Fixing issue in ntlmrelayx winrmattack & winrm/s relay servers (#2050)

gabrielg5 · web-flow · commit 62e2a9aca61e · 2025-09-30T17:27:08.000-03:00
* Fixing issue in ntlmrelayx winrmsattack - Fixed constructor signature

* Adding ipv6 support to winrm/s relay servers

* Adding enhanced logging support to winrm/s relay servers

* Standardizing winrm relay servers log prefix

* Standardizing winrm relay servers ntlmrelayx logging enhancements

* Setting prefix to some winrm/s log messages that missed it
diff --git a/impacket/examples/ntlmrelayx/attacks/winrmattack.py b/impacket/examples/ntlmrelayx/attacks/winrmattack.py
@@ -249,8 +249,8 @@ def do_EOF(self, line):
 class WINRMAttack(ProtocolAttack):
     PLUGIN_NAMES = ["WINRMS"]
 
-    def __init__(self, config, WINRMClient, username):
-        ProtocolAttack.__init__(self, config, WINRMClient, username)
+    def __init__(self, config, WINRMClient, username, target=None, relay_client=None):
+        ProtocolAttack.__init__(self, config, WINRMClient, username, target, relay_client)
         self.tcp_shell = TcpShell()
 
     def run(self):
diff --git a/impacket/examples/ntlmrelayx/servers/winrmrelayserver.py b/impacket/examples/ntlmrelayx/servers/winrmrelayserver.py
@@ -30,15 +30,15 @@
 from impacket.nt_errors import STATUS_ACCESS_DENIED, STATUS_SUCCESS
 from impacket.examples.ntlmrelayx.utils.targetsutils import TargetsProcessor
 from impacket.examples.ntlmrelayx.servers.socksserver import activeConnections
+from impacket.examples.utils import get_address
 
 class WinRMRelayServer(Thread):
 
     class HTTPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
         def __init__(self, server_address, RequestHandlerClass, config):
             self.config = config
             self.daemon_threads = True
-            if self.config.ipv6:
-                self.address_family = socket.AF_INET6
+            self.address_family, server_address = get_address(server_address[0], server_address[1], self.config.ipv6)
             # Tracks the number of times authentication was prompted for WPAD per client
             self.wpad_counters = {}
             socketserver.TCPServer.allow_reuse_address = True
@@ -70,23 +70,23 @@ def __init__(self,request, client_address, server):
             try:
                 http.server.SimpleHTTPRequestHandler.__init__(self,request, client_address, server)
             except Exception as e:
-                LOG.debug("Exception:", exc_info=True)
-                LOG.error(str(e))
+                LOG.debug("(WinRM): Exception:", exc_info=True)
+                LOG.error("(WinRM): %s" % str(e))
 
         def handle_one_request(self):
             try:
                 http.server.SimpleHTTPRequestHandler.handle_one_request(self)
             except KeyboardInterrupt:
                 raise
             except Exception as e:
-                LOG.debug("WinRM(%s): Exception:" % self.server.server_address[1], exc_info=True)
+                LOG.debug("(WinRM): Exception:", exc_info=True)
 
         def log_message(self, format, *args):
             return
 
         def send_error(self, code, message=None):
             if message.find('RPC_OUT') >=0 or message.find('RPC_IN'):
-                LOG.info('WinRM(%s): send_error path: %s' % (self.server.server_address[1], self.path.lower()))
+                LOG.info('(WinRM): send_error path: %s' % self.path.lower())
                 return self.do_GET()
             return http.server.SimpleHTTPRequestHandler.send_error(self,code,message)
 
@@ -167,7 +167,7 @@ def strip_blob(self, proxy):
                         _, blob = typeX.split('Negotiate')
                     token = base64.b64decode(blob.strip())
                 except Exception:
-                    LOG.debug("Exception:", exc_info=True)
+                    LOG.debug("(WinRM): Exception:", exc_info=True)
                     self.do_AUTHHEAD(message = b'NTLM', proxy=proxy)
                 else:
                     messageType = struct.unpack('<L',token[len('NTLMSSP\x00'):len('NTLMSSP\x00')+4])[0]
@@ -259,7 +259,7 @@ def do_GETPOST(self):
                 content_length = int(self.headers.get('Content-Length', 0))
                 self.rfile.read(content_length)
             else:
-                LOG.info('WinRM(%s): Client requested path: %s' % (self.server.server_address[1], self.path.lower()))
+                LOG.info('(WinRM): Client requested path: %s' % self.path.lower())
                 self.send_not_found()
                 return
 
@@ -306,7 +306,7 @@ def do_ntlm_negotiate(self, token, proxy):
                 if self.challengeMessage is False:
                     return False
             else:
-                LOG.error('Protocol Client for %s not found!' % self.target.scheme.upper())
+                LOG.error('(WinRM): Protocol Client for %s not found!' % self.target.scheme.upper())
                 return False
 
             # Calculate auth
@@ -365,7 +365,7 @@ def do_local_auth(self, messageType, token, proxy):
             elif messageType == 3:
                 authenticateMessage = ntlm.NTLMAuthChallengeResponse()
                 authenticateMessage.fromString(token)
-                LOG.info(authenticateMessage)
+                LOG.info("(WinRM): %s" % authenticateMessage)
                 if authenticateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE:
                     self.authUser = ('%s/%s' % (authenticateMessage['domain_name'].decode('utf-16le'),
                                                 authenticateMessage['user_name'].decode('utf-16le'))).upper()
@@ -375,13 +375,11 @@ def do_local_auth(self, messageType, token, proxy):
 
                 self.target = self.server.config.target.getTarget(identity = self.authUser)
                 if self.target is None:
-                    LOG.info("WinRM(%s): Connection from %s@%s controlled, but there are no more targets left!" %
-                        (self.server.server_address[1], self.authUser, self.client_address[0]))
+                    LOG.info("(WinRM): Connection from %s@%s controlled, but there are no more targets left!" % (self.authUser, self.client_address[0]))
                     self.send_not_found()
                     return
 
-                LOG.info("WinRM(%s): Connection from %s@%s controlled, attacking target %s://%s" % (self.server.server_address[1],
-                    self.authUser, self.client_address[0], self.target.scheme, self.target.netloc))
+                LOG.info("(WinRM): Connection from %s@%s controlled, attacking target %s://%s" % (self.authUser, self.client_address[0], self.target.scheme, self.target.netloc))
 
                 self.relayToHost = True
                 self.do_REDIRECT()
@@ -391,35 +389,29 @@ def do_relay(self, messageType, token, proxy, content = None):
                 if self.server.config.disableMulti:
                     self.target = self.server.config.target.getTarget(multiRelay=False)
                     if self.target is None:
-                        LOG.info("WinRM(%s): Connection from %s controlled, but there are no more targets left!" % (
-                            self.server.server_address[1], self.client_address[0]))
+                        LOG.info("(WinRM): Connection from %s controlled, but there are no more targets left!" % self.client_address[0])
                         self.send_not_found()
                         return
 
-                    LOG.info("WinRM(%s): Connection from %s controlled, attacking target %s://%s" % (
-                        self.server.server_address[1], self.client_address[0], self.target.scheme, self.target.netloc))
+                    LOG.info("(WinRM): Connection from %s controlled, attacking target %s://%s" % (self.client_address[0], self.target.scheme, self.target.netloc))
 
                 if not self.do_ntlm_negotiate(token, proxy=proxy):
                     # Connection failed
                     if self.server.config.disableMulti:
-                        LOG.error('WinRM(%s): Negotiating NTLM with %s://%s failed' % (self.server.server_address[1],
-                                  self.target.scheme, self.target.netloc))
+                        LOG.error('(WinRM): Negotiating NTLM with %s://%s failed' % (self.target.scheme, self.target.netloc))
                         self.send_not_found()
                         return
                     else:
-                        LOG.error('WinRM(%s): Negotiating NTLM with %s://%s failed. Skipping to next target' % (
-                            self.server.server_address[1], self.target.scheme, self.target.netloc))
+                        LOG.error('(WinRM): Negotiating NTLM with %s://%s failed. Skipping to next target' % (self.target.scheme, self.target.netloc))
 
                         self.target = self.server.config.target.getTarget(identity=self.authUser)
 
                         if self.target is None:
-                            LOG.info( "WinRM(%s): Connection from %s@%s controlled, but there are no more targets left!" %
-                                (self.server.server_address[1], self.authUser, self.client_address[0]))
+                            LOG.info("(WinRM): Connection from %s@%s controlled, but there are no more targets left!" % (self.authUser, self.client_address[0]))
                             self.send_not_found()
                             return
 
-                        LOG.info("WinRM(%s): Connection from %s@%s controlled, attacking target %s://%s" % (self.server.server_address[1],
-                            self.authUser, self.client_address[0], self.target.scheme, self.target.netloc))
+                        LOG.info("(WinRM): Connection from %s@%s controlled, attacking target %s://%s" % (self.authUser, self.client_address[0], self.target.scheme, self.target.netloc))
 
                         self.do_REDIRECT()
 
@@ -438,7 +430,7 @@ def do_relay(self, messageType, token, proxy, content = None):
                     target = '%s://%s@%s' % (self.target.scheme, self.authUser.replace("/", '\\'), self.target.netloc)
 
                 if not self.do_ntlm_auth(token, authenticateMessage):
-                    LOG.error("Authenticating against %s://%s as %s FAILED" % (self.target.scheme, self.target.netloc,
+                    LOG.error("(WinRM): Authenticating against %s://%s as %s FAILED" % (self.target.scheme, self.target.netloc,
                                                                                self.authUser))
                     if self.server.config.disableMulti:
                         self.send_not_found()
@@ -449,22 +441,20 @@ def do_relay(self, messageType, token, proxy, content = None):
                         # No anonymous login, go to next host and avoid triggering a popup
                         self.target = self.server.config.target.getTarget(identity=self.authUser)
                         if self.target is None:
-                            LOG.info("WinRM(%s): Connection from %s@%s controlled, but there are no more targets left!" %
-                                (self.server.server_address[1], self.authUser, self.client_address[0]))
+                            LOG.info("(WinRM): Connection from %s@%s controlled, but there are no more targets left!" % (self.authUser, self.client_address[0]))
                             self.send_not_found()
                             return
 
-                        LOG.info("WinRM(%s): Connection from %s@%s controlled, attacking target %s://%s" % (self.server.server_address[1],
-                            self.authUser, self.client_address[0], self.target.scheme, self.target.netloc))
+                        LOG.info("(WinRM): Connection from %s@%s controlled, attacking target %s://%s" % (self.authUser, self.client_address[0], self.target.scheme, self.target.netloc))
 
                         self.do_REDIRECT()
                     else:
                         # If it was an anonymous login, send 401
                         self.do_AUTHHEAD(b'Negotiate', proxy=proxy)
                 else:
                     # Relay worked, do whatever we want here...
-                    LOG.info("WinRM(%s): Authenticating against %s://%s as %s SUCCEED" % (self.server.server_address[1],
-                        self.target.scheme, self.target.netloc, self.authUser))
+                    self.client.setClientId()
+                    LOG.info("(WinRM): Authenticating connection from %s@%s against %s://%s SUCCEED [%s]" % (self.authUser, self.client_address[0], self.target.scheme, self.target.netloc, self.client.client_id))
 
                     ntlm_hash_data = outputToJohnFormat(self.challengeMessage['challenge'],
                                                         authenticateMessage['user_name'],
@@ -477,7 +467,7 @@ def do_relay(self, messageType, token, proxy, content = None):
                                               self.server.config.outputFile)
 
                     if self.server.config.dumpHashes is True:
-                        LOG.info(ntlm_hash_data['hash_string'])
+                        LOG.info("(WinRM): %s" % ntlm_hash_data['hash_string'])
 
                     self.do_attack()
 
@@ -493,8 +483,7 @@ def do_relay(self, messageType, token, proxy, content = None):
                         self.target = self.server.config.target.getTarget(identity=self.authUser)
 
                         if self.target is None:
-                            LOG.info("WinRM(%s): Connection from %s@%s controlled, but there are no more targets left!" % (
-                                self.server.server_address[1], self.authUser, self.client_address[0]))
+                            LOG.info("(WinRM): Connection from %s@%s controlled, but there are no more targets left!" % (self.authUser, self.client_address[0]))
 
                             # Return Multi-Status status code to WebDAV servers
                             if self.command == "PROPFIND":
@@ -511,8 +500,7 @@ def do_relay(self, messageType, token, proxy, content = None):
                             return
 
                         # We have the next target, let's keep relaying...
-                        LOG.info("WinRM(%s): Connection from %s@%s controlled, attacking target %s://%s" % (self.server.server_address[1],
-                            self.authUser, self.client_address[0], self.target.scheme, self.target.netloc))
+                        LOG.info("(WinRM): Connection from %s@%s controlled, attacking target %s://%s" % (self.authUser, self.client_address[0], self.target.scheme, self.target.netloc))
                         self.do_REDIRECT()
 
         def do_attack(self):
@@ -527,10 +515,10 @@ def do_attack(self):
             if self.target.scheme.upper() in self.server.config.attacks:
                 # We have an attack.. go for it
                 clientThread = self.server.config.attacks[self.target.scheme.upper()](self.server.config, self.client.session,
-                                                                               self.authUser)
+                                                                               self.authUser, self.target, self.client)
                 clientThread.start()
             else:
-                LOG.error('WinRM(%s): No attack configured for %s' % (self.server.server_address[1], self.target.scheme.upper()))
+                LOG.error('(WinRM): No attack configured for %s' % self.target.scheme.upper())
 
     def __init__(self, config):
         Thread.__init__(self)
diff --git a/impacket/examples/ntlmrelayx/servers/winrmsrelayserver.py b/impacket/examples/ntlmrelayx/servers/winrmsrelayserver.py
