Merge pull request #34 from Hackplayers/dev

Dev to master v2.4

Author: OscarAkaElvis

.editorconfig

@@ -0,0 +1,21 @@
+#EditorConfig: http://editorconfig.org
+
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+
+[*.{rb,md}]
+indent_style = space
+indent_size = 4
+trim_trailing_whitespace = true
+
+[Gemfile]
+indent_style = space
+indent_size = 4
+
+[Dockerfile]
+indent_style = space
+indent_size = 4

CHANGELOG.md

@@ -1,3 +1,9 @@
+### 2.4
+ - File permission access error now handled in exception to avoid losing connection
+ - Improvements on bundler installation method
+ - Added spn (Service Principal Names) option param for kerberos auth to set some different than default HTTP
+ - Fixed prompt colors (ANSI)
+
 ### 2.3
  - Fixed Invoke-Binary arguments
  - Service function improved, now show privileges over the services
@@ -29,7 +35,7 @@
 ### 1.8
  - Added pass-the-hash feature
  - Added bundler installation method
- 
+
 ### 1.7
  - Added x64 compatibility to use Donut payloads
 

Gemfile.lock

@@ -40,6 +40,3 @@ DEPENDENCIES
   stringio
   winrm
   winrm-fs
-
-BUNDLED WITH
-   2.0.2

README.md

@@ -15,6 +15,9 @@ if you have credentials and permissions to use it. So we can say that it could b
 phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used with legitimate 
 purposes by system administrators as well but the most of its features are focused on hacking/pentesting stuff.
 
+It is based mainly in the WinRM Ruby library which changed its way to work since its version 2.0. Now instead of using WinRM 
+protocol, it is using PSRP (Powershell Remoting Protocol) for initializing runspace pools as well as creating and processing pipelines.
+
 ## Features
  - Compatible to Linux and Windows client systems
  - Load in memory Powershell scripts
@@ -36,18 +39,19 @@ purposes by system administrators as well but the most of its features are focus
 
 ## Help
 ```
-Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
+Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX]
     -S, --ssl                        Enable ssl
     -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate
     -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate
     -r, --realm DOMAIN               Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
     -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path
+        --spn SPN_PREFIX             SPN prefix for Kerberos auth (default HTTP)
     -e, --executables EXES_PATH      C# executables local path
-    -i, --ip IP                      Remote host IP or hostname (required)
-    -U, --url URL                    Remote url endpoint (default wsman)
+    -i, --ip IP                      Remote host IP or hostname. FQDN for Kerberos auth (required)
+    -U, --url URL                    Remote url endpoint (default /wsman)
     -u, --user USER                  Username (required if not using kerberos)
     -p, --password PASS              Password
-    -H, --hash NTHash                NTHash 
+    -H, --hash HASH                  NTHash
     -P, --port PORT                  Remote host port (default 5985)
     -V, --version                    Show version
     -n, --no-colors                  Disable colors
@@ -73,9 +77,10 @@ For some Linux like Debian based (Kali, Parrot, etc.) it is called `krb5-user`.
  - Step 3. Ready. Just launch it! `~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'`
 
 ### Method 3. Using bundler (dependencies will not be installed on your system, just to use evil-winrm)
- - Step 1. Install bundler: `gem install bundler:2.0.2`
- - Step 2. Install dependencies with bundler: `cd evil-winrm && bundle install --path vendor/bundle`
- - Step 3. Launch it with bundler: `bundle exec evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'`
+ - Step 1. Install bundler: `gem install bundler`
+ - Step 2. Clone the repo: `git clone https://github.com/Hackplayers/evil-winrm.git`
+ - Step 3. Install dependencies with bundler: `cd evil-winrm && bundle install --path vendor/bundle`
+ - Step 4. Launch it with bundler: `bundle exec evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'`
 
 ### Method 4. Using Docker
  - Step 1. Launch docker container based on already built image: `docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/ps1_scripts/' -e '/exe_files/'`
@@ -221,7 +226,7 @@ Use it at your own servers and/or with the server owner's permission.
 [@_Laox]: https://twitter.com/_Laox
 
 <!-- Badges URLs -->
-[Version-shield]: https://img.shields.io/badge/version-2.3-blue.svg?style=flat-square&colorA=273133&colorB=0093ee "Latest version"
+[Version-shield]: https://img.shields.io/badge/version-2.4-blue.svg?style=flat-square&colorA=273133&colorB=0093ee "Latest version"
 [Ruby2.3-shield]: https://img.shields.io/badge/ruby-2.3%2B-blue.svg?style=flat-square&colorA=273133&colorB=ff0000 "Ruby 2.3 or later"
 [License-shield]: https://img.shields.io/badge/license-LGPL%20v3%2B-blue.svg?style=flat-square&colorA=273133&colorB=bd0000 "LGPL v3+"
 [Docker-shield]: https://img.shields.io/docker/cloud/automated/oscarakaelvis/evil-winrm.svg?style=flat-square&colorA=273133&colorB=a9a9a9 "Docker rules!"

evil-winrm.rb

@@ -17,7 +17,7 @@
 # Constants
 
 # Version
-VERSION = '2.3'
+VERSION = '2.4'
 
 # Msg types
 TYPE_INFO = 0
@@ -46,6 +46,7 @@
 $user = ""
 $password = ""
 $url = "wsman"
+$default_service = "HTTP"
 
 # Redefine download method from winrm-fs
 module WinRM
@@ -85,9 +86,9 @@ class EvilWinRM
 
     # Arguments
     def arguments()
-        options = { port:$port, url:$url }
+        options = { port:$port, url:$url, service:$service }
         optparse = OptionParser.new do |opts|
-            opts.banner = "Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]"
+            opts.banner = "Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX]"
             opts.on("-S", "--ssl", "Enable ssl") do |val|
                 $ssl = true
                 options[:port] = "5986"
@@ -96,10 +97,11 @@ def arguments()
             opts.on("-k", "--priv-key PRIVATE_KEY_PATH", "Local path to private key certificate") { |val| options[:priv_key] = val }
             opts.on("-r", "--realm DOMAIN", "Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }") { |val| options[:realm] = val.upcase }
             opts.on("-s", "--scripts PS_SCRIPTS_PATH", "Powershell scripts local path") { |val| options[:scripts] = val }
+            opts.on("--spn SPN_PREFIX", "SPN prefix for Kerberos auth (default HTTP)") { |val| options[:service] = val }
             opts.on("-e", "--executables EXES_PATH", "C# executables local path") { |val| options[:executables] = val }
             opts.on("-i", "--ip IP", "Remote host IP or hostname. FQDN for Kerberos auth (required)") { |val| options[:ip] = val }
             opts.on("-U", "--url URL", "Remote url endpoint (default /wsman)") { |val| options[:url] = val }
-            opts.on("-u", "--user USER", "Username (required)") { |val| options[:user] = val }
+            opts.on("-u", "--user USER", "Username (required if not using kerberos)") { |val| options[:user] = val }
             opts.on("-p", "--password PASS", "Password") { |val| options[:password] = val }
             opts.on("-H", "--hash HASH", "NTHash") do |val|
                 if !options[:password].nil? and !val.nil?
@@ -163,6 +165,12 @@ def arguments()
         $pub_key = options[:pub_key]
         $priv_key = options[:priv_key]
         $realm = options[:realm]
+        $service = options[:service]
+        if !$realm.nil? then
+            if $service.nil? then
+                $service = $default_service
+            end
+        end
     end
 
     # Print script header
@@ -200,7 +208,8 @@ def connection_initialization()
                 user: "",
                 password: "",
                 transport: :kerberos,
-                realm: $realm
+                realm: $realm,
+                service: $service
             )
         else
             $conn = WinRM::Connection.new(
@@ -225,7 +234,7 @@ def docker_detection()
     def colorize(text, color = "default")
         colors = {"default" => "38", "blue" => "34", "red" => "31", "yellow" => "1;33", "magenta" => "35"}
         color_code = colors[color]
-        return "\033[0;#{color_code}m#{text}\033[0m"
+        return "\001\033[0;#{color_code}m\002#{text}\001\033[0m\002"
     end
 
     # Messsage printing
@@ -393,6 +402,10 @@ def main
             self.print_message("Password is not needed for Kerberos auth. Ticket will be used", TYPE_WARNING)
         end
 
+        if $realm.nil? and !$service.nil? then
+            self.print_message("Useless spn provided, only used for Kerberos auth", TYPE_WARNING)
+        end
+
         if !$scripts_path.nil? then
             self.check_directories($scripts_path, "scripts")
             functions = self.read_scripts($scripts_path)
@@ -412,7 +425,7 @@ def main
               when Readline.line_buffer =~ /help.*/i
                 puts("#{$LIST.join("\t")}")
               when Readline.line_buffer =~ /\[.*/i
-                $LISTASSEM.grep( /^#{Regexp.escape(str)}/i ) unless str.nil?              
+                $LISTASSEM.grep( /^#{Regexp.escape(str)}/i ) unless str.nil?
               when Readline.line_buffer =~ /Invoke-Binary.*/i
                 executables.grep( /^#{Regexp.escape(str)}/i ) unless str.nil?
               when Readline.line_buffer =~ /donutfile.*/i
@@ -590,6 +603,10 @@ def main
                             STDERR.print(stderr)
                         end
                     end
+                rescue Errno::EACCES => ex
+                    puts()
+                    self.print_message("An error of type #{ex.class} happened, message is #{ex.message}", TYPE_ERROR)
+                    retry
                 rescue Interrupt
                     puts("\n\n")
                     self.print_message("Press \"y\" to exit, press any other key to continue", TYPE_WARNING)