules/auxiliary/scanner/winrm/winrm_wql.rb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/modules/auxiliary/scanner/winrm/winrm_wql.rb b/modules/auxiliary/scanner/winrm/winrm_wql.rb
index 5cbdc5452d..31fabd59ec 100644
--- a/modules/auxiliary/scanner/winrm/winrm_wql.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_wql.rb
@@ -73,10 +73,7 @@ class Metasploit3 < Msf::Auxiliary
 
 end
 
-=begin
 =begin
 To set the AllowUncrypted option:
 winrm set winrm/config/service @{AllowUnencrypted="true"}
 =end
-
-=end
\ No newline at end of file