Metasploit-framework: WinRM Authentication Issue (HTTP Error 500)

Created on 28 Aug 2017 · 5 Comments · Source: rapid7/metasploit-framework

Steps to reproduce

Firing commands using the auxiliary/scanner/winrm/winrm_cmd fails with an HTTP 500.

image

Confirmed WinRM is working correctly using the following commands via meterpreter PowerShell extension:

image

(Yes, routing is set up properly.) Victim host is Windows 10. Target is Windows Server 2012 R2. Both NTLM & Kerberos auth options confirmed open.

Wireshark on the victim is revealing interesting data.

Properly working request (from Invoke-Command):

image

Failing request (winrm_cmd):

image

Seems as though the second response of NTLM negotiation is being truncated by metasploit, but not positive.

System stuff

Metasploit version - 4.15.2-dev

I installed Metasploit with:

  • [x] Kali package via apt

OS

What OS are you running Metasploit on? Kali

Labels: bug
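The report above suspects that the second leg of the NTLM negotiation (the server's CHALLENGE_MESSAGE, Type 2, carried in the `WWW-Authenticate` header) is being cut short. The following is an added diagnostic, not Metasploit code and not from the reporter: it decodes a challenge token pulled from a capture, checks that every offset/length field in the message points inside the buffer, and lists the negotiated flags (SIGN/SEAL being the ones that later message-level protection depends on). It assumes the token is either a bare NTLMSSP blob or an SPNEGO wrapper containing one; the SPNEGO envelope is not parsed, the NTLMSSP signature is simply located inside the token. The sample challenge is constructed in the block, not taken from a real capture.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2

# NegotiateFlags bits from MS-NLMP 2.2.2.5 (subset).
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# AV_PAIR ids from MS-NLMP 2.2.2.1 (subset).
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}


def parse_av_pairs(blob: bytes) -> dict:
    """Walk the TargetInfo AV_PAIR list until MsvAvEOL; raise if it runs off the end."""
    pairs, pos = {}, 0
    while True:
        if pos + 4 > len(blob):
            raise ValueError("truncated: TargetInfo has no MsvAvEOL terminator")
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL
            return pairs
        value = blob[pos:pos + av_len]
        if len(value) != av_len:
            raise ValueError("truncated: AV_PAIR value cut short")
        pos += av_len
        name = AV_IDS.get(av_id, f"AvId{av_id}")
        pairs[name] = value.hex() if av_id == 7 else value.decode("utf-16-le")


def parse_challenge(raw: bytes) -> dict:
    """Decode a CHALLENGE_MESSAGE and verify every offset/length field lies inside the buffer."""
    if len(raw) < 48:
        raise ValueError(f"truncated: {len(raw)} bytes, fixed header needs 48")
    if raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected Type 2, got Type {msg_type}")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", raw, 12)
    (flags,) = struct.unpack_from("<I", raw, 20)
    server_challenge = raw[24:32]
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", raw, 40)
    for field, off, ln in (("TargetName", tn_off, tn_len), ("TargetInfo", ti_off, ti_len)):
        if off + ln > len(raw):
            raise ValueError(f"truncated: {field} ends at byte {off + ln}, buffer is {len(raw)}")
    name_bytes = raw[tn_off:tn_off + tn_len]
    target_name = name_bytes.decode("utf-16-le" if flags & 0x1 else "ascii")
    target_info = parse_av_pairs(raw[ti_off:ti_off + ti_len]) if flags & 0x00800000 else {}
    return {
        "target_name": target_name,
        "server_challenge": server_challenge.hex(),
        "flags": sorted(n for bit, n in NTLM_FLAGS.items() if flags & bit),
        "sign_and_seal": bool(flags & 0x10) and bool(flags & 0x20),
        "target_info": target_info,
    }


def parse_challenge_header(header_value: str) -> dict:
    """Parse 'Negotiate <b64>' or 'NTLM <b64>' as found in a WWW-Authenticate header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme not in ("Negotiate", "NTLM") or not b64:
        raise ValueError(f"not an NTLM challenge header: {header_value!r}")
    token = base64.b64decode(b64)
    start = token.find(NTLMSSP_SIGNATURE)  # skips an SPNEGO envelope if present
    if start < 0:
        raise ValueError("no NTLMSSP message inside token (Kerberos, or SPNEGO cut short?)")
    return parse_challenge(token[start:])


def build_sample_challenge() -> bytes:
    """Constructed sample Type 2 message (not a real capture): target 'LAB', one AV pair."""
    name = "LAB".encode("utf-16-le")
    info = struct.pack("<HH", 1, 10) + "SRV01".encode("utf-16-le") + struct.pack("<HH", 0, 0)
    flags = (0x00000001 | 0x00000004 | 0x00000010 | 0x00000020 | 0x00000200 | 0x00008000
             | 0x00020000 | 0x00080000 | 0x00800000 | 0x02000000 | 0x20000000
             | 0x40000000 | 0x80000000)
    tn_off = 56  # fixed header including the 8-byte Version field
    return (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
            + struct.pack("<HHI", len(name), len(name), tn_off)
            + struct.pack("<I", flags)
            + bytes(range(1, 9))          # constructed 8-byte ServerChallenge
            + b"\x00" * 8                 # Reserved
            + struct.pack("<HHI", len(info), len(info), tn_off + len(name))
            + b"\x00" * 7 + b"\x0f"       # Version field, revision byte only
            + name + info)


def sample_challenge_header() -> str:
    """The constructed challenge as it would appear in a WWW-Authenticate header."""
    return "Negotiate " + base64.b64encode(build_sample_challenge()).decode()


if __name__ == "__main__":
    print(parse_challenge_header(sample_challenge_header()))
    try:  # the same challenge cut short, as a truncated response would look
        parse_challenge(build_sample_challenge()[:60])
    except ValueError as e:
        print("rejected:", e)
```

To use it on a real capture, copy the `WWW-Authenticate` value of the 401 response (the one answering the client's Type 1) out of Wireshark and pass it to `parse_challenge_header`; a `truncated:` error on the TargetName or TargetInfo bounds is the concrete symptom the report describes, whereas a clean decode with `sign_and_seal` set points at the missing message-level encryption instead.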

All 5 comments

I enabled analytical logging on the target and caught the following message:

image

I know I can enable unencrypted messages on the target, but that would be a security downgrade. Any metasploit options to do this that I'm not seeing?

What's the crypto scheme they use? A few are implemented in Rex and ruby-smb... Maybe we can port em if missing from winrm.
Ping @dmaloney-r7

The current WinRM implementation in Metasploit does not support encrypted communication or kerberos.

This seems to be unchanged for 2 years now. I stumbled upon the very same problem during a Hackthebox machine (heist) again this year. Are there any plans to support this currently?

A working implementation is provided (in ruby already) by https://github.com/WinRb/WinRM, which works kinda good.

Same problem here with a different Hackthebox machine.
It worked perfectly with evil-winrm, also coded in Ruby:
https://github.com/Hackplayers/evil-winrm
