Web Services Management (WS-Man) / Windows Remote Management (WinRM) Detection (HTTP)

2014-03-1900:00:00
plugins.openvas.org
491
JSON
HTTP based detection of Web Services Management (WS-Man) /
Windows Remote Management (WinRM).
# SPDX-FileCopyrightText: 2014 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.103923");
  script_version("2023-10-11T05:05:54+0000");
  script_tag(name:"last_modification", value:"2023-10-11 05:05:54 +0000 (Wed, 11 Oct 2023)");
  script_tag(name:"creation_date", value:"2014-03-19 12:39:47 +0100 (Wed, 19 Mar 2014)");
  script_tag(name:"cvss_base", value:"0.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");

  script_tag(name:"qod_type", value:"remote_banner");

  script_name("Web Services Management (WS-Man) / Windows Remote Management (WinRM) Detection (HTTP)");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2014 Greenbone AG");
  script_family("Service detection");
  script_dependencies("find_service.nasl", "httpver.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 5985);
  script_exclude_keys("Settings/disable_cgi_scanning");

  script_tag(name:"summary", value:"HTTP based detection of Web Services Management (WS-Man) /
  Windows Remote Management (WinRM).");

  script_xref(name:"URL", value:"https://www.dmtf.org/standards/ws-man");
  script_xref(name:"URL", value:"https://learn.microsoft.com/en-us/windows/win32/winrm/portal");

  exit(0);
}

include("byte_func.inc");
include("cpe.inc");
include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");
include("os_func.inc");
include("port_service_func.inc");

port = http_get_port(default: 5985);

banner = http_get_remote_headers(port: port);

if (!banner || banner !~ "HTTP/(2|1\.[01]) (404|405|501)")
  exit(0);

headers = make_array("Content-Type", "application/soap+xml;charset=UTF-8",
                     "WSMANIDENTIFY", "unauthenticated");

data = '<?xml version="1.0" encoding="UTF-8"?>\n' +
       '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" ' +
       'xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd">' +
       '<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>';

foreach url (make_list("/wsman-anon", "/wsman")) {
  req = http_post_put_req(port: port, url: url, data: data, add_headers: headers);
  res = http_keepalive_send_recv(port: port, data: req, fetch404: TRUE);

  if (res =~ 'Basic\\s*realm="OPENWSMAN"' || "<wsmid:IdentifyResponse" >< res) {
    set_kb_item(name: "wsman/detected", value: TRUE);
    set_kb_item(name: "wsman/http/detected", value: TRUE);

    service_register(port: port, proto: "wsman");

    report = "A WS-Man service is running at this port.";

    if ("<wsmid:IdentifyResponse" >< res) {
      set_kb_item(name: "winrm/detected", value: TRUE);
      set_kb_item(name: "winrm/http/detected", value: TRUE);
      service_register(port: port, proto: "winrm");

      report += '\n\nThe service supports Windows Remote Management (WinRM).';

      # <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header/><s:Body><wsmid:IdentifyResponse xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion><wsmid:ProductVendor>Microsoft Corporation</wsmid:ProductVendor><wsmid:ProductVersion>OS: 0.0.0 SP: 0.0 Stack: 3.0</wsmid:ProductVersion></wsmid:IdentifyResponse></s:Body></s:Envelope>
      vend = eregmatch(pattern: "<wsmid:ProductVendor>([^<]+)", string: res);
      if (!isnull(vend[1]))
        vendor = vend[1];

      vers = eregmatch(pattern: "<wsmid:ProductVersion>([^<]+)", string: res);
      if (!isnull(vers[1]))
        version = vers[1];

      if (vendor || version) {
        report += '\n\nThe following information was extracted:\n';
        if (vendor)
          report += "  Product Vendor: " + vendor + '\n';
        if (version)
          report += "  Product Version: " + version + '\n';
      }

      headers = make_array("Authorization", "Negotiate TlRMTVNTUAABAAAAt4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==",
                           "Content-Type", "application/soap+xml;charset=UTF-8",
                           "Content-Length", 0); # nb: Content-Length is needed
      data = "";

      req = http_post_put_req(port: port, url: url, data: data, add_headers: headers);
      res = http_keepalive_send_recv(port: port, data: req);

      ntlm = eregmatch(pattern: 'Negotiate (TlRMTVNT[^\n\r]+)', string: res, icase: FALSE);
      if (!isnull(ntlm[1]) && strlen(ntlm[1]) >= 52) {
        ntlm = base64_decode(str: ntlm[1]);
        version_bytes = substr(ntlm, 48, 52);
        os_version = ord(version_bytes[0]) + "." + ord(version_bytes[1]) + "." +
                       getword(blob: version_bytes, pos: 2);

        report += '\nThe following information was extracted from the NTLM challenge:\n';
        report += "  OS Version: " + os_version;
      }

      os_cpe = build_cpe(value: os_version, exp: "^([0-9.]+)", base: "cpe:/o:microsoft:windows:");
      if (!os_cpe)
        os_cpe = "cpe:/o:microsoft:windows";

      os_register_and_report(os: "Microsoft Windows", cpe: os_cpe, port: port, runs_key: "windows",
                             desc: "Web Services Management (WS-Man) / Windows Remote Management (WinRM) Detection (HTTP)");
    }

    report += '\n\nConcluded from version/product identification location: ' +
              http_report_vuln_url(port: port, url: url, url_only: TRUE);

    log_message(port: port, data: chomp(report));
    exit(0);
  }
}

exit(0);
References

learn.microsoft.com/en-us/windows/win32/winrm/portal
www.dmtf.org/standards/ws-man
JSON