From ef53ebb01dbe4d3375279c475a1e8b22b1cfa5a3 Mon Sep 17 00:00:00 2001
From: Tib3rius <48113936+Tib3rius@users.noreply.github.com>
Date: Sun, 7 Aug 2022 14:10:31 -0400
Subject: [PATCH] Updated requirements and added check for WinRM
Since Nmap reports WinRM as HTTP, the port scan plugins now do a few additional checks on ports 5985 and 5986 to avoid running needless HTTP plugins if the services are just WinRM. Updated the project dependencies to match.
---
 autorecon/default-plugins/portscan-all-tcp-ports.py | 13 ++++++++++++-
 autorecon/default-plugins/portscan-top-tcp-ports.py | 12 ++++++++++++
 pyproject.toml | 6 ++++--
 requirements.txt | 2 ++
 4 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/autorecon/default-plugins/portscan-all-tcp-ports.py b/autorecon/default-plugins/portscan-all-tcp-ports.py
index 5904e09..c6dc70e 100644
--- a/autorecon/default-plugins/portscan-all-tcp-ports.py
+++ b/autorecon/default-plugins/portscan-all-tcp-ports.py
@@ -1,6 +1,6 @@
 from autorecon.plugins import PortScan
 from autorecon.config import config
-import re
+import re, requests
 class AllTCPPortScan(PortScan):
@@ -33,7 +33,18 @@ async def run(self, target):
 if match:
 target.info('Discovered open port {bmagenta}tcp/' + match.group(1) + '{rst} on {byellow}' + target.address + '{rst}', verbosity=1)
 service = target.extract_service(line)
+ if service:
+ # Check if HTTP service appears to be WinRM. If so, override service name as wsman.
+ if service.name == 'http' and service.port in [5985, 5986]:
+ wsman = requests.get(('https' if service.secure else 'http') + '://' + target.address + ':' + str(service.port) + '/wsman', verify=False)
+ if wsman.status_code == 405:
+ service.name = 'wsman'
+ wsman = requests.post(('https' if service.secure else 'http') + '://' + target.address + ':' + str(service.port) + '/wsman', verify=False)
+ else:
+ if wsman.status_code == 401:
+ service.name = 'wsman'
+ services.append(service)
 else:
 break
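Review bot: `import re, requests` puts two modules on one import line, while the surrounding imports in this hunk are one statement per line. Splitting it into `import re` and `import requests` keeps the file's existing style and makes the new dependency easy to spot in a later diff.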
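Review bot: The WinRM probe in the added `if service:` block calls `requests.get(..., verify=False)` with no `timeout=` and no exception handling, so a port that accepts the connection but never answers stalls the whole port scan, and a reset or TLS failure raises `requests.exceptions.RequestException` out of `run()` and aborts the scan instead of just keeping Nmap's `http` label; the identical block in the portscan-top-tcp-ports.py hunk has the same problem. The response of the follow-up `requests.post(...)` is assigned to `wsman` but never read, so it is only an extra round-trip unless the intent was to check its status code. The probe is also synchronous inside `async def run`, so each request blocks the event loop for its full duration; a bounded timeout limits that, and wrapping the call in `await asyncio.get_event_loop().run_in_executor(None, ...)` would avoid it entirely. Below is the block with a single URL build, a timeout and best-effort error handling; run()'s body continues outside the hunk.
```python
if service:
    # Check if HTTP service appears to be WinRM. If so, override service name as wsman.
    if service.name == 'http' and service.port in [5985, 5986]:
        url = ('https' if service.secure else 'http') + '://' + target.address + ':' + str(service.port) + '/wsman'
        try:
            # Bounded wait so an unresponsive port cannot stall the scan (5s is a sample value).
            wsman = requests.get(url, verify=False, timeout=5)
        except requests.exceptions.RequestException:
            # Best-effort check: on any transport error keep the Nmap-reported name.
            wsman = None
        # 405 or 401 on /wsman is the signature the original check treats as WinRM.
        if wsman is not None and wsman.status_code in (401, 405):
            service.name = 'wsman'
    services.append(service)
# … unchanged: else/break of the match loop …
```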
diff --git a/autorecon/default-plugins/portscan-top-tcp-ports.py b/autorecon/default-plugins/portscan-top-tcp-ports.py
index 18bad23..d2185aa 100644
--- a/autorecon/default-plugins/portscan-top-tcp-ports.py
+++ b/autorecon/default-plugins/portscan-top-tcp-ports.py
@@ -22,5 +22,17 @@ async def run(self, target):
 process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all' + traceroute_os + ' -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}', blocking=False)
 services = await target.extract_services(stdout)
+
+ for service in services:
+ # Check if HTTP service appears to be WinRM. If so, override service name as wsman.
+ if service.name == 'http' and service.port in [5985, 5986]:
+ wsman = requests.get(('https' if service.secure else 'http') + '://' + target.address + ':' + str(service.port) + '/wsman', verify=False)
+ if wsman.status_code == 405:
+ service.name = 'wsman'
+ wsman = requests.post(('https' if service.secure else 'http') + '://' + target.address + ':' + str(service.port) + '/wsman', verify=False)
+ else:
+ if wsman.status_code == 401:
+ service.name = 'wsman'
+
 await process.wait()
 return services
diff --git a/pyproject.toml b/pyproject.toml
index 02cb1f7..269c291 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -10,9 +10,11 @@ packages = [
 ]
 [tool.poetry.dependencies]
-python = "^3.7"
+python = "^3.8"
 appdirs = "^1.4.4"
-colorama = "^0.4.4"
+colorama = "^0.4.5"
+impacket = "^0.10.0"
+requests = "^2.28.1"
 toml = "^0.10.2"
 Unidecode = "^1.3.1"
diff --git a/requirements.txt b/requirements.txt
index 6a3fb1a..52563e4 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,6 @@
 appdirs
 colorama
+impacket
+requests
 toml
 unidecode
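Review bot: `requests.get` is called in the added `for service in services:` loop, but this hunk adds no `import requests`, whereas the portscan-all-tcp-ports.py change in the same commit does add one; unless this file already imports it outside the hunk, the first `http` service found on 5985/5986 raises `NameError` from `run()`. The nested `else:` followed by `if wsman.status_code == 401:` reads more directly as `elif wsman.status_code == 401:`. run()'s body begins outside the hunk.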
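Review bot: `impacket = "^0.10.0"` is added here (and in requirements.txt) but nothing in this commit imports impacket, and the commit message only accounts for the `requests` dependency; if it is intended for a plugin that lands separately, declaring it in that change keeps the new dependency traceable to its use. The `python = "^3.8"` bump is likewise not explained by the message; one line in the description naming the feature or dependency that requires 3.8 would help downstream packagers.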