
auxiliary/scanner/winrm/winrm_cmd: WinRM Authentication Issue (HTTP Error 500) #8900

Closed
1 task done
curi0usJack opened this issue Aug 28, 2017 · 12 comments
Labels
bug, not-stale

Comments

@curi0usJack

curi0usJack commented Aug 28, 2017

Steps to reproduce

Firing commands using the auxiliary/scanner/winrm/winrm_cmd fails with an HTTP 500.

[screenshot: winrm_cmd output showing the HTTP 500]

Confirmed WinRM is working correctly using the following commands via meterpreter PowerShell extension:

[screenshot: meterpreter PowerShell commands]

(Yes, routing is set up properly). Victim host is Windows 10. Target is Windows Server 2012 R2. Both NTLM & Kerberos auth options confirmed open.

Wireshark on the victim is revealing interesting data.

Properly working request (from Invoke-Command):

[screenshot: Wireshark capture of the working request]

Failing request (winrm_cmd):

[screenshot: Wireshark capture of the failing request]

Seems as though the second response of NTLM negotiation is being truncated by metasploit, but not positive.

System stuff

Metasploit version - 4.15.2-dev

I installed Metasploit with:

  • Kali package via apt

OS

What OS are you running Metasploit on? Kali

@busterb busterb added the bug label Aug 29, 2017
@curi0usJack
Author

I enabled analytical logging on the target and caught the following message:

[screenshot: WinRM analytical log message]

I know I can enable unencrypted messages on the target, but that would be a security downgrade. Any metasploit options to do this that I'm not seeing?

@sempervictus
Contributor

What's the crypto scheme they use? A few are implemented in Rex and ruby-smb... Maybe we can port em if missing from winrm.
Ping @dmaloney-r7

@thelightcosine

The current WinRM implementation in Metasploit does not support encrypted communication or kerberos.

@AndyXan

AndyXan commented Oct 8, 2019

This seems to be unchanged for 2 years now. I stumbled upon the very same problem during a Hackthebox machine (heist) again this year. Are there any plans to support this currently?

A working implementation is provided (in ruby already) by https://github.com/WinRb/WinRM, which works kinda good.

@0ca

0ca commented Feb 12, 2020

Same problem here with a different Hackthebox machine.
It worked perfectly with evil-winrm coded also in Ruby:
https://github.com/Hackplayers/evil-winrm

@github-actions

github-actions bot commented Jan 5, 2021

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-actions github-actions bot added the Stale label Jan 5, 2021
@dwelch-r7 dwelch-r7 added the not-stale label and removed the Stale label Jan 5, 2021
@dwelch-r7
Contributor

dwelch-r7 commented Jan 5, 2021

This might be fixed in the latest release by this PR: #13974

@0ca you mentioned a box other than "heist"; would you mind confirming if it's fixed for you too? And if you could let us know the box name too, thanks!

@github-actions github-actions bot added the Stale label Feb 5, 2021
@bcoles
Contributor

bcoles commented Feb 24, 2021

> This might be fixed in the latest release by this PR: #13974
>
> @0ca you mentioned a box other than "heist"; would you mind confirming if it's fixed for you too? And if you could let us know the box name too, thanks!

I can still reproduce this error on Windows Server 2012 R2 (once remote management has been enabled with Enable-PSRemoting -force).

  • auxiliary/scanner/winrm/winrm_login works
  • auxiliary/scanner/winrm/winrm_cmd returns a 500 error
  • exploit/windows/winrm/winrm_script_exec returns a login failure (the 500 error server response is hidden from output)

Tested with set rport 5985 and set ssl false (defaults).

@bcoles
Contributor

bcoles commented Feb 24, 2021

Allowing unencrypted communications allowed auxiliary/scanner/winrm/winrm_cmd to work as expected:

winrm set winrm/config/service @{AllowUnencrypted="true"}
msf6 auxiliary(scanner/winrm/winrm_cmd) > set cmd whoami
cmd => whoami
msf6 auxiliary(scanner/winrm/winrm_cmd) > run

[+] 172.16.191.211:5985  : win-jq2r6m6po5e\user

[+] Results saved to /root/.msf4/loot/20210223231611_default_172.16.191.211_winrm.cmd_result_012967.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/winrm/winrm_cmd) > 

Although exploit/windows/winrm/winrm_script_exec crashes for a different reason (#11456 (comment)):

msf6 exploit(windows/winrm/winrm_script_exec) > git diff modules/exploits/windows/winrm/winrm_script_exec.rb
[*] exec: git diff modules/exploits/windows/winrm/winrm_script_exec.rb

diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb
index 6f280b9d45..1025c409c9 100644
--- a/modules/exploits/windows/winrm/winrm_script_exec.rb
+++ b/modules/exploits/windows/winrm/winrm_script_exec.rb
@@ -229,6 +229,7 @@ class MetasploitModule < Msf::Exploit::Remote
   def valid_login?
     data = winrm_wql_msg("Select Name,Status from Win32_Service")
     resp = send_winrm_request(data)
+    puts resp.inspect
     unless resp.code == 200
       return false
     end
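Review bot: the added `puts resp.inspect` line writes the entire Rex response object to the console, and that object carries the echoed request including its `Authorization: Negotiate` NTLM token (visible in the dump that follows), so this should stay a local debugging aid rather than land in the module; if a permanent trace is wanted, log only what is needed through the module's own output helpers, e.g. `vprint_status("WinRM WQL response code: #{resp.code}")`, so credentials material never reaches the console or loot logs.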
msf6 exploit(windows/winrm/winrm_script_exec) > rexploit 
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.191.192:4444 
#<Rex::Proto::Http::Response:0x000055cb2ef8b278 @headers={"Content-Type"=>"application/soap+xml;charset=UTF-8", "Server"=>"Microsoft-HTTPAPI/2.0", "Date"=>"Wed, 24 Feb 2021 04:14:26 GMT", "Content-Length"=>"1001"}, @auto_cl=true, @state=3, @transfer_chunked=false, @inside_chunk=false, @bufq="", @body="<s:Envelope xml:lang=\"en-US\" xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\"><s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/09/enumeration/EnumerateResponse</a:Action><a:MessageID>uuid:08BB7B6D-50D5-4BBA-8110-503465919754</a:MessageID><a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To><a:RelatesTo>uuid:cda946d0-7afc-425a-9fa3-e7f2dd3a6734</a:RelatesTo></s:Header><s:Body><n:EnumerateResponse><n:EnumerationContext>uuid:7C1E32AC-2F95-418E-931A-CD37A5928FBD</n:EnumerationContext><w:Items><w:XmlFragment xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:m=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\"><Name>AeLookupSvc</Name><Status>OK</Status></w:XmlFragment></w:Items></n:EnumerateResponse></s:Body></s:Envelope>", @code=200, @message="", @proto="1.1", @chunk_min_size=1, @chunk_max_size=10, @count_100=0, @max_data=1048576, @body_bytes_left=0, @request="POST /wsman HTTP/1.1\r\nHost: 172.16.191.211:5985\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nAuthorization: Negotiate 
TlRMTVNTUAADAAAAGAAYAEAAAADIAMgAWAAAABYAFgAgAQAACAAIADYBAAAQABAAPgEAABAAEABOAQAANYII4Hzd5dtnWOKqgoUtgP+7FW1JxHI1tCoYIGclJoiZ2pOLmBgyPX94UlcBAQAAAAAAAICOs5JjCtcBScRyNbQqGCAAAAAAAgAeAFcASQBOAC0ASgBRADIAUgA2AE0ANgBQAE8ANQBFAAEAHgBXAEkATgAtAEoAUQAyAFIANgBNADYAUABPADUARQAEAB4AVwBJAE4ALQBKAFEAMgBSADYATQA2AFAATwA1AEUAAwAeAFcASQBOAC0ASgBRADIAUgA2AE0ANgBQAE8ANQBFAAcACADEjEmKYwrXAQAAAAAAAAAAVwBPAFIASwBTAFQAQQBUAEkATwBOAHUAcwBlAHIAVABJAEMAYQBRAGYAcABCAPvZIow+i03h/Sm4o2mIVZw=\r\nContent-Type: application/soap+xml;charset=UTF-8\r\nContent-Length: 1854\r\n\r\n\n      <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n      <env:Envelope xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:b=\"http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd\"\n      xmlns:cfg=\"http://schemas.microsoft.com/wbem/wsman/1/config\" xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\"\n      xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\"\n      xmlns:rsp=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\"\n      xmlns:x=\"http://schemas.xmlsoap.org/ws/2004/09/transfer\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n      xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"> \n      <env:Header>\n      <a:To>http://172.16.191.211:5985</a:To>\n      <a:ReplyTo>\n        <a:Address mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>\n      </a:ReplyTo>\n      <w:MaxEnvelopeSize mustUnderstand=\"true\">153600</w:MaxEnvelopeSize>\n      <a:MessageID>uuid:cda946d0-7afc-425a-9fa3-e7f2dd3a6734</a:MessageID>\n      <w:Locale mustUnderstand=\"false\" xml:lang=\"en-US\"/>\n      <p:DataLocale mustUnderstand=\"false\" xml:lang=\"en-US\"/>\n      <w:OperationTimeout>PT60S</w:OperationTimeout>\n      <w:ResourceURI 
mustUnderstand=\"true\">http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/*</w:ResourceURI>\n      <a:Action mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate</a:Action>\n    </env:Header>\n    \n        <env:Body>\n        <n:Enumerate>\n          <w:OptimizeEnumeration xsi:nil=\"true\"/>\n          <w:MaxElements>32000</w:MaxElements>\n          <w:Filter Dialect=\"http://schemas.microsoft.com/wbem/wsman/1/WQL\">Select Name,Status from Win32_Service</w:Filter>\n        </n:Enumerate>\n      </env:Body>\n    </env:Envelope>\n    ", @peerinfo={"addr"=>"172.16.191.211", "port"=>5985}>
[*] checking for Powershell 2.0
[-] Exploit failed: RuntimeError [BUG] Unexpected node test: <:child>: <[:qname, "w", "Items"]>
[*] Exploit completed, but no session was created.
msf6 exploit(windows/winrm/winrm_script_exec) > 
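The `AllowUnencrypted="true"` workaround above makes the WinRM SOAP bodies (and every command result) cross the wire in cleartext. As an added example, not code from this issue or from Metasploit, the following script audits a Windows host for that setting and can revert it; it assumes an elevated PowerShell session on the WinRM host with the WinRM service running, since the `WSMan:` drive is only populated then.

```powershell
# Added example (not from the issue thread or Metasploit): report whether a host
# permits cleartext WinRM traffic and optionally restore AllowUnencrypted=false.
# Assumes an elevated session on the WinRM host itself.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

function Get-WinRMEncryptionPosture {
    $svc = 'WSMan:\localhost\Service'
    # The service-level switch the workaround flips; 'true' disables the
    # requirement for SPNEGO/Kerberos message-level encryption over HTTP.
    $allowUnencrypted = (Get-Item "$svc\AllowUnencrypted").Value -eq 'true'

    # Accepted authentication methods (Basic, Kerberos, Negotiate, CredSSP, ...).
    $auth = @{}
    Get-ChildItem "$svc\Auth" | ForEach-Object { $auth[$_.Name] = ($_.Value -eq 'true') }

    # Transport of every listener: HTTP listeners rely on message-level
    # encryption, HTTPS listeners on TLS, so only HTTP is affected by the flag.
    $transports = @(Get-ChildItem 'WSMan:\localhost\Listener' | ForEach-Object {
        (Get-ChildItem $_.PSPath | Where-Object { $_.Name -eq 'Transport' }).Value
    })

    $finding = 'OK'
    if ($allowUnencrypted -and ($transports -contains 'HTTP')) {
        $finding = 'Cleartext WinRM permitted over HTTP (AllowUnencrypted=true)'
    }

    [pscustomobject]@{
        AllowUnencrypted = $allowUnencrypted
        Auth             = $auth
        Transports       = $transports
        Finding          = $finding
    }
}

$posture = Get-WinRMEncryptionPosture
$posture | Format-List

if ($Remediate -and $posture.AllowUnencrypted) {
    $path = 'WSMan:\localhost\Service\AllowUnencrypted'
    if ($PSCmdlet.ShouldProcess($path, 'Set to false')) {
        # Same effect as: winrm set winrm/config/service @{AllowUnencrypted="false"}
        Set-Item -Path $path -Value $false
    }
}
```

Run it with `-Remediate -WhatIf` first to see the change that would be made without applying it.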

@bcoles bcoles added the not-stale label and removed the Stale label Feb 24, 2021
@bcoles bcoles changed the title from "WinRM Authentication Issue (HTTP Error 500)" to "auxiliary/scanner/winrm/winrm_cmd: WinRM Authentication Issue (HTTP Error 500)" Feb 24, 2021
@digininja
Contributor

I've just come across this as well. Setting FORCE_VBS true allowed the exploit to work for me.

Not a fix for the actual problem, but a possible workaround for anyone else wanting to use this.

@bcoles bcoles mentioned this issue Sep 1, 2021
@smashery
Contributor

This was resolved by #15632, as encrypted comms were implemented with that.

Replicating immediately before this PR (commit a1eef6a):

msf6 auxiliary(scanner/winrm/winrm_cmd) > run rhosts=192.168.20.210 username=Administrator password=Password123! domain=pod8

[-] Got unexpected response: 
 HTTP/1.1 500
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 29 Nov 2022 15:35:53 GMT
Connection: close

Fixed after the merge (commit ca6f957):

msf6 auxiliary(scanner/winrm/winrm_cmd) > run rhosts=192.168.20.210 username=Administrator password=Password123! domain=pod8 cmd=whoami

pod8\administrator
[+] Results saved to /home/smash/.msf4/loot/20221130133759_default_192.168.20.210_winrm.cmd_result_936840.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
