Add the WinRM login module

David Maloney · David Maloney · commit a15c35091d69 · 2012-10-24T11:25:39.000-05:00
diff --git a/lib/msf/core/exploit/winrm.rb b/lib/msf/core/exploit/winrm.rb
@@ -20,11 +20,7 @@ def initialize(info = {})
 			super
 			register_options(
 				[
-					Opt::RHOST,
 					Opt::RPORT(5985),
-					OptString.new('VHOST', [ false, "HTTP server virtual host" ]),
-					OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]),
-					OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
 					OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentification', 'WORKSTATION']),
 					OptString.new('URI', [ true, "The URI of the WinRM service", "/wsman" ]),
 					OptString.new('USERNAME', [ false, 'A specific username to authenticate as' ]),
diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb
@@ -0,0 +1,83 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'rex/proto/ntlm/message'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::WinRM
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::AuthBrute
+
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'           => 'WinRM Login Utility',
+			'Version'        => '$Revision$',
+			'Description'    => %q{
+				This module attempts to authenticate to a WinRM service. It currently
+				works only if the remote end allows Negotiate(NTLM) authentication.
+				Kerberos is not currently supported.
+				},
+			'References'  =>
+				[
+
+				],
+			'Author'         => [ 'thelightcosine' ],
+			'References'     =>
+				[
+					[ 'CVE', '1999-0502'] # Weak password
+				],
+			'License'        => MSF_LICENSE
+		)
+
+	end
+
+
+	def run_host(ip)
+		unless accepts_ntlm_auth
+			print_error "The Remote WinRM  server  (#{ip} does not appear to allow Negotiate(NTLM) auth"
+			return
+		end
+		each_user_pass do |user, pass|
+			resp,c = send_request_ntlm(test_request)
+			if resp.nil?
+				print_error "Got no reply from the server, connection may have timed out"
+				return
+			elsif  resp.code == 200
+				cred_hash = {
+					:host              => ip,
+					:port              => rport,
+					:sname          => 'winrm',
+					:pass              => pass,
+					:user              => user,
+					:source_type => "user_supplied",
+					:active            => true
+				}
+				report_auth_info(cred_hash)
+				print_good "Valid credential found: #{user}:#{pass}"
+			elsif resp.code == 401
+				print_error "Login failed: #{user}:#{pass}"
+			else
+				print_error "Recieved unexpected Response Code: #{resp.code}"
+			end
+		end
+	end
+
+
+	def test_request
+		data = winrm_wql_msg("Select Name,Status from Win32_Service")
+	end
+
+end
