Closed
Description
Steps to reproduce
I tried to connect with WinRM using Kerberos authentication, doing the following:
msf auxiliary(scanner/winrm/winrm_login) > use auxiliary/scanner/winrm/winrm_login
msf auxiliary(scanner/winrm/winrm_login) > run rhost=10.10.10.10 username=john password=p@ss winrm::auth=kerberos domaincontrollerrhost=10.10.10.10 winrm::rhostname=dc01.test.corp domain=test.corp
Were you following a specific guide/tutorial or reading documentation?
https://docs.metasploit.com/docs/pentesting/metasploit-guide-winrm.html#kerberos-authentication
Expected behavior
This should have got me a session like in the guide attached above.
Current behavior
But I had the following error output:
[+] 10.10.11.78:88 - Received a valid TGT-Response
[*] 10.10.11.78:5985 - TGT MIT Credential Cache ticket saved to /home/silver/.msf4/loot/20251005213427_default_10.10.11.78_mit.kerberos.cca_296558.bin
[+] 10.10.11.78:88 - Received a valid TGS-Response
[*] 10.10.11.78:5985 - TGS MIT Credential Cache ticket saved to /home/silver/.msf4/loot/20251005213429_default_10.10.11.78_mit.kerberos.cca_040298.bin
[+] 10.10.11.78:88 - Received a valid delegation TGS-Response
[+] 10.10.11.78:88 - Received AP-REQ. Extracting session key...
[!] No active DB -- Credential data will not be saved!
[+] 10.10.11.78:5985 - Login Successful: test.corp\john:p@ass
/opt/metasploit-framework/embedded/lib/ruby/gems/3.4.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
/opt/metasploit-framework/embedded/lib/ruby/gems/3.4.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
/opt/metasploit-framework/embedded/lib/ruby/gems/3.4.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
[!] 10.10.11.78:5985 - LOGIN FAILED: {private_data: "p@ss", private_type: :password, username: "john", realm_key: "Active Directory Domain", realm_value: "test.corp"} - Unhandled error - scan may not produce correct results: [WSMAN ERROR CODE: 5]: <f:WSManFault Code='5' Machine='10.10.11.78' xmlns:f='http://schemas.microsoft.com/wbem/wsman/1/wsmanfault'><f:Message>Access is denied. </f:Message></f:WSManFault> - [...]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
There was already an issue closed about this error but maybe the current use case wasn't part of what they tested:
#8900
Metasploit version
Framework: 6.4.91-dev-
Console : 6.4.91-dev-
If the issue is encountered within msfconsole, please run the debug command using the instructions below. If the issue is encountered outside msfconsole, or the issue causes msfconsole to crash on startup, please delete this section.
- Start msfconsole
- Run the command set loglevel 3
- Take the steps necessary to recreate your issue
- Run the debug command
- Copy all the output below the ===8<=== CUT AND PASTE EVERYTHING BELOW THIS LINE ===8<=== line and make sure to REMOVE ANY SENSITIVE INFORMATION.
- Replace these instructions and the paragraph above with the output from step 5.
smcintyre-r7