Augment winrm_auth_methods module to decode and print NTLM info #11457

Open
bcoles opened this issue Feb 22, 2019 · 0 comments
Labels
enhancement suggestion-module New module suggestions

Comments

@bcoles
Contributor

bcoles commented Feb 22, 2019

Augment auxiliary/scanner/winrm/winrm_auth_methods to also decode and print NTLM domain info in the event that the target supports NTLM authentication.

Here's what looks like an overly complicated example written in Ruby:

Alternatively, take the lazy approach and indiscriminately dump everything. Pseudocode:

    require 'base64'

    # "TlRM" is the Base64 encoding of the "NTL" that opens every NTLMSSP blob,
    # so any token starting with it in WWW-Authenticate is an NTLM message.
    if res.headers['WWW-Authenticate'] =~ /\s(TlRM[^\s]+)/
      data = Base64.decode64($1)
      vprint_status data
    end

The modules/auxiliary/scanner/http/ntlm_info_enumeration.rb module already contains some parsing:

    vprint_status("Status: #{res.code}")
    if res && res.code == 401 && res['WWW-Authenticate'] && res['WWW-Authenticate'].match(/^NTLM/i)
      hash = res['WWW-Authenticate'].split('NTLM ')[1]
      # Parse out the NTLM and just get the Target Information Data
      target = Rex::Proto::NTLM::Message.parse(Rex::Text.decode_base64(hash))[:target_info].value()
      # Retrieve Domain name subblock info
      nb_domain = parse_ntlm_info(target, "\x02\x00", 0)
      # Retrieve Server name subblock info
      nb_name = parse_ntlm_info(target, "\x01\x00", nb_domain[:new_offset])
      # Retrieve DNS domain name subblock info
      dns_domain = parse_ntlm_info(target, "\x04\x00", nb_name[:new_offset])
      # Retrieve DNS server name subblock info
      dns_server = parse_ntlm_info(target, "\x03\x00", dns_domain[:new_offset])

      return {
        :nb_name    => nb_name[:message],
        :nb_domain  => nb_domain[:message],
        :dns_domain => dns_domain[:message],
        :dns_server => dns_server[:message]
      }
    end
  end

  def parse_ntlm_info(message,pattern,offset)
    name_index = message.index(pattern,offset)
    offset = name_index.to_i
    size = message[offset+2].unpack('C').first
    return {
      :message=>message[offset+3,size].gsub(/\0/,''),
      :new_offset => offset + size
    }
  end

However, this module does not support WinRM:

msf6 auxiliary(scanner/http/ntlm_info_enumeration) > set rhosts 172.16.191.211
rhosts => 172.16.191.211
msf6 auxiliary(scanner/http/ntlm_info_enumeration) > set verbose true
verbose => true
msf6 auxiliary(scanner/http/ntlm_info_enumeration) > set rport 5985
rport => 5985
msf6 auxiliary(scanner/http/ntlm_info_enumeration) > run

[*] Checking 172.16.191.211:5985   URL /aspnet_client/
[*] Status: 404
[*] Checking 172.16.191.211:5985   URL /Autodiscover/
[*] Status: 404
[*] Checking 172.16.191.211:5985   URL /exchange/
[*] Status: 404
[*] Checking 172.16.191.211:5985   URL /ecp/
[*] Status: 404
[*] Checking 172.16.191.211:5985   URL /EWS/
[*] Status: 404
[*] Checking 172.16.191.211:5985   URL /Microsoft-Server-ActiveSync/
[*] Status: 404
[*] Checking 172.16.191.211:5985   URL /OAB/
[*] Status: 404
[*] Checking 172.16.191.211:5985   URL /PowerShell/
[*] Status: 404
[*] Checking 172.16.191.211:5985   URL /Rpc/
[*] Status: 404
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/ntlm_info_enumeration) > set target_uri /wsman
target_uri => /wsman
msf6 auxiliary(scanner/http/ntlm_info_enumeration) > unset TARGET_URIS_FILE 
Unsetting TARGET_URIS_FILE...
msf6 auxiliary(scanner/http/ntlm_info_enumeration) > run

[*] Checking 172.16.191.211:5985   URL /wsman
[*] Status: 405
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/ntlm_info_enumeration) > set target_uri /wsman/
target_uri => /wsman/
msf6 auxiliary(scanner/http/ntlm_info_enumeration) > run

[*] Checking 172.16.191.211:5985   URL /wsman/
[*] Status: 405
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/ntlm_info_enumeration) > 
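As an added example (not code from this issue or from Metasploit), the following Ruby parser locates the TargetInfo block through the CHALLENGE_MESSAGE's TargetInfoFields and walks the AV_PAIR list as laid out in [MS-NLMP], rather than searching the payload for `"\x02\x00"` style byte patterns the way `parse_ntlm_info` does. It goes a little beyond the four fields the module extracts (it also picks up the DNS tree name and timestamp); the function names, the `AV_IDS` symbol names and the sample challenge are all my own constructions.

```ruby
require 'base64'

# AvId values from [MS-NLMP] 2.2.2.1 AV_PAIR; the symbol names are assumptions
AV_IDS = { 1 => :nb_name, 2 => :nb_domain, 3 => :dns_server,
           4 => :dns_domain, 5 => :dns_tree, 7 => :timestamp }.freeze

# Walk the TargetInfo AV_PAIR list of an NTLM CHALLENGE_MESSAGE (Type 2),
# finding it via the TargetInfoFields (len/maxlen/offset) at header offset 40
# instead of scanning the payload for byte patterns.
def parse_ntlm_challenge(raw)
  return nil unless raw.bytesize >= 48 && raw[0, 8] == "NTLMSSP\0".b
  return nil unless raw[8, 4].unpack1('V') == 2 # MessageType must be CHALLENGE
  info_len, _max_len, info_off = raw[40, 8].unpack('vvV')
  limit = info_off + info_len
  return nil if limit > raw.bytesize # TargetInfo points outside the message
  pairs = {}
  pos = info_off
  while pos + 4 <= limit
    av_id, av_len = raw[pos, 4].unpack('vv')
    pos += 4
    break if av_id == 0 || pos + av_len > limit # MsvAvEOL or truncated pair
    value = raw[pos, av_len]
    pos += av_len
    key = AV_IDS[av_id] || :"av_#{av_id}"
    # Names are UTF-16LE; MsvAvTimestamp is a little-endian 64-bit FILETIME
    pairs[key] = av_id == 7 ? value.unpack1('Q<') : value.force_encoding('UTF-16LE').encode('UTF-8')
  end
  pairs
end

# Pull the Base64 blob out of a "WWW-Authenticate: NTLM TlRM..." header value.
def parse_www_authenticate(header)
  return nil unless header =~ /NTLM\s+(TlRM[A-Za-z0-9+\/=]+)/
  parse_ntlm_challenge(Base64.decode64(Regexp.last_match(1)))
end

# Constructed sample (not a real capture): a minimal Type 2 message whose
# TargetInfo carries NetBIOS and DNS names and ends with MsvAvEOL.
def build_sample_challenge
  utf16 = ->(s) { s.encode('UTF-16LE').b }
  av = ->(id, v) { [id, v.bytesize].pack('vv') + v }
  info = av[2, utf16['CORP']] + av[1, utf16['DC01']] +
         av[4, utf16['corp.example']] + av[3, utf16['dc01.corp.example']] + av[0, ''.b]
  name = utf16['CORP']
  "NTLMSSP\0".b + [2].pack('V') + [name.bytesize, name.bytesize, 48].pack('vvV') +
    [0x00028215].pack('V') + ("\x01" * 8).b + ("\x00" * 8).b +
    [info.bytesize, info.bytesize, 48 + name.bytesize].pack('vvV') + name + info
end
```

Feeding `parse_www_authenticate` the `WWW-Authenticate` value of a 401 from `/wsman` would give the same hash the HTTP module builds, without depending on the order the server emits the pairs in.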
@bcoles bcoles added module enhancement suggestion Suggestions for new functionality labels Feb 22, 2019
@busterb busterb added suggestion-module New module suggestions and removed module suggestion Suggestions for new functionality labels Jun 23, 2020