Updated requirements and added check for WinRM

Since Nmap reports WinRM as HTTP, the port scan plugins now do a few additional checks on ports 5985 and 5986 to avoid running needless HTTP plugins if the services are just WinRM. Updated the project dependencies to match.
personaone · Aug 7, 2022 · ef53ebb · ef53ebb
1 parent 28521f6
commit ef53ebb
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 3 deletions.
diff --git a/autorecon/default-plugins/portscan-all-tcp-ports.py b/autorecon/default-plugins/portscan-all-tcp-ports.py
@@ -1,6 +1,6 @@
 from autorecon.plugins import PortScan
 from autorecon.config import config
-import re
+import re, requests
 
 class AllTCPPortScan(PortScan):
 
@@ -33,7 +33,18 @@ async def run(self, target):
 				if match:
 					target.info('Discovered open port {bmagenta}tcp/' + match.group(1) + '{rst} on {byellow}' + target.address + '{rst}', verbosity=1)
 				service = target.extract_service(line)
+
 				if service:
+					# Check if HTTP service appears to be WinRM. If so, override service name as wsman.
+					if service.name == 'http' and service.port in [5985, 5986]:
+						wsman = requests.get(('https' if service.secure else 'http') + '://' + target.address + ':' + str(service.port) + '/wsman', verify=False)
+						if wsman.status_code == 405:
+							service.name = 'wsman'
+							wsman = requests.post(('https' if service.secure else 'http') + '://' + target.address + ':' + str(service.port) + '/wsman', verify=False)
+						else:
+							if wsman.status_code == 401:
+								service.name = 'wsman'
+
 					services.append(service)
 			else:
 				break

diff --git a/autorecon/default-plugins/portscan-top-tcp-ports.py b/autorecon/default-plugins/portscan-top-tcp-ports.py
@@ -22,5 +22,17 @@ async def run(self, target):
 
 		process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all' + traceroute_os + ' -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}', blocking=False)
 		services = await target.extract_services(stdout)
+
+		for service in services:
+			# Check if HTTP service appears to be WinRM. If so, override service name as wsman.
+			if service.name == 'http' and service.port in [5985, 5986]:
+				wsman = requests.get(('https' if service.secure else 'http') + '://' + target.address + ':' + str(service.port) + '/wsman', verify=False)
+				if wsman.status_code == 405:
+					service.name = 'wsman'
+					wsman = requests.post(('https' if service.secure else 'http') + '://' + target.address + ':' + str(service.port) + '/wsman', verify=False)
+				else:
+					if wsman.status_code == 401:
+						service.name = 'wsman'
+
 		await process.wait()
 		return services
diff --git a/pyproject.toml b/pyproject.toml
@@ -10,9 +10,11 @@ packages = [
 ]
 
 [tool.poetry.dependencies]
-python = "^3.7"
+python = "^3.8"
 appdirs = "^1.4.4"
-colorama = "^0.4.4"
+colorama = "^0.4.5"
+impacket = "^0.10.0"
+requests = "^2.28.1"
 toml = "^0.10.2"
 Unidecode = "^1.3.1"
 

diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,6 @@
 appdirs
 colorama
+impacket
+requests
 toml
 unidecode