NetExec/cme/protocols/winrm.py


import requests
import logging
import configparser
from impacket.smbconnection import SMBConnection, SessionError
from cme.connection import *
from cme.helpers.logger import highlight
from cme.logger import CMEAdapter
from io import StringIO
from pypsrp.client import Client

# The following disables the InsecureRequests warning and the 'Starting new HTTPS connection' log message
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

class SuppressFilter(logging.Filter):
    # remove warning https://github.com/diyan/pywinrm/issues/269
    def filter(self, record):
        return 'wsman' not in record.getMessage()

class winrm(connection):

    def __init__(self, args, db, host):
        self.domain = None

        connection.__init__(self, args, db, host)

    @staticmethod
    def proto_args(parser, std_parser, module_parser):
        winrm_parser = parser.add_parser('winrm', help="own stuff using WINRM", parents=[std_parser, module_parser])
        winrm_parser.add_argument("-H", '--hash', metavar="HASH", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')
        winrm_parser.add_argument("--no-bruteforce", action='store_true', help='No spray when using file for username and password (user1 => password1, user2 => password2')
        winrm_parser.add_argument("--continue-on-success", action='store_true', help="continues authentication attempts even after successes")
        dgroup = winrm_parser.add_mutually_exclusive_group()
        dgroup.add_argument("-d", metavar="DOMAIN", dest='domain', type=str, default=None, help="domain to authenticate to")
        dgroup.add_argument("--local-auth", action='store_true', help='authenticate locally to each target')

        cgroup = winrm_parser.add_argument_group("Command Execution", "Options for executing commands")
        cgroup.add_argument('--no-output', action='store_true', help='do not retrieve command output')
        cgroup.add_argument("-x", metavar="COMMAND", dest='execute', help="execute the specified command")
        cgroup.add_argument("-X", metavar="PS_COMMAND", dest='ps_execute', help='execute the specified PowerShell command')

        return parser

    def proto_flow(self):
        self.proto_logger()
        if self.create_conn_obj():
            self.enum_host_info()
            self.print_host_info()
            if self.login():
                if hasattr(self.args, 'module') and self.args.module:
                    self.call_modules()
                else:
                    self.call_cmd_args()

    def proto_logger(self):
        self.logger = CMEAdapter(extra={'protocol': 'WINRM',
                                        'host': self.host,
                                        'port': 'NONE',
                                        'hostname': 'NONE'})

    def enum_host_info(self):
        if self.args.domain:
            self.domain = self.args.domain
            self.logger.extra['hostname'] = self.hostname
        else:
            try:
                smb_conn = SMBConnection(self.host, self.host, None)
                try:
                    smb_conn.login('', '')
                except SessionError as e:
                    if "STATUS_ACCESS_DENIED" in e.message:
                        pass

                self.domain = smb_conn.getServerDomain()
                self.hostname = smb_conn.getServerName()

                self.logger.extra['hostname'] = self.hostname

                try:
                    smb_conn.logoff()
                except:
                    pass

            except Exception as e:
                logging.debug("Error retrieving host domain: {} specify one manually with the '-d' flag".format(e))

            if self.args.domain:
                self.domain = self.args.domain

            if self.args.local_auth:
                self.domain = self.hostname

    def print_host_info(self):
        self.logger.info(self.endpoint)

    def create_conn_obj(self):
        endpoints = [
            'https://{}:5986/wsman'.format(self.host),
            'http://{}:5985/wsman'.format(self.host)
        ]

        for url in endpoints:
            try:
                requests.get(url, verify=False, timeout=10)
                self.endpoint = url
                if self.endpoint.startswith('https://'):
                    self.port = 5986
                else:
                    self.port = 5985

                self.logger.extra['port'] = self.port

                return True
            except Exception as e:
                if 'Max retries exceeded with url' not in str(e):
                    logging.debug('Error in WinRM create_conn_obj:' + str(e))

        return False

    def plaintext_login(self, domain, username, password):
        try:
            from urllib3.connectionpool import log
            log.addFilter(SuppressFilter())
            self.conn = Client(self.host,
                                        auth='ntlm',
                                        username=username,
                                        password=password,
                                        ssl=False)

            # TO DO: right now we're just running the hostname command to make the winrm library auth to the server
            # we could just authenticate without running a command :) (probably)
            self.conn.execute_ps("hostname")
            self.admin_privs = True
            self.logger.success(u'{}\\{}:{} {}'.format(self.domain,
                                                       username,
                                                       password,
                                                       highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')))
            if not self.args.continue_on_success:
                return True

        except Exception as e:
            self.logger.error(u'{}\\{}:{} "{}"'.format(self.domain,
                                                       username,
                                                       password,
                                                       e))

            return False

    def execute(self, payload=None, get_output=False):
        try:
            r = self.conn.execute_cmd(self.args.execute)
        except:
            self.logger.debug('Cannot execute cmd command, probably because user is not local admin, but powershell command should be ok !')
            r = self.conn.execute_ps(self.args.execute)
        self.logger.success('Executed command')
        self.logger.highlight(r[0])

    def ps_execute(self, payload=None, get_output=False):
        r = self.conn.execute_ps(self.args.ps_execute)
        self.logger.success('Executed command')
        self.logger.highlight(r[0])
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp 2020-04-28 19:30:18 +00:00
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00			`import requests`
			`import logging`
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp 2020-04-28 19:30:18 +00:00			`import configparser`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00			`from impacket.smbconnection import SMBConnection, SessionError`
			`from cme.connection import *`
			`from cme.helpers.logger import highlight`
			`from cme.logger import CMEAdapter`
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp 2020-04-28 19:30:18 +00:00			`from io import StringIO`
			`from pypsrp.client import Client`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
			`# The following disables the InsecureRequests warning and the 'Starting new HTTPS connection' log message`
			`from requests.packages.urllib3.exceptions import InsecureRequestWarning`
			`requests.packages.urllib3.disable_warnings(InsecureRequestWarning)`

Fix winrm warning from pywinrm 2020-04-28 11:24:01 +00:00			`class SuppressFilter(logging.Filter):`
			`# remove warning https://github.com/diyan/pywinrm/issues/269`
			`def filter(self, record):`
			`return 'wsman' not in record.getMessage()`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
			`class winrm(connection):`

			`def __init__(self, args, db, host):`
			`self.domain = None`

			`connection.__init__(self, args, db, host)`

			`@staticmethod`
			`def proto_args(parser, std_parser, module_parser):`
			`winrm_parser = parser.add_parser('winrm', help="own stuff using WINRM", parents=[std_parser, module_parser])`
Update winrm.py Closes https://github.com/byt3bl33d3r/CrackMapExec/issues/310 2019-08-16 13:58:26 +00:00			`winrm_parser.add_argument("-H", '--hash', metavar="HASH", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')`
Add option --no-bruteforce allowing credentials spraying without bruteforce cme accept user file and password file and works like this: user1 -> pass1 -> pass2 user2 -> pass1 -> pass2 Option --no-bruteforce works like this user1 -> pass1 user2 -> pass2 2020-04-30 14:06:57 +00:00			`winrm_parser.add_argument("--no-bruteforce", action='store_true', help='No spray when using file for username and password (user1 => password1, user2 => password2')`
			`winrm_parser.add_argument("--continue-on-success", action='store_true', help="continues authentication attempts even after successes")`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00			`dgroup = winrm_parser.add_mutually_exclusive_group()`
			`dgroup.add_argument("-d", metavar="DOMAIN", dest='domain', type=str, default=None, help="domain to authenticate to")`
			`dgroup.add_argument("--local-auth", action='store_true', help='authenticate locally to each target')`
Add option --no-bruteforce allowing credentials spraying without bruteforce cme accept user file and password file and works like this: user1 -> pass1 -> pass2 user2 -> pass1 -> pass2 Option --no-bruteforce works like this user1 -> pass1 user2 -> pass2 2020-04-30 14:06:57 +00:00
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00			`cgroup = winrm_parser.add_argument_group("Command Execution", "Options for executing commands")`
			`cgroup.add_argument('--no-output', action='store_true', help='do not retrieve command output')`
			`cgroup.add_argument("-x", metavar="COMMAND", dest='execute', help="execute the specified command")`
			`cgroup.add_argument("-X", metavar="PS_COMMAND", dest='ps_execute', help='execute the specified PowerShell command')`

			`return parser`

			`def proto_flow(self):`
			`self.proto_logger()`
			`if self.create_conn_obj():`
			`self.enum_host_info()`
			`self.print_host_info()`
			`if self.login():`
			`if hasattr(self.args, 'module') and self.args.module:`
			`self.call_modules()`
			`else:`
			`self.call_cmd_args()`

			`def proto_logger(self):`
			`self.logger = CMEAdapter(extra={'protocol': 'WINRM',`
			`'host': self.host,`
			`'port': 'NONE',`
			`'hostname': 'NONE'})`

			`def enum_host_info(self):`
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN 2020-04-29 10:28:47 +00:00			`if self.args.domain:`
			`self.domain = self.args.domain`
			`self.logger.extra['hostname'] = self.hostname`
			`else:`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00			`try:`
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN 2020-04-29 10:28:47 +00:00			`smb_conn = SMBConnection(self.host, self.host, None)`
			`try:`
			`smb_conn.login('', '')`
			`except SessionError as e:`
			`if "STATUS_ACCESS_DENIED" in e.message:`
			`pass`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN 2020-04-29 10:28:47 +00:00			`self.domain = smb_conn.getServerDomain()`
			`self.hostname = smb_conn.getServerName()`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN 2020-04-29 10:28:47 +00:00			`self.logger.extra['hostname'] = self.hostname`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN 2020-04-29 10:28:47 +00:00			`try:`
			`smb_conn.logoff()`
			`except:`
			`pass`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN 2020-04-29 10:28:47 +00:00			`except Exception as e:`
			`logging.debug("Error retrieving host domain: {} specify one manually with the '-d' flag".format(e))`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN 2020-04-29 10:28:47 +00:00			`if self.args.domain:`
			`self.domain = self.args.domain`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN 2020-04-29 10:28:47 +00:00			`if self.args.local_auth:`
			`self.domain = self.hostname`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
			`def print_host_info(self):`
			`self.logger.info(self.endpoint)`

			`def create_conn_obj(self):`
			`endpoints = [`
			`'https://{}:5986/wsman'.format(self.host),`
			`'http://{}:5985/wsman'.format(self.host)`
			`]`

			`for url in endpoints:`
			`try:`
			`requests.get(url, verify=False, timeout=10)`
			`self.endpoint = url`
			`if self.endpoint.startswith('https://'):`
			`self.port = 5986`
			`else:`
			`self.port = 5985`

			`self.logger.extra['port'] = self.port`

			`return True`
			`except Exception as e:`
			`if 'Max retries exceeded with url' not in str(e):`
			`logging.debug('Error in WinRM create_conn_obj:' + str(e))`

			`return False`

			`def plaintext_login(self, domain, username, password):`
			`try:`
Fix winrm warning from pywinrm 2020-04-28 11:24:01 +00:00			`from urllib3.connectionpool import log`
			`log.addFilter(SuppressFilter())`
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp 2020-04-28 19:30:18 +00:00			`self.conn = Client(self.host,`
			`auth='ntlm',`
			`username=username,`
			`password=password,`
			`ssl=False)`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
			`# TO DO: right now we're just running the hostname command to make the winrm library auth to the server`
			`# we could just authenticate without running a command :) (probably)`
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp 2020-04-28 19:30:18 +00:00			`self.conn.execute_ps("hostname")`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00			`self.admin_privs = True`
update python3 2019-11-10 23:12:35 +00:00			`self.logger.success(u'{}\\{}:{} {}'.format(self.domain,`
			`username,`
			`password,`
Fixed up @aj-cgtech changes 2018-03-01 19:36:17 +00:00			`highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')))`
Add option --no-bruteforce allowing credentials spraying without bruteforce cme accept user file and password file and works like this: user1 -> pass1 -> pass2 user2 -> pass1 -> pass2 Option --no-bruteforce works like this user1 -> pass1 user2 -> pass2 2020-04-30 14:06:57 +00:00			`if not self.args.continue_on_success:`
			`return True`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
			`except Exception as e:`
update python3 2019-11-10 23:12:35 +00:00			`self.logger.error(u'{}\\{}:{} "{}"'.format(self.domain,`
			`username,`
			`password,`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00			`e))`

			`return False`

			`def execute(self, payload=None, get_output=False):`
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp 2020-04-28 19:30:18 +00:00			`try:`
			`r = self.conn.execute_cmd(self.args.execute)`
			`except:`
			`self.logger.debug('Cannot execute cmd command, probably because user is not local admin, but powershell command should be ok !')`
			`r = self.conn.execute_ps(self.args.execute)`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00			`self.logger.success('Executed command')`
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp 2020-04-28 19:30:18 +00:00			`self.logger.highlight(r[0])`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
			`def ps_execute(self, payload=None, get_output=False):`
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp 2020-04-28 19:30:18 +00:00			`r = self.conn.execute_ps(self.args.ps_execute)`
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00			`self.logger.success('Executed command')`
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp 2020-04-28 19:30:18 +00:00			`self.logger.highlight(r[0])`