Add WinRM #108
Thanks mate, I'll definitely check this out real soon

```python
result = session.smb_session.execute_ps(f"dir {file_path}")[0]
return ntpath.basename(file_path).lower() in result.lower() or os.path.basename(file_path).lower() in result.lower()
```
```python
def open(self, share, path, file, timeout=3):
```
If I understand correctly, this will download the whole lsass dump locally (when used on remote lsass dump)?
Yes, I did not find a way to implement the file interactions over WinRM because WinRM doesn't have a file handle open/read/close concept since it is basically just a SOAP API for PowerShell commands. I download the file to /tmp/ to be able to get a FileObject so I can use open/read/close. If you know a way to implement it properly let me know :)
Alright, then I think the best approach would be to keep all the WinRM code for command execution, but keep the existing SMB code for file reads.
WinRM is a great alternative for command execution (because most SMB techniques, like creating a service or a scheduled task, are well known by EDRs), but SMB for file reads isn't monitored the same way.
…raction DumpMethod now differs between execution and file interaction so that it is possible to use winrm as execution path but smb as file interaction or vice versa. When execution and file interactions are the same both sessions refer to the same session object.

I have changed the DumpMethod to allow for different sessions for execution and file interaction. At first I wanted to add an intelligent session object but this solution would have overcomplicated the existing code. This now allows mixing and matching execution and file interaction sessions. It is also optionally possible to independently set ports and credentials for the different methods for some edge cases where the same user does have access to one service but not the other.
This pull request aims to fix/remediate #78. I have implemented a winrm Exec class, a WinrmFile class and a WinrmSession class which I designed as drop-in replacements for the already existing smb functionality. Additionally I have changed the console, core and dumpmethod modules to implement the winrm functionality into the program.
I have tested those changes on HTB Academy boxes.
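As an added illustration (not lsassy's code and not this PR's), a minimal sketch of the execution/file-interaction split described in the commit message and the PR description above: the `Endpoint`, `SmbSession`, `WinrmSession` and `DumpMethod` classes, method names and sample hosts are all constructed for the example, and the session classes only return markers instead of talking to a host.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """Host, port and credentials for one protocol (constructed example values)."""
    host: str
    port: int
    username: str
    password: str


class SmbSession:
    """Stand-in for the SMB side: command execution plus real file handles."""
    def __init__(self, ep: Endpoint):
        self.ep = ep

    def execute(self, cmd: str) -> str:
        return f"smb://{self.ep.host}:{self.ep.port} ran: {cmd}"

    def read_file(self, share: str, path: str) -> bytes:
        # Real code would open/read/close a handle over SMB; return a marker here.
        return f"{share}{path}".encode()


class WinrmSession:
    """Stand-in for the WinRM side: PowerShell over SOAP, no file-handle concept."""
    def __init__(self, ep: Endpoint):
        self.ep = ep

    def execute(self, cmd: str) -> str:
        return f"winrm://{self.ep.host}:{self.ep.port} ran: {cmd}"

    def read_file(self, share: str, path: str) -> bytes:
        # No handle to seek/read from: the whole file must be pulled via a command.
        return self.execute(f"<fetch whole file {path}>").encode()


SESSION_TYPES = {"smb": SmbSession, "winrm": WinrmSession}


class DumpMethod:
    """One session for execution, one for file interaction; shared when identical."""
    def __init__(self, exec_method, exec_ep, file_method=None, file_ep=None):
        file_method = file_method or exec_method
        file_ep = file_ep or exec_ep
        self.exec_session = SESSION_TYPES[exec_method](exec_ep)
        if (file_method, file_ep) == (exec_method, exec_ep):
            self.file_session = self.exec_session  # same object, one connection
        else:
            self.file_session = SESSION_TYPES[file_method](file_ep)
```

Because endpoints compare by value, a different port or user on the same method yields a second session, which covers the edge case mentioned in the comment.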