WinRM AWS connectivity issue

Question

WinRM AWS connectivity issue

neokjames opened this issue a year ago · 12 comments

After working around a few of the other issues I've encountered during build, there appears to be another issue whereby the WinRM never successfully connects.

Using Ubuntu via WSL, latest codebase, trying to deploy to AWS

Seems to just continuously try to connect via WinRM but is never successful.

I've confirmed TCP 5985 is permitted on the Security Group as well.

module.windows-server.aws_instance.windows_server[0]: Still creating... [4m30s elapsed]
module.windows-server.aws_instance.windows_server[0] (remote-exec): Connecting to remote host via WinRM...
module.windows-server.aws_instance.windows_server[0] (remote-exec):   Host: 13.210.66.6
module.windows-server.aws_instance.windows_server[0] (remote-exec):   Port: 5985
module.windows-server.aws_instance.windows_server[0] (remote-exec):   User: Administrator
module.windows-server.aws_instance.windows_server[0] (remote-exec):   Password: true
module.windows-server.aws_instance.windows_server[0] (remote-exec):   HTTPS: false
module.windows-server.aws_instance.windows_server[0] (remote-exec):   Insecure: true
module.windows-server.aws_instance.windows_server[0] (remote-exec):   NTLM: false
module.windows-server.aws_instance.windows_server[0] (remote-exec):   CACert: false

if I interrupt the process, I get the following output:

╷
│ Error: remote-exec provisioner error
│
│   with module.windows-server.aws_instance.windows_server[0],
│   on modules/windows/resources.tf line 64, in resource "aws_instance" "windows_server":
│   64:   provisioner "remote-exec" {
│
│ interrupted - last error: http response error: 401 - invalid content type

Answer 1 · 2023-06-26T09:19:12.000Z

I was not able to reproduce this behavior. Can you share your attack_range.yml file?

Answer 2 · 2023-06-26T09:30:47.000Z

Sure, nothing special, just AWS with 2 Windows servers.

general:
  cloud_provider: aws
  attack_range_password: infected
  use_prebuilt_images_with_packer: '1'
  key_name: root-70344
  ip_whitelist: 0.0.0.0/0
  attack_range_name: ar
aws:
  private_key_path: /attack_range/root-70344.key
  region: ap-southeast-2
windows_servers:
- hostname: ar-win-dc
  windows_image: windows-2016-v3-0-0
  create_domain: '1'
- hostname: ar-win-2
  windows_image: windows-2016-v3-0-0
  join_domain: '1'
  install_red_team_tools: '1'

Answer 3 · 2023-06-27T08:31:12.000Z

I can't reproduce your issue. We don't experience the same connectivity issues to AWS but we are mainly working from EU and AMER AWS regions.

Answer 4 · 2023-06-27T08:48:37.000Z

Still occurring for me. I've tried it from both a Docker container on MacOS, and now from a Ubuntu WSL instance on my Windows PC.

@P4T12ICK have you tried it from a fresh Packer build of a Server 2016 instance? i.e. deleting your current AMI, letting it build a new one, and see how that goes for you?

I might try executing it from a VPS somewhere in a minute, just to eliminate if it's a localised networking issue.

Answer 5 · 2023-06-27T09:04:06.000Z

Hmm. This doesn't really make much sense.

I can successfully build the Server 2016 instance with Packer, which also uses WinRM throughout, so that suggests to me that there's nothing wrong with my connectivity to AWS.

but once it creates an instance from that AMI, it won't connect via WinRM.

Wondering if there's something wrong with the Packer image.

Testing it now tethered to my phone, same issue.

Answer 6 · 2023-06-27T09:05:01.000Z

neokjames commented a year ago

Answer 7 · 2023-06-27T10:48:53.000Z

I let it run until it completed this time around. This time I tried with Server 2019 just to see if it behaved differently. Provides the same error as Server 2016.

Looking at the error, it appears the error "401 - invalid content type" can appear for a multitude of reasons, commonly related to WinRM hardening and/or authentication failures.

I was trying to diagnose it by remoting into the Windows Server via RDP but am unable to identify the password.

Answer 8 · 2023-06-27T11:05:23.000Z

OK @P4T12ICK I think I found a path forward.

The key pair used in Attack Range AWS was recently changed to ED25519 (previously RSA), this key type is not compatible with Windows systems, and may be the cause.

AWS won't let you provision a Windows system using a ED25519 key. Only RSA.

Answer 9 · 2023-06-27T11:41:11.000Z

As a test, I reverted the recent change in modules/configuration.py to change back to 'rsa'.

I am now able to retrieve the Windows password for the created Windows instance by providing the private key in EC2.
I can login to the Windows instance via Remote Desktop using the decrypted password and the 'Administrator' user.
I can see a steady stream of authentication failures every 20 seconds or so coming in to the Windows box, highly suspect this to be from the build process.

@P4T12ICK I don't know enough about the build process to understand how it determines the password to connect to WinRM, but looking at line 73 in /terraform/aws/modules/windows/resources.tf

I suspect the password it's retrieving is incorrect, as I was able to login with the decrypted password from the EC2 interface, which was randomly generated.

Answer 10 · 2023-06-28T10:51:14.000Z

The problem that the password is incorrect is that Ansible was not able to connect to the instance and set it to your given password. Therefore, you have still the random generated password.
I think the root cause in your case is not the algorithm used to generate the SSH Key.
Did you use the password "infected"? When yes, that could be a problem as it doesn't meet the default requirements of a password for Windows. Can you try again with a password like ""Pl3ase-k1Ll-me:p123"?

Answer 11 · 2023-06-28T22:21:53.000Z

I can confirm it does appear to resolve the issues I’m experiencing.

Is it worth adding some comments into the documentation to ensure users use stronger passwords.

Answer 12 · 2023-06-29T07:49:47.000Z

I agree. Thank you