33 lines
1.5 KiB
Python
33 lines
1.5 KiB
Python
from autorecon.plugins import ServiceScan
|
|
from autorecon.io import fformat
|
|
|
|
class WinRMDetection(ServiceScan):
|
|
|
|
def __init__(self):
|
|
super().__init__()
|
|
self.name = 'WinRM Detection'
|
|
self.tags = ['default', 'safe', 'winrm']
|
|
|
|
def configure(self):
|
|
self.match_service_name('^wsman')
|
|
self.match_service('tcp', [5985, 5986], '^http')
|
|
|
|
async def run(self, service):
|
|
filename = fformat('{scandir}/{protocol}_{port}_winrm-detection.txt')
|
|
with open(filename, mode='wt', encoding='utf8') as winrm:
|
|
winrm.write('WinRM was possibly detected running on ' + service.protocol + ' port ' + str(service.port) + '.\nCheck _manual_commands.txt for manual commands you can run against this service.')
|
|
|
|
def manual(self, service, plugin_was_run):
|
|
service.add_manual_commands('Bruteforce logins:', [
|
|
'crackmapexec winrm {address} -d ' + self.get_global('domain', default='<domain>') + ' -u ' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + ' -p ' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt')
|
|
])
|
|
|
|
service.add_manual_commands('Check login (requires credentials):', [
|
|
'crackmapexec winrm {address} -d ' + self.get_global('domain', default='<domain>') + ' -u <username> -p <password> -x "whoami"'
|
|
])
|
|
|
|
service.add_manual_commands('Evil WinRM (gem install evil-winrm):', [
|
|
'evil-winrm -u <user> -p <password> -i {address}',
|
|
'evil-winrm -u <user> -H <hash> -i {address}'
|
|
])
|