Last active
March 28, 2024 14:01
-
-
Save jborean93/d6ff5e87f8a9f5cb215cd49826523045 to your computer and use it in GitHub Desktop.
A script that can be used to decrypt WinRM exchanges using NTLM over http
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # PYTHON_ARGCOMPLETE_OK | |
| # Copyright: (c) 2020 Jordan Borean (@jborean93) <jborean93@gmail.com> | |
| # MIT License (see LICENSE or https://opensource.org/licenses/MIT) | |
| """ | |
| Script that can read a Wireshark capture .pcapng for a WinRM exchange and decrypt the messages. Currently only supports | |
| exchanges that were authenticated with NTLM. This is really a POC, a lot of things are missing like NTLMv1 support, | |
| shorter signing keys, better error handling, etc. | |
| """ | |
| from __future__ import absolute_import, division, print_function | |
| __metaclass__ = type | |
| import argparse | |
| import base64 | |
| import hashlib | |
| import hmac | |
| import os | |
| import re | |
| import struct | |
| import xml.dom.minidom | |
| import pyshark | |
| from cryptography.hazmat.backends import default_backend | |
| from cryptography.hazmat.primitives.ciphers import Cipher, algorithms | |
| try: | |
| import argcomplete | |
| except ImportError: | |
| argcomplete = None | |
| BOUNDARY_PATTERN = re.compile("boundary=[" '|\\"](.*)[' '|\\"]') | |
| class SecurityContext: | |
| def __init__(self, port, nt_hash): | |
| self.port = port | |
| self.tokens = [] | |
| self.nt_hash = nt_hash | |
| self.complete = False | |
| self.key_exch = False | |
| self.session_key = None | |
| self.sign_key_initiate = None | |
| self.sign_key_accept = None | |
| self.seal_handle_initiate = None | |
| self.seal_handle_accept = None | |
| self.__initiate_seq_no = 0 | |
| self.__accept_seq_no = 0 | |
| @property | |
| def _initiate_seq_no(self): | |
| val = self.__initiate_seq_no | |
| self.__initiate_seq_no += 1 | |
| return val | |
| @property | |
| def _accept_seq_no(self): | |
| val = self.__accept_seq_no | |
| self.__accept_seq_no += 1 | |
| return val | |
| def add_token(self, token): | |
| self.tokens.append(token) | |
| if token.startswith(b"NTLMSSP\x00\x03"): | |
| # Extract the info required to build the session key | |
| nt_challenge = self._get_auth_field(20, token) | |
| b_domain = self._get_auth_field(28, token) or b"" | |
| b_username = self._get_auth_field(36, token) or b"" | |
| encrypted_random_session_key = self._get_auth_field(52, token) | |
| flags = struct.unpack("<I", token[60:64])[0] | |
| encoding = "utf-16-le" if flags & 0x00000001 else "windows-1252" | |
| domain = b_domain.decode(encoding) | |
| username = b_username.decode(encoding) | |
| # Derive the session key | |
| nt_proof_str = nt_challenge[:16] | |
| response_key_nt = hmac_md5(self.nt_hash, (username.upper() + domain).encode("utf-16-le")) | |
| key_exchange_key = hmac_md5(response_key_nt, nt_proof_str) | |
| self.key_exch = bool(flags & 0x40000000) | |
| if self.key_exch and (flags & (0x00000020 | 0x00000010)): | |
| self.session_key = rc4k(key_exchange_key, encrypted_random_session_key) | |
| else: | |
| self.session_key = key_exchange_key | |
| # Derive the signing and sealing keys | |
| self.sign_key_initiate = signkey(self.session_key, "initiate") | |
| self.sign_key_accept = signkey(self.session_key, "accept") | |
| self.seal_handle_initiate = rc4init(sealkey(self.session_key, "initiate")) | |
| self.seal_handle_accept = rc4init(sealkey(self.session_key, "accept")) | |
| self.complete = True | |
| def unwrap_initiate(self, data): | |
| return self._unwrap(self.seal_handle_initiate, self.sign_key_initiate, self._initiate_seq_no, data) | |
| def unwrap_accept(self, data): | |
| return self._unwrap(self.seal_handle_accept, self.sign_key_accept, self._accept_seq_no, data) | |
| def _unwrap(self, handle, sign_key, seq_no, data): | |
| header = data[4:20] | |
| enc_data = data[20:] | |
| dec_data = handle.update(enc_data) | |
| b_seq_num = struct.pack("<I", seq_no) | |
| checksum = hmac_md5(sign_key, b_seq_num + dec_data)[:8] | |
| if self.key_exch: | |
| checksum = handle.update(checksum) | |
| actual_header = b"\x01\x00\x00\x00" + checksum + b_seq_num | |
| if header != actual_header: | |
| raise Exception("Signature verification failed") | |
| return dec_data | |
| def _get_auth_field(self, offset, token): | |
| field_len = struct.unpack("<H", token[offset : offset + 2])[0] | |
| if field_len: | |
| field_offset = struct.unpack("<I", token[offset + 4 : offset + 8])[0] | |
| return token[field_offset : field_offset + field_len] | |
| def hmac_md5(key, data): | |
| return hmac.new(key, data, digestmod=hashlib.md5).digest() | |
| def md4(m): | |
| return hashlib.new("md4", m).digest() | |
| def md5(m): | |
| return hashlib.md5(m).digest() | |
| def ntowfv1(password): | |
| return md4(password.encode("utf-16-le")) | |
| def rc4init(k): | |
| arc4 = algorithms.ARC4(k) | |
| return Cipher(arc4, mode=None, backend=default_backend()).encryptor() | |
| def rc4k(k, d): | |
| return rc4init(k).update(d) | |
| def sealkey(session_key, usage): | |
| direction = b"client-to-server" if usage == "initiate" else b"server-to-client" | |
| return md5(session_key + b"session key to %s sealing key magic constant\x00" % direction) | |
| def signkey(session_key, usage): | |
| direction = b"client-to-server" if usage == "initiate" else b"server-to-client" | |
| return md5(session_key + b"session key to %s signing key magic constant\x00" % direction) | |
| def unpack_message(content_type, data): | |
| boundary_match = BOUNDARY_PATTERN.search(content_type) | |
| if not boundary_match: | |
| raise ValueError("Unknown encoded payload format") | |
| boundary = boundary_match.group(1) | |
| # Talking to Exchange endpoints gives a non-compliant boundary that has a space between the --boundary. | |
| # not ideal but we just need to handle it. | |
| parts = re.compile((r"--\s*%s\r\n" % re.escape(boundary)).encode()).split(data) | |
| parts = list(filter(None, parts)) | |
| content_type = "" | |
| messages = [] | |
| for i in range(0, len(parts), 2): | |
| header = parts[i].strip() | |
| payload = parts[i + 1] | |
| length = int(header.split(b"Length=")[1]) | |
| # remove the end MIME block if it exists | |
| payload = re.sub((r"--\s*%s--\r\n$" % boundary).encode(), b"", payload) | |
| wrapped_data = re.sub(r"\t?Content-Type: application/octet-stream\r?\n".encode(), b"", payload) | |
| messages.append((length, wrapped_data)) | |
| return messages | |
| def pretty_xml(xml_str): | |
| dom = xml.dom.minidom.parseString(xml_str) | |
| return dom.toprettyxml() | |
| def main(): | |
| """Main program entry point.""" | |
| args = parse_args() | |
| if args.password: | |
| nt_hash = ntowfv1(args.password) | |
| else: | |
| nt_hash = base64.b16decode(args.hash.upper()) | |
| if args.is_interface: | |
| captures = pyshark.LiveCapture( | |
| interface="virbr2", | |
| display_filter="http and tcp.port == %d" % args.port, | |
| ) | |
| else: | |
| captures = pyshark.FileCapture( | |
| os.path.expanduser(os.path.expandvars(args.path)), | |
| display_filter="http and tcp.port == %d" % args.port, | |
| ) | |
| contexts = [] | |
| for cap in captures: | |
| try: | |
| source_port = int(cap.tcp.srcport) | |
| unique_port = source_port if source_port != args.port else int(cap.tcp.dstport) | |
| auth_token = None | |
| if hasattr(cap.http, "authorization"): | |
| b64_token = cap.http.authorization.split(" ")[1] | |
| auth_token = base64.b64decode(b64_token) | |
| elif hasattr(cap.http, "www_authenticate"): | |
| auth_info = cap.http.www_authenticate.split(" ") | |
| if len(auth_info) > 1: | |
| b64_token = auth_info[1] | |
| auth_token = base64.b64decode(b64_token) | |
| context = None | |
| if auth_token: | |
| if not auth_token.startswith(b"NTLMSSP\x00"): | |
| continue | |
| if auth_token.startswith(b"NTLMSSP\x00\x01"): | |
| context = SecurityContext(unique_port, nt_hash) | |
| contexts.append(context) | |
| else: | |
| context = [c for c in contexts if c.port == unique_port][-1] | |
| if not context: | |
| raise ValueError("Missing exisitng NTLM security context") | |
| context.add_token(auth_token) | |
| if hasattr(cap.http, "file_data"): | |
| if not context: | |
| context = next(c for c in contexts if c.port == unique_port) | |
| if not context.complete: | |
| raise ValueError("Cannot decode message without completed context") | |
| file_data = cap.http.file_data.binary_value | |
| messages = unpack_message(cap.http.content_type, file_data) | |
| unwrap_func = context.unwrap_accept if source_port == args.port else context.unwrap_initiate | |
| dec_msgs = [] | |
| for length, enc_data in messages: | |
| msg = unwrap_func(enc_data) | |
| if len(msg) != length: | |
| raise ValueError("Message decryption failed") | |
| dec_msgs.append(pretty_xml(msg.decode("utf-8"))) | |
| dec_msgs = "\n".join(dec_msgs) | |
| print( | |
| "No: %s | Time: %s | Source: %s | Destination: %s\n%s\n" | |
| % (cap.number, cap.sniff_time.isoformat(), cap.ip.src_host, cap.ip.dst_host, dec_msgs) | |
| ) | |
| except Exception as e: | |
| raise Exception("Failed to process frame: %s" % cap.number) from e | |
| def parse_args(): | |
| """Parse and return args.""" | |
| parser = argparse.ArgumentParser( | |
| description="Parse network captures from WireShark and decrypts the WinRM " "messages that were exchanged." | |
| ) | |
| parser.add_argument("path", type=str, help="The path to the .pcapng file to decrypt.") | |
| parser.add_argument( | |
| "--is-interface", | |
| dest="is_interface", | |
| action="store_true", | |
| help="The path specified is an interface name to do a live capture on.", | |
| ) | |
| parser.add_argument( | |
| "--port", | |
| dest="port", | |
| default=5985, | |
| type=int, | |
| help="The port to scan for the WinRM HTTP packets (default: 5985).", | |
| ) | |
| secret = parser.add_mutually_exclusive_group() | |
| secret.add_argument( | |
| "-p", "--password", dest="password", help="The password for the account that was used in the authentication." | |
| ) | |
| secret.add_argument( | |
| "-n", "--hash", dest="hash", help="The NT hash for the account that was used in the authentication." | |
| ) | |
| if argcomplete: | |
| argcomplete.autocomplete(parser) | |
| return parser.parse_args() | |
| if __name__ == "__main__": | |
| main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Produced by './winrm_decrypt.py winrm.pcapng --password VagrantPass1' | |
| # The Wireshark exchange was just running the below in powershell.exe | |
| # | |
| # $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList 'vagrant-domain@DOMAIN.LOCAL', (ConvertTo-SecureString -AsPlainText -Force -String 'VagrantPass1') | |
| # Invoke-Command -ComputerName 192.168.56.10 -ScriptBlock { hostname.exe } -Credential $cred -Authentication Negotiate | |
| No: 433 | Time: 2020-06-17T09:55:58.987664 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To> | |
| <w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <a:ReplyTo> | |
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | |
| </a:ReplyTo> | |
| <a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action> | |
| <w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize> | |
| <a:MessageID>uuid:2595F3CD-7FCF-4AAF-821F-4F53761FEC3B</a:MessageID> | |
| <w:Locale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId> | |
| <p:OperationID s:mustUnderstand="false">uuid:B1D933FF-BF5B-4F11-8254-56352AEE6753</p:OperationID> | |
| <p:SequenceId s:mustUnderstand="false">1</p:SequenceId> | |
| <w:OptionSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" s:mustUnderstand="true"> | |
| <w:Option Name="protocolversion" MustComply="true">2.3</w:Option> | |
| </w:OptionSet> | |
| <w:OperationTimeout>PT180.000S</w:OperationTimeout> | |
| <rsp:CompressionType xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" s:mustUnderstand="true">xpress</rsp:CompressionType> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" Name="WinRM2" ShellId="558FB10D-56CD-4377-B555-F1A28E2A645B"> | |
| <rsp:InputStreams>stdin pr</rsp:InputStreams> | |
| <rsp:OutputStreams>stdout</rsp:OutputStreams> | |
| <creationXml xmlns="http://schemas.microsoft.com/powershell">AAAAAAAAAAUAAAAAAAAAAAMAAALwAgAAAAIAAQANsY9VzVZ3Q7VV8aKOKmRbAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48VmVyc2lvbiBOPSJwcm90b2NvbHZlcnNpb24iPjIuMzwvVmVyc2lvbj48VmVyc2lvbiBOPSJQU1ZlcnNpb24iPjIuMDwvVmVyc2lvbj48VmVyc2lvbiBOPSJTZXJpYWxpemF0aW9uVmVyc2lvbiI+MS4xLjAuMTwvVmVyc2lvbj48QkEgTj0iVGltZVpvbmUiPkFBRUFBQUQvLy8vL0FRQUFBQUFBQUFBRUFRQUFBQnhUZVhOMFpXMHVRM1Z5Y21WdWRGTjVjM1JsYlZScGJXVmFiMjVsQkFBQUFCZHRYME5oWTJobFpFUmhlV3hwWjJoMFEyaGhibWRsY3cxdFgzUnBZMnR6VDJabWMyVjBEbTFmYzNSaGJtUmhjbVJPWVcxbERtMWZaR0Y1YkdsbmFIUk9ZVzFsQXdBQkFSeFRlWE4wWlcwdVEyOXNiR1ZqZEdsdmJuTXVTR0Z6YUhSaFlteGxDUWtDQUFBQUFBQUFBQUFBQUFBS0NnUUNBQUFBSEZONWMzUmxiUzVEYjJ4c1pXTjBhVzl1Y3k1SVlYTm9kR0ZpYkdVSEFBQUFDa3h2WVdSR1lXTjBiM0lIVm1WeWMybHZiZ2hEYjIxd1lYSmxjaEJJWVhOb1EyOWtaVkJ5YjNacFpHVnlDRWhoYzJoVGFYcGxCRXRsZVhNR1ZtRnNkV1Z6QUFBREF3QUZCUXNJSEZONWMzUmxiUzVEYjJ4c1pXTjBhVzl1Y3k1SlEyOXRjR0Z5WlhJa1UzbHpkR1Z0TGtOdmJHeGxZM1JwYjI1ekxrbElZWE5vUTI5a1pWQnliM1pwWkdWeUNPeFJPRDhBQUFBQUNnb0RBQUFBQ1FNQUFBQUpCQUFBQUJBREFBQUFBQUFBQUJBRUFBQUFBQUFBQUFzPTwvQkE+PC9NUz48L09iaj4AAAAAAAAABgAAAAAAAAAAAwAADpICAAAABAABAA2xj1XNVndDtVXxoo4qZFsAAAAAAAAAAAAAAAAAAAAA77u/PE9iaiBSZWZJZD0iMCI+PE1TPjxJMzIgTj0iTWluUnVuc3BhY2VzIj4xPC9JMzI+PEkzMiBOPSJNYXhSdW5zcGFjZXMiPjE8L0kzMj48T2JqIE49IlBTVGhyZWFkT3B0aW9ucyIgUmVmSWQ9IjEiPjxUTiBSZWZJZD0iMCI+PFQ+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXMuUFNUaHJlYWRPcHRpb25zPC9UPjxUPlN5c3RlbS5FbnVtPC9UPjxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxUb1N0cmluZz5EZWZhdWx0PC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49IkFwYXJ0bWVudFN0YXRlIiBSZWZJZD0iMiI+PFROIFJlZklkPSIxIj48VD5TeXN0ZW0uVGhyZWFkaW5nLkFwYXJ0bWVudFN0YXRlPC9UPjxUPlN5c3RlbS5FbnVtPC9UPjxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxUb1N0cmluZz5Vbmtub3duPC9Ub1N0cmluZz48STMyPjI8L0kzMj48L09iaj48T2JqIE49IkFwcGxpY2F0aW9uQXJndW1lbnRzIiBSZWZJZD0iMyI+PFROIFJlZklkPSIyIj48VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTUHJpbWl0aXZlRGljdGlvbmFyeTwvVD48VD5TeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlPC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48RENUPjxFbj48UyBOPSJLZXkiPlBTVmVyc2lvblRhYmxlPC9TPjxPYmogTj0iVmFsdWUiIFJlZklkPSI0Ij48VE5SZWYgUmVmSWQ9IjIiIC8+PERDVD48RW4+PFMgTj0iS2V5Ij5QU1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjUuMS4xNzc2My4xMDA3PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+UFNFZGl0aW9uPC9TPjxTIE49IlZhbHVlIj5EZXNrdG9wPC9TPjwvRW4+PEVuPjxTIE49IktleSI+UFNDb21wYXRpYmxlVmVyc2lvbnM8L1M+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjUiPjxUTiBSZWZJZD0iMyI+PFQ+U3lzdGVtLlZlcnNpb25bXTwvVD48VD5TeXN0ZW0uQXJyYXk8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxMU1Q+PFZlcnNpb24+MS4wPC9WZXJzaW9uPjxWZXJzaW9uPjIuMDwvVmVyc2lvbj48VmVyc2lvbj4zLjA8L1ZlcnNpb24+PFZlcnNpb24+NC4wPC9WZXJzaW9uPjxWZXJzaW9uPjUuMDwvVmVyc2lvbj48VmVyc2lvbj41LjEuMTc3NjMuMTAwNzwvVmVyc2lvbj48L0xTVD48L09iaj48L0VuPjxFbj48UyBOPSJLZXkiPkNMUlZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjQuMC4zMDMxOS40MjAwMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPkJ1aWxkVmVyc2lvbjwvUz48VmVyc2lvbiBOPSJWYWx1ZSI+MTAuMC4xNzc2My4xMDA3PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+V1NNYW5TdGFja1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjMuMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlBTUmVtb3RpbmdQcm90b2NvbFZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjIuMzwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlNlcmlhbGl6YXRpb25WZXJzaW9uPC9TPjxWZXJzaW9uIE49IlZhbHVlIj4xLjEuMC4xPC9WZXJzaW9uPjwvRW4+PC9EQ1Q+PC9PYmo+PC9Fbj48L0RDVD48L09iaj48T2JqIE49Ikhvc3RJbmZvIiBSZWZJZD0iNiI+PE1TPjxPYmogTj0iX2hvc3REZWZhdWx0RGF0YSIgUmVmSWQ9IjciPjxNUz48T2JqIE49ImRhdGEiIFJlZklkPSI4Ij48VE4gUmVmSWQ9IjQiPjxUPlN5c3RlbS5Db2xsZWN0aW9ucy5IYXNodGFibGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxEQ1Q+PEVuPjxJMzIgTj0iS2V5Ij45PC9JMzI+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjkiPjxNUz48UyBOPSJUIj5TeXN0ZW0uU3RyaW5nPC9TPjxTIE49IlYiPkFkbWluaXN0cmF0b3I6IFdpbmRvd3MgUG93ZXJTaGVsbDwvUz48L01TPjwvT2JqPjwvRW4+PEVuPjxJMzIgTj0iS2V5Ij44PC9JMzI+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjEwIj48TVM+PFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+PE9iaiBOPSJWIiBSZWZJZD0iMTEiPjxNUz48STMyIE49IndpZHRoIj4yMzk8L0kzMj48STMyIE49ImhlaWdodCI+OTE8L0kzMj48L01TPjwvT2JqPjwvTVM+PC9PYmo+PC9Fbj48RW4+PEkzMiBOPSJLZXkiPjc8L0kzMj48T2JqIE49IlZhbHVlIiBSZWZJZD0iMTIiPjxNUz48UyBOPSJUIj5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkhvc3QuU2l6ZTwvUz48T2JqIE49IlYiIFJlZklkPSIxMyI+PE1TPjxJMzIgTj0id2lkdGgiPjEyMDwvSTMyPjxJMzIgTj0iaGVpZ2h0Ij45MTwvSTMyPjwvTVM+PC9PYmo+PC9NUz48L09iaj48L0VuPjxFbj48STMyIE49IktleSI+NjwvSTMyPjxPYmogTj0iVmFsdWUiIFJlZklkPSIxNCI+PE1TPjxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5TaXplPC9TPjxPYmogTj0iViIgUmVmSWQ9IjE1Ij48TVM+PEkzMiBOPSJ3aWR0aCI+MTIwPC9JMzI+PEkzMiBOPSJoZWlnaHQiPjUwPC9JMzI+PC9NUz48L09iaj48L01TPjwvT2JqPjwvRW4+PEVuPjxJMzIgTj0iS2V5Ij41PC9JMzI+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjE2Ij48TVM+PFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+PE9iaiBOPSJWIiBSZWZJZD0iMTciPjxNUz48STMyIE49IndpZHRoIj4xMjA8L0kzMj48STMyIE49ImhlaWdodCI+NjAwMDwvSTMyPjwvTVM+PC9PYmo+PC9NUz48L09iaj48L0VuPjxFbj48STMyIE49IktleSI+NDwvSTMyPjxPYmogTj0iVmFsdWUiIFJlZklkPSIxOCI+PE1TPjxTIE49IlQiPlN5c3RlbS5JbnQzMjwvUz48STMyIE49IlYiPjI1PC9JMzI+PC9NUz48L09iaj48L0VuPjxFbj48STMyIE49IktleSI+MzwvSTMyPjxPYmogTj0iVmFsdWUiIFJlZklkPSIxOSI+PE1TPjxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz48T2JqIE49IlYiIFJlZklkPSIyMCI+PE1TPjxJMzIgTj0ieCI+MDwvSTMyPjxJMzIgTj0ieSI+MDwvSTMyPjwvTVM+PC9PYmo+PC9NUz48L09iaj48L0VuPjxFbj48STMyIE49IktleSI+MjwvSTMyPjxPYmogTj0iVmFsdWUiIFJlZklkPSIyMSI+PE1TPjxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz48T2JqIE49IlYiIFJlZklkPSIyMiI+PE1TPjxJMzIgTj0ieCI+MDwvSTMyPjxJMzIgTj0ieSI+MTc8L0kzMj48L01TPjwvT2JqPjwvTVM+PC9PYmo+PC9Fbj48RW4+PEkzMiBOPSJLZXkiPjE8L0kzMj48T2JqIE49IlZhbHVlIiBSZWZJZD0iMjMiPjxNUz48UyBOPSJUIj5TeXN0ZW0uQ29uc29sZUNvbG9yPC9TPjxJMzIgTj0iViI+MTwvSTMyPjwvTVM+PC9PYmo+PC9Fbj48RW4+PEkzMiBOPSJLZXkiPjA8L0kzMj48T2JqIE49IlZhbHVlIiBSZWZJZD0iMjQiPjxNUz48UyBOPSJUIj5TeXN0ZW0uQ29uc29sZUNvbG9yPC9TPjxJMzIgTj0iViI+NjwvSTMyPjwvTVM+PC9PYmo+PC9Fbj48L0RDVD48L09iaj48L01TPjwvT2JqPjxCIE49Il9pc0hvc3ROdWxsIj5mYWxzZTwvQj48QiBOPSJfaXNIb3N0VUlOdWxsIj5mYWxzZTwvQj48QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj5mYWxzZTwvQj48QiBOPSJfdXNlUnVuc3BhY2VIb3N0Ij5mYWxzZTwvQj48L01TPjwvT2JqPjwvTVM+PC9PYmo+</creationXml> | |
| </rsp:Shell> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 442 | Time: 2020-06-17T09:55:59.073794 | Source: 192.168.56.10 | Destination: 192.168.56.15 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US"> | |
| <s:Header> | |
| <a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/CreateResponse</a:Action> | |
| <a:MessageID>uuid:5C9A431C-ED94-4014-BC63-2194ADDA7946</a:MessageID> | |
| <p:OperationID s:mustUnderstand="false">uuid:B1D933FF-BF5B-4F11-8254-56352AEE6753</p:OperationID> | |
| <p:SequenceId>1</p:SequenceId> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <a:RelatesTo>uuid:2595F3CD-7FCF-4AAF-821F-4F53761FEC3B</a:RelatesTo> | |
| </s:Header> | |
| <s:Body> | |
| <x:ResourceCreated> | |
| <a:Address>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:Address> | |
| <a:ReferenceParameters> | |
| <w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <w:SelectorSet> | |
| <w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector> | |
| </w:SelectorSet> | |
| </a:ReferenceParameters> | |
| </x:ResourceCreated> | |
| <rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"> | |
| <rsp:ShellId>558FB10D-56CD-4377-B555-F1A28E2A645B</rsp:ShellId> | |
| <rsp:Name>WinRM2</rsp:Name> | |
| <rsp:ResourceUri>http://schemas.microsoft.com/powershell/Microsoft.PowerShell</rsp:ResourceUri> | |
| <rsp:Owner>DOMAIN\vagrant-domain</rsp:Owner> | |
| <rsp:ClientIP>192.168.56.15</rsp:ClientIP> | |
| <rsp:ProcessId>3728</rsp:ProcessId> | |
| <rsp:IdleTimeOut>PT7200.000S</rsp:IdleTimeOut> | |
| <rsp:InputStreams>stdin pr</rsp:InputStreams> | |
| <rsp:OutputStreams>stdout</rsp:OutputStreams> | |
| <rsp:MaxIdleTimeOut>PT2147483.647S</rsp:MaxIdleTimeOut> | |
| <rsp:Locale>en-US</rsp:Locale> | |
| <rsp:DataLocale>en-US</rsp:DataLocale> | |
| <rsp:CompressionMode>XpressCompression</rsp:CompressionMode> | |
| <rsp:ProfileLoaded>Yes</rsp:ProfileLoaded> | |
| <rsp:Encoding>UTF8</rsp:Encoding> | |
| <rsp:BufferMode>Block</rsp:BufferMode> | |
| <rsp:State>Connected</rsp:State> | |
| <rsp:ShellRunTime>P0DT0H0M0S</rsp:ShellRunTime> | |
| <rsp:ShellInactivity>P0DT0H0M0S</rsp:ShellInactivity> | |
| </rsp:Shell> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 450 | Time: 2020-06-17T09:55:59.081721 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To> | |
| <w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <a:ReplyTo> | |
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | |
| </a:ReplyTo> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action> | |
| <w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize> | |
| <a:MessageID>uuid:B34C549C-309A-4955-93B7-E6FF221F5071</a:MessageID> | |
| <w:Locale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId> | |
| <p:OperationID s:mustUnderstand="false">uuid:8B44178E-4A98-4FAA-B659-AACAE48023FC</p:OperationID> | |
| <p:SequenceId s:mustUnderstand="false">1</p:SequenceId> | |
| <w:SelectorSet> | |
| <w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector> | |
| </w:SelectorSet> | |
| <w:OptionSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> | |
| <w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option> | |
| </w:OptionSet> | |
| <w:OperationTimeout>PT180.000S</w:OperationTimeout> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:Receive xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" SequenceId="0"> | |
| <rsp:DesiredStream>stdout</rsp:DesiredStream> | |
| </rsp:Receive> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 452 | Time: 2020-06-17T09:55:59.136652 | Source: 192.168.56.10 | Destination: 192.168.56.15 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US"> | |
| <s:Header> | |
| <a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action> | |
| <a:MessageID>uuid:3ABBEABD-2C34-4A73-A4A7-313383182C1A</a:MessageID> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <p:OperationID s:mustUnderstand="false">uuid:8B44178E-4A98-4FAA-B659-AACAE48023FC</p:OperationID> | |
| <p:SequenceId>1</p:SequenceId> | |
| <a:RelatesTo>uuid:B34C549C-309A-4955-93B7-E6FF221F5071</a:RelatesTo> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:ReceiveResponse> | |
| <rsp:Stream Name="stdout">3gDeAAAAAAAAAAABAAAAAAAAAAADAAAAygEAAAACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADvu788T2JqIFJlZklkPSIwIj48TVM+PFZlcnNpb24gTj0icHJvdG9jb2x2ZXJzaW9uIj4yLjM8L1ZlcnNpb24+PFZlcnNpb24gTj0iUFNWZXJzaW9uIj4yLjA8L1ZlcnNpb24+PFZlcnNpb24gTj0iU2VyaWFsaXphdGlvblZlcnNpb24iPjEuMS4wLjE8L1ZlcnNpb24+PC9NUz48L09iaj4=</rsp:Stream> | |
| <rsp:Stream Name="stdout">7AUBA5eYkACQAJAACQAAAAAAAAAIBgAAAAkAZmZnhwCJAIYGcGeHAImQeIcHV3eXAICQAFB3VnhYeGVVB2Z1mHAJAAAAAAAAAAAAmQAAAAAAAAAAAAkAAAAAAACQAJAAAJAAkAAAAAAAAJAAAAAAAAkAAAAAAAAAAAAAkJAAAAAAAAAACZkAAAAJAAAAAAAAAAAAAHgAAAAAAAAAlwB4AAAAAAB3B5AACQAAcIYHlpAJkACAh5cHiZAAkGl3mAAACQkAcHeZcJAAkABwBwgAAAAJCYAACAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADpgdzOHD0Q+B46dU7RU+fp6UD7d/yyO3N4TPkl3bujzvU61d/w5Zb4m9aftVskjBog6QuaGK3ZC/o4Q0hEo5yDjBOQxfbYccIJRYfCyrnpOutR/WRweXBTaeLBGGcooYnoFKTDNXNEdAJk7eDjDBTbzlFhsJpuSsll+BCDs4IjbgvWJ5vSDOIL5zsVXUqUdVSK1lXFVaYG1p0GU3F4QYiNITSLkH4lS2wwD6QkFyQJ2LgcR3y9d4cq0b42RfCU1Bzvd7ssHCshEyR2N2Gi8ZTLjLivoi53sHiRFnW4Siy+TIADbhPFDPeV7+LoL/Ox8y00I2wc6tFg34amWXo+QV1pA3Y371grkiLoKqJXQlRFV1WqqjzJJyzZtAU5HqZbi1lFw5QTGTLlbzWDAxdH+vWht9ty3TCKVwNt7V/G6sl19zj7Pb0Nr8O2If9rXB/8BdX3VFHX/xSrGjYYW5kKTQNo0wNsWgN8rAVSRQavvsZyUGUb/qsx5SWL/mU3/Y9gmIoKqqmKpqAwmqZGfwq4cKgSnciQwcsFfbgTBRWOBlwEOFTsUDcDB3jqDBkPf/UPqAUgk0QSAY7RzzLZkGmOI8Z9zigYBTThNgENkDC8fQPH5BVmvpwpBf4cJahJxzPLEcoH5Ebb7h9OvHlgUoNlLtgPRSzG9V/wUZFindNal3aA8wAA</rsp:Stream> | |
| </rsp:ReceiveResponse> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 455 | Time: 2020-06-17T09:55:59.143039 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To> | |
| <w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <a:ReplyTo> | |
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | |
| </a:ReplyTo> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action> | |
| <w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize> | |
| <a:MessageID>uuid:E89A80D3-CB67-4F53-97FC-917D5C644074</a:MessageID> | |
| <w:Locale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId> | |
| <p:OperationID s:mustUnderstand="false">uuid:F0FA2B3C-CD37-4B20-B053-B49C4F4C3C6E</p:OperationID> | |
| <p:SequenceId s:mustUnderstand="false">1</p:SequenceId> | |
| <w:SelectorSet> | |
| <w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector> | |
| </w:SelectorSet> | |
| <w:OptionSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> | |
| <w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option> | |
| </w:OptionSet> | |
| <w:OperationTimeout>PT180.000S</w:OperationTimeout> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:Receive xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" SequenceId="0"> | |
| <rsp:DesiredStream>stdout</rsp:DesiredStream> | |
| </rsp:Receive> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 457 | Time: 2020-06-17T09:55:59.143611 | Source: 192.168.56.10 | Destination: 192.168.56.15 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US"> | |
| <s:Header> | |
| <a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action> | |
| <a:MessageID>uuid:C99E58C5-0452-4493-B92A-94FFB091B82D</a:MessageID> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <p:OperationID s:mustUnderstand="false">uuid:F0FA2B3C-CD37-4B20-B053-B49C4F4C3C6E</p:OperationID> | |
| <p:SequenceId>1</p:SequenceId> | |
| <a:RelatesTo>uuid:E89A80D3-CB67-4F53-97FC-917D5C644074</a:RelatesTo> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:ReceiveResponse> | |
| <rsp:Stream Name="stdout">ewB7AAAAAAAAAAADAAAAAAAAAAADAAAAZwEAAAAFEAIADbGPVc1Wd0O1VfGijipkWwAAAAAAAAAAAAAAAAAAAADvu788T2JqIFJlZklkPSIwIj48TVM+PEkzMiBOPSJSdW5zcGFjZVN0YXRlIj4yPC9JMzI+PC9NUz48L09iaj4=</rsp:Stream> | |
| </rsp:ReceiveResponse> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 460 | Time: 2020-06-17T09:55:59.147755 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To> | |
| <w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <a:ReplyTo> | |
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | |
| </a:ReplyTo> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action> | |
| <w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize> | |
| <a:MessageID>uuid:1B9B2711-2E52-43F5-B4F4-D01490EEB68C</a:MessageID> | |
| <w:Locale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId> | |
| <p:OperationID s:mustUnderstand="false">uuid:7E82B86B-8428-41F3-BFBB-A02B38069E50</p:OperationID> | |
| <p:SequenceId s:mustUnderstand="false">1</p:SequenceId> | |
| <w:SelectorSet> | |
| <w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector> | |
| </w:SelectorSet> | |
| <w:OptionSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> | |
| <w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option> | |
| </w:OptionSet> | |
| <w:OperationTimeout>PT180.000S</w:OperationTimeout> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:Receive xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" SequenceId="0"> | |
| <rsp:DesiredStream>stdout</rsp:DesiredStream> | |
| </rsp:Receive> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 463 | Time: 2020-06-17T09:55:59.147931 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To> | |
| <a:ReplyTo> | |
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | |
| </a:ReplyTo> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action> | |
| <w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize> | |
| <a:MessageID>uuid:29904F44-FFDA-40F9-8C04-98B58AF10186</a:MessageID> | |
| <w:Locale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId> | |
| <p:OperationID s:mustUnderstand="false">uuid:FDD9FD03-1A31-4EF0-8F94-6565E4D3A27F</p:OperationID> | |
| <p:SequenceId s:mustUnderstand="false">1</p:SequenceId> | |
| <w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"> | |
| <w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector> | |
| </w:SelectorSet> | |
| <w:OperationTimeout>PT180.000S</w:OperationTimeout> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:CommandLine xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" CommandId="A83C975E-C552-492F-AC78-51FDCC665500"> | |
| <rsp:Command>__Set-PSDebugMode</rsp:Command> | |
| <rsp:Arguments>AAAAAAAAAAcAAAAAAAAAAAMAAAmbAgAAAAYQAgANsY9VzVZ3Q7VV8aKOKmRbXpc8qFLFL0mseFH9zGZVAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48T2JqIE49IlBvd2VyU2hlbGwiIFJlZklkPSIxIj48TVM+PE9iaiBOPSJDbWRzIiBSZWZJZD0iMiI+PFROIFJlZklkPSIwIj48VD5TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNPYmplY3QsIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24sIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1XV08L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxMU1Q+PE9iaiBSZWZJZD0iMyI+PE1TPjxTIE49IkNtZCI+X19TZXQtUFNEZWJ1Z01vZGU8L1M+PEIgTj0iSXNTY3JpcHQiPmZhbHNlPC9CPjxOaWwgTj0iVXNlTG9jYWxTY29wZSIgLz48T2JqIE49Ik1lcmdlTXlSZXN1bHQiIFJlZklkPSI0Ij48VE4gUmVmSWQ9IjEiPjxUPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzLlBpcGVsaW5lUmVzdWx0VHlwZXM8L1Q+PFQ+U3lzdGVtLkVudW08L1Q+PFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD48VD5TeXN0ZW0uT2JqZWN0PC9UPjwvVE4+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VUb1Jlc3VsdCIgUmVmSWQ9IjUiPjxUTlJlZiBSZWZJZD0iMSIgLz48VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+PEkzMj4wPC9JMzI+PC9PYmo+PE9iaiBOPSJNZXJnZVByZXZpb3VzUmVzdWx0cyIgUmVmSWQ9IjYiPjxUTlJlZiBSZWZJZD0iMSIgLz48VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+PEkzMj4wPC9JMzI+PC9PYmo+PE9iaiBOPSJNZXJnZUVycm9yIiBSZWZJZD0iNyI+PFROUmVmIFJlZklkPSIxIiAvPjxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49Ik1lcmdlV2FybmluZyIgUmVmSWQ9IjgiPjxUTlJlZiBSZWZJZD0iMSIgLz48VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+PEkzMj4wPC9JMzI+PC9PYmo+PE9iaiBOPSJNZXJnZVZlcmJvc2UiIFJlZklkPSI5Ij48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VEZWJ1ZyIgUmVmSWQ9IjEwIj48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VJbmZvcm1hdGlvbiIgUmVmSWQ9IjExIj48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iQXJncyIgUmVmSWQ9IjEyIj48VE5SZWYgUmVmSWQ9IjAiIC8+PExTVD48T2JqIFJlZklkPSIxMyI+PE1TPjxTIE49Ik4iPk1vZGU8L1M+PE9iaiBOPSJWIiBSZWZJZD0iMTQiPjxUTiBSZWZJZD0iMiI+PFQ+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5EZWJ1Z01vZGVzPC9UPjxUPlN5c3RlbS5FbnVtPC9UPjxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxUb1N0cmluZz5Mb2NhbFNjcmlwdCwgUmVtb3RlU2NyaXB0PC9Ub1N0cmluZz48STMyPjY8L0kzMj48L09iaj48L01TPjwvT2JqPjwvTFNUPjwvT2JqPjwvTVM+PC9PYmo+PC9MU1Q+PC9PYmo+PEIgTj0iSXNOZXN0ZWQiPmZhbHNlPC9CPjxOaWwgTj0iSGlzdG9yeSIgLz48QiBOPSJSZWRpcmVjdFNoZWxsRXJyb3JPdXRwdXRQaXBlIj50cnVlPC9CPjwvTVM+PC9PYmo+PEIgTj0iTm9JbnB1dCI+dHJ1ZTwvQj48T2JqIE49IkFwYXJ0bWVudFN0YXRlIiBSZWZJZD0iMTUiPjxUTiBSZWZJZD0iMyI+PFQ+U3lzdGVtLlRocmVhZGluZy5BcGFydG1lbnRTdGF0ZTwvVD48VD5TeXN0ZW0uRW51bTwvVD48VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48VG9TdHJpbmc+VW5rbm93bjwvVG9TdHJpbmc+PEkzMj4yPC9JMzI+PC9PYmo+PE9iaiBOPSJSZW1vdGVTdHJlYW1PcHRpb25zIiBSZWZJZD0iMTYiPjxUTiBSZWZJZD0iNCI+PFQ+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SZW1vdGVTdHJlYW1PcHRpb25zPC9UPjxUPlN5c3RlbS5FbnVtPC9UPjxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxUb1N0cmluZz5BZGRJbnZvY2F0aW9uSW5mbzwvVG9TdHJpbmc+PEkzMj4xNTwvSTMyPjwvT2JqPjxCIE49IkFkZFRvSGlzdG9yeSI+ZmFsc2U8L0I+PE9iaiBOPSJIb3N0SW5mbyIgUmVmSWQ9IjE3Ij48TVM+PEIgTj0iX2lzSG9zdE51bGwiPnRydWU8L0I+PEIgTj0iX2lzSG9zdFVJTnVsbCI+dHJ1ZTwvQj48QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj50cnVlPC9CPjxCIE49Il91c2VSdW5zcGFjZUhvc3QiPnRydWU8L0I+PC9NUz48L09iaj48QiBOPSJJc05lc3RlZCI+ZmFsc2U8L0I+PC9NUz48L09iaj4=</rsp:Arguments> | |
| </rsp:CommandLine> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 465 | Time: 2020-06-17T09:55:59.149289 | Source: 192.168.56.10 | Destination: 192.168.56.15 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US"> | |
| <s:Header> | |
| <a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandResponse</a:Action> | |
| <a:MessageID>uuid:96742BE4-89C1-48CB-85B7-2FBEF32A26F8</a:MessageID> | |
| <p:OperationID s:mustUnderstand="false">uuid:FDD9FD03-1A31-4EF0-8F94-6565E4D3A27F</p:OperationID> | |
| <p:SequenceId>1</p:SequenceId> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <a:RelatesTo>uuid:29904F44-FFDA-40F9-8C04-98B58AF10186</a:RelatesTo> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:CommandResponse> | |
| <rsp:CommandId>A83C975E-C552-492F-AC78-51FDCC665500</rsp:CommandId> | |
| </rsp:CommandResponse> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 472 | Time: 2020-06-17T09:55:59.153543 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To> | |
| <a:ReplyTo> | |
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | |
| </a:ReplyTo> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action> | |
| <w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize> | |
| <a:MessageID>uuid:3E492E94-8AD4-4314-A779-FDAC6B14717D</a:MessageID> | |
| <w:Locale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId> | |
| <p:OperationID s:mustUnderstand="false">uuid:7D6EAD8E-4A35-4F5F-8A51-4DB2C589B09E</p:OperationID> | |
| <p:SequenceId s:mustUnderstand="false">1</p:SequenceId> | |
| <w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"> | |
| <w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector> | |
| </w:SelectorSet> | |
| <w:OperationTimeout>PT180.000S</w:OperationTimeout> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:Receive xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" SequenceId="0"> | |
| <rsp:DesiredStream CommandId="A83C975E-C552-492F-AC78-51FDCC665500">stdout</rsp:DesiredStream> | |
| </rsp:Receive> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 474 | Time: 2020-06-17T09:55:59.154999 | Source: 192.168.56.10 | Destination: 192.168.56.15 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US"> | |
| <s:Header> | |
| <a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action> | |
| <a:MessageID>uuid:4EC0ACC6-745A-41BD-BB9A-F89EE15BC6BC</a:MessageID> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <p:OperationID s:mustUnderstand="false">uuid:7D6EAD8E-4A35-4F5F-8A51-4DB2C589B09E</p:OperationID> | |
| <p:SequenceId>1</p:SequenceId> | |
| <a:RelatesTo>uuid:3E492E94-8AD4-4314-A779-FDAC6B14717D</a:RelatesTo> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:ReceiveResponse> | |
| <rsp:Stream Name="stdout" CommandId="A83C975E-C552-492F-AC78-51FDCC665500">ewB7AAAAAAAAAAAEAAAAAAAAAAADAAAAZwEAAAAGEAQADbGPVc1Wd0O1VfGijipkW16XPKhSxS9JrHhR/cxmVQDvu788T2JqIFJlZklkPSIwIj48TVM+PEkzMiBOPSJQaXBlbGluZVN0YXRlIj40PC9JMzI+PC9NUz48L09iaj4=</rsp:Stream> | |
| <rsp:CommandState CommandId="A83C975E-C552-492F-AC78-51FDCC665500" State="http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandState/Done"> | |
| <rsp:ExitCode>0</rsp:ExitCode> | |
| </rsp:CommandState> | |
| </rsp:ReceiveResponse> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 477 | Time: 2020-06-17T09:55:59.158435 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To> | |
| <a:ReplyTo> | |
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | |
| </a:ReplyTo> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal</a:Action> | |
| <w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize> | |
| <a:MessageID>uuid:57EA35DC-AF07-4D4B-A755-12B3F549EF80</a:MessageID> | |
| <w:Locale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId> | |
| <p:OperationID s:mustUnderstand="false">uuid:4D136523-94CF-4219-989A-279FB46D777C</p:OperationID> | |
| <p:SequenceId s:mustUnderstand="false">1</p:SequenceId> | |
| <w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"> | |
| <w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector> | |
| </w:SelectorSet> | |
| <w:OperationTimeout>PT60.000S</w:OperationTimeout> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:Signal xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" CommandId="A83C975E-C552-492F-AC78-51FDCC665500"> | |
| <rsp:Code>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate</rsp:Code> | |
| </rsp:Signal> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 479 | Time: 2020-06-17T09:55:59.159444 | Source: 192.168.56.10 | Destination: 192.168.56.15 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US"> | |
| <s:Header> | |
| <a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/SignalResponse</a:Action> | |
| <a:MessageID>uuid:4E12E017-DCE7-4A86-8F1A-47D1FA7A6FAA</a:MessageID> | |
| <p:OperationID s:mustUnderstand="false">uuid:4D136523-94CF-4219-989A-279FB46D777C</p:OperationID> | |
| <p:SequenceId>1</p:SequenceId> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <a:RelatesTo>uuid:57EA35DC-AF07-4D4B-A755-12B3F549EF80</a:RelatesTo> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:SignalResponse/> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 481 | Time: 2020-06-17T09:55:59.163963 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To> | |
| <a:ReplyTo> | |
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | |
| </a:ReplyTo> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action> | |
| <w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize> | |
| <a:MessageID>uuid:83E39A98-0D9D-4035-B0A1-627AE99C8A01</a:MessageID> | |
| <w:Locale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId> | |
| <p:OperationID s:mustUnderstand="false">uuid:505C5B47-734C-4111-B0D9-5ADE2E736E6F</p:OperationID> | |
| <p:SequenceId s:mustUnderstand="false">1</p:SequenceId> | |
| <w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"> | |
| <w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector> | |
| </w:SelectorSet> | |
| <w:OperationTimeout>PT180.000S</w:OperationTimeout> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:CommandLine xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747"> | |
| <rsp:Command>hostname.exe</rsp:Command> | |
| <rsp:Arguments>AAAAAAAAAAgAAAAAAAAAAAMAAAh8AgAAAAYQAgANsY9VzVZ3Q7VV8aKOKmRbV92jJFrsq0uXzOfJXOAXR++7vzxPYmogUmVmSWQ9IjAiPjxNUz48T2JqIE49IlBvd2VyU2hlbGwiIFJlZklkPSIxIj48TVM+PE9iaiBOPSJDbWRzIiBSZWZJZD0iMiI+PFROIFJlZklkPSIwIj48VD5TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNPYmplY3QsIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24sIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1XV08L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxMU1Q+PE9iaiBSZWZJZD0iMyI+PE1TPjxTIE49IkNtZCI+aG9zdG5hbWUuZXhlPC9TPjxCIE49IklzU2NyaXB0Ij5mYWxzZTwvQj48TmlsIE49IlVzZUxvY2FsU2NvcGUiIC8+PE9iaiBOPSJNZXJnZU15UmVzdWx0IiBSZWZJZD0iNCI+PFROIFJlZklkPSIxIj48VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJ1bnNwYWNlcy5QaXBlbGluZVJlc3VsdFR5cGVzPC9UPjxUPlN5c3RlbS5FbnVtPC9UPjxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49Ik1lcmdlVG9SZXN1bHQiIFJlZklkPSI1Ij48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VQcmV2aW91c1Jlc3VsdHMiIFJlZklkPSI2Ij48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VFcnJvciIgUmVmSWQ9IjciPjxUTlJlZiBSZWZJZD0iMSIgLz48VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+PEkzMj4wPC9JMzI+PC9PYmo+PE9iaiBOPSJNZXJnZVdhcm5pbmciIFJlZklkPSI4Ij48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VWZXJib3NlIiBSZWZJZD0iOSI+PFROUmVmIFJlZklkPSIxIiAvPjxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49Ik1lcmdlRGVidWciIFJlZklkPSIxMCI+PFROUmVmIFJlZklkPSIxIiAvPjxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49Ik1lcmdlSW5mb3JtYXRpb24iIFJlZklkPSIxMSI+PFROUmVmIFJlZklkPSIxIiAvPjxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49IkFyZ3MiIFJlZklkPSIxMiI+PFROUmVmIFJlZklkPSIwIiAvPjxMU1QgLz48L09iaj48L01TPjwvT2JqPjwvTFNUPjwvT2JqPjxCIE49IklzTmVzdGVkIj5mYWxzZTwvQj48TmlsIE49Ikhpc3RvcnkiIC8+PEIgTj0iUmVkaXJlY3RTaGVsbEVycm9yT3V0cHV0UGlwZSI+dHJ1ZTwvQj48L01TPjwvT2JqPjxCIE49Ik5vSW5wdXQiPnRydWU8L0I+PE9iaiBOPSJBcGFydG1lbnRTdGF0ZSIgUmVmSWQ9IjEzIj48VE4gUmVmSWQ9IjIiPjxUPlN5c3RlbS5UaHJlYWRpbmcuQXBhcnRtZW50U3RhdGU8L1Q+PFQ+U3lzdGVtLkVudW08L1Q+PFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD48VD5TeXN0ZW0uT2JqZWN0PC9UPjwvVE4+PFRvU3RyaW5nPlVua25vd248L1RvU3RyaW5nPjxJMzI+MjwvSTMyPjwvT2JqPjxPYmogTj0iUmVtb3RlU3RyZWFtT3B0aW9ucyIgUmVmSWQ9IjE0Ij48VE4gUmVmSWQ9IjMiPjxUPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUmVtb3RlU3RyZWFtT3B0aW9uczwvVD48VD5TeXN0ZW0uRW51bTwvVD48VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48VG9TdHJpbmc+MDwvVG9TdHJpbmc+PEkzMj4wPC9JMzI+PC9PYmo+PEIgTj0iQWRkVG9IaXN0b3J5Ij50cnVlPC9CPjxPYmogTj0iSG9zdEluZm8iIFJlZklkPSIxNSI+PE1TPjxCIE49Il9pc0hvc3ROdWxsIj50cnVlPC9CPjxCIE49Il9pc0hvc3RVSU51bGwiPnRydWU8L0I+PEIgTj0iX2lzSG9zdFJhd1VJTnVsbCI+dHJ1ZTwvQj48QiBOPSJfdXNlUnVuc3BhY2VIb3N0Ij50cnVlPC9CPjwvTVM+PC9PYmo+PEIgTj0iSXNOZXN0ZWQiPmZhbHNlPC9CPjwvTVM+PC9PYmo+</rsp:Arguments> | |
| </rsp:CommandLine> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 483 | Time: 2020-06-17T09:55:59.165128 | Source: 192.168.56.10 | Destination: 192.168.56.15 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US"> | |
| <s:Header> | |
| <a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandResponse</a:Action> | |
| <a:MessageID>uuid:33A9C485-92AA-49EA-A7EA-42509B473BAD</a:MessageID> | |
| <p:OperationID s:mustUnderstand="false">uuid:505C5B47-734C-4111-B0D9-5ADE2E736E6F</p:OperationID> | |
| <p:SequenceId>1</p:SequenceId> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <a:RelatesTo>uuid:83E39A98-0D9D-4035-B0A1-627AE99C8A01</a:RelatesTo> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:CommandResponse> | |
| <rsp:CommandId>24A3DD57-EC5A-4BAB-97CC-E7C95CE01747</rsp:CommandId> | |
| </rsp:CommandResponse> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 485 | Time: 2020-06-17T09:55:59.165734 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To> | |
| <a:ReplyTo> | |
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | |
| </a:ReplyTo> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action> | |
| <w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize> | |
| <a:MessageID>uuid:E58D741B-13D7-4873-B917-EB2D0F448CAE</a:MessageID> | |
| <w:Locale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId> | |
| <p:OperationID s:mustUnderstand="false">uuid:B2AF0AEE-CF60-4A9D-9C42-C46345606A67</p:OperationID> | |
| <p:SequenceId s:mustUnderstand="false">1</p:SequenceId> | |
| <w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"> | |
| <w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector> | |
| </w:SelectorSet> | |
| <w:OperationTimeout>PT180.000S</w:OperationTimeout> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:Receive xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" SequenceId="0"> | |
| <rsp:DesiredStream CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">stdout</rsp:DesiredStream> | |
| </rsp:Receive> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 488 | Time: 2020-06-17T09:55:59.227710 | Source: 192.168.56.10 | Destination: 192.168.56.15 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US"> | |
| <s:Header> | |
| <a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action> | |
| <a:MessageID>uuid:96C70707-29B2-426D-8FF7-030F57D74158</a:MessageID> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <p:OperationID s:mustUnderstand="false">uuid:B2AF0AEE-CF60-4A9D-9C42-C46345606A67</p:OperationID> | |
| <p:SequenceId>1</p:SequenceId> | |
| <a:RelatesTo>uuid:E58D741B-13D7-4873-B917-EB2D0F448CAE</a:RelatesTo> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:ReceiveResponse> | |
| <rsp:Stream Name="stdout" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">GQIWAoeIiAAAAIAABwAAgAAAAAAGBggAAAiAZneIAAAAAHYFcHCIgHCAcHYHZ3aHAIgIAFBnRndQB2ZWBlVliHAAAAAAAAAAAAAAiAAAAIAAAAAAAIgAAACAAACAAIAAAIAAgAAAAACAAIgAAAAAAAAAgAAIAACAAAAIgIAAAAAAAAAACIgAAAAAAAAAAAAAAAAAAAcAAAAAAAAACACAAAAAAACHB4AAAIAAAIYHAACHAACAiAAHCIAAAABmCHAACAAAAIgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADfkWyRxu4jkSMXwBOTySOPgyenbl013Jk7NXY3G7PU1t7n1cvf6tzT6eXX5Mro69Lj4o1aKWsKU9vznJjEpAa1swQvCTkxIK0Em6RFSMX4wEfMJKxb6cCBVTpkypCrQsccUFkUaVg/P9o729NSTFaWYOOEPRANQB/RDvqIVwgSk7JXHLkE9QzoeWBfFA4DpO/Sr4e0f+XmbcDLtuWA8ELNxTn3dQEBMXyE39osE3yiw1pcXxlHx5HZaDEH6KBUhzcdYDH4sEmuIAz+kVJgi3PABtNmikz+Vlnbb+hF9B2jKgByTPeBQwBdpFlF5F6ElfkbWGg3XTxyO9LDolghdHeco0LEbh7uIY+Mv0IK3uD/RquRtYB2AAA=</rsp:Stream> | |
| <rsp:Stream Name="stdout" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">pAOdApeQCQkAAJAAkAAAkAAAAAAGBQkAAAmAZnd3CAkAAIYFcHCZkGmQeHcHZ4aIAJkJAFBoRndZCFZWBlVlmXAAAAAAAAAAAAAAmQkAAJAAAAAAAJkAAACQAACQAJAAAJAAkAAAAACQAJkAAAAAAAAAkAAJAACQAAAJkJAAAAAAAAAACZkAAAAAAAAJAAAAAAAAAAcAAAAAAAAAB5CZAAAAAACXCIAJAIAAAIaXkAmXAAAAhgiZCZAAAABXmICYCQAAAHgHgJkAAAAAkAAIAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADrnd3hXD1nH8CvZ7x4cbhTzp13tj+LU6mdu+zoefV0EDw0rn0/P9vNduc+PAdfyUfmxvt59t3o6zHpLWQGOadgbYh01blty8m2Yp9ghyhClfZ8vtrAI+ybi2IK58ES3uqt/YbnxO0MqFLNS0RgYEyJkdMxR1MUzcQxkFjU+61zSJVOBVWPdJAD0zZ/2IrLakN5lpAhuR5qGH29IB1afdNor9XdySZSeogqCMKCbQ+UAM3fbUhUykVHL3XaBg+YqN3t9lxRu806W/k+PFTNMCmeZukQmplLT6UP6HPQKCHTtK5kt2s0lhNKd2/H2OXsnCm4q+roU8GOmVWZQ3CAsIuMwWIEj4KQtFgxdKhomEogkW3LR0tRKdn6BMirPQc7orpEKoHyoC+tsYaQDMYs1sA6IqkRELwqjGAClK9htsLwCcu/S3mufdflgQDKD4c6cDSDglcIUH6u46n+4mX+0chSusG+X90sBLK8nQ9rELiZhpvi26c9MPNfoubuLntK8L7zeudcCHEMisxDxUL/Khqcg8dr8jtZ0z3+4gCQAAA=</rsp:Stream> | |
| <rsp:Stream Name="stdout" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">SgBKAAAAAAAAAAAHAAAAAAAAAAADAAAANgEAAAAEEAQADbGPVc1Wd0O1VfGijipkW1fdoyRa7KtLl8znyVzgF0fvu788Uz5EQzAxPC9TPg==</rsp:Stream> | |
| <rsp:Stream Name="stdout" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">ewB7AAAAAAAAAAAIAAAAAAAAAAADAAAAZwEAAAAGEAQADbGPVc1Wd0O1VfGijipkW1fdoyRa7KtLl8znyVzgF0fvu788T2JqIFJlZklkPSIwIj48TVM+PEkzMiBOPSJQaXBlbGluZVN0YXRlIj40PC9JMzI+PC9NUz48L09iaj4=</rsp:Stream> | |
| <rsp:CommandState CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747" State="http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandState/Done"> | |
| <rsp:ExitCode>0</rsp:ExitCode> | |
| </rsp:CommandState> | |
| </rsp:ReceiveResponse> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 491 | Time: 2020-06-17T09:55:59.230493 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To> | |
| <a:ReplyTo> | |
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | |
| </a:ReplyTo> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal</a:Action> | |
| <w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize> | |
| <a:MessageID>uuid:D35B51DE-F473-4E89-B1BD-918E2EE654D5</a:MessageID> | |
| <w:Locale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId> | |
| <p:OperationID s:mustUnderstand="false">uuid:C97884B3-1448-4F74-8DA8-A9C0408ECA45</p:OperationID> | |
| <p:SequenceId s:mustUnderstand="false">1</p:SequenceId> | |
| <w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"> | |
| <w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector> | |
| </w:SelectorSet> | |
| <w:OperationTimeout>PT60.000S</w:OperationTimeout> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:Signal xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747"> | |
| <rsp:Code>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate</rsp:Code> | |
| </rsp:Signal> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 493 | Time: 2020-06-17T09:55:59.231205 | Source: 192.168.56.10 | Destination: 192.168.56.15 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US"> | |
| <s:Header> | |
| <a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/SignalResponse</a:Action> | |
| <a:MessageID>uuid:E98C8069-93FB-4307-B7AD-98CA428DEC51</a:MessageID> | |
| <p:OperationID s:mustUnderstand="false">uuid:C97884B3-1448-4F74-8DA8-A9C0408ECA45</p:OperationID> | |
| <p:SequenceId>1</p:SequenceId> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <a:RelatesTo>uuid:D35B51DE-F473-4E89-B1BD-918E2EE654D5</a:RelatesTo> | |
| </s:Header> | |
| <s:Body> | |
| <rsp:SignalResponse/> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 496 | Time: 2020-06-17T09:55:59.232122 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To> | |
| <a:ReplyTo> | |
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | |
| </a:ReplyTo> | |
| <a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete</a:Action> | |
| <w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize> | |
| <a:MessageID>uuid:B107343F-C104-4F86-AF92-DB4211042668</a:MessageID> | |
| <w:Locale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/> | |
| <p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId> | |
| <p:OperationID s:mustUnderstand="false">uuid:D40E8931-D63F-4726-A209-41C09D417D73</p:OperationID> | |
| <p:SequenceId s:mustUnderstand="false">1</p:SequenceId> | |
| <w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI> | |
| <w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"> | |
| <w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector> | |
| </w:SelectorSet> | |
| <w:OperationTimeout>PT60.000S</w:OperationTimeout> | |
| </s:Header> | |
| <s:Body/> | |
| </s:Envelope> | |
| No: 501 | Time: 2020-06-17T09:55:59.232929 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/FullDuplex</w:ResourceURI> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/Cancel</a:Action> | |
| <a:MessageID>uuid:F1323350-117A-4590-B109-CC60C3CFC0D4</a:MessageID> | |
| <p:OperationID>uuid:7E82B86B-8428-41F3-BFBB-A02B38069E50</p:OperationID> | |
| </s:Header> | |
| <s:Body/> | |
| </s:Envelope> | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/FullDuplex</w:ResourceURI> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/End</a:Action> | |
| <a:MessageID>uuid:BF473A4D-1FF7-4713-B9C5-C4FF8DEE8A93</a:MessageID> | |
| <p:OperationID>uuid:7E82B86B-8428-41F3-BFBB-A02B38069E50</p:OperationID> | |
| </s:Header> | |
| <s:Body/> | |
| </s:Envelope> | |
| No: 503 | Time: 2020-06-17T09:55:59.232977 | Source: 192.168.56.10 | Destination: 192.168.56.15 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US"> | |
| <s:Header> | |
| <a:Action>http://schemas.dmtf.org/wbem/wsman/1/wsman/fault</a:Action> | |
| <a:MessageID>uuid:BD37AB1A-09D4-4A6C-B3B3-9D9B5293E2F1</a:MessageID> | |
| <p:OperationID s:mustUnderstand="false">uuid:7E82B86B-8428-41F3-BFBB-A02B38069E50</p:OperationID> | |
| <p:SequenceId>1</p:SequenceId> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <a:RelatesTo>uuid:1B9B2711-2E52-43F5-B4F4-D01490EEB68C</a:RelatesTo> | |
| </s:Header> | |
| <s:Body> | |
| <s:Fault> | |
| <s:Code> | |
| <s:Value>s:Receiver</s:Value> | |
| <s:Subcode> | |
| <s:Value>w:InternalError</s:Value> | |
| </s:Subcode> | |
| </s:Code> | |
| <s:Reason> | |
| <s:Text xml:lang="en-US">The I/O operation has been aborted because of either a thread exit or an application request. </s:Text> | |
| </s:Reason> | |
| <s:Detail> | |
| <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="995" Machine="192.168.56.10"> | |
| <f:Message>The I/O operation has been aborted because of either a thread exit or an application request. </f:Message> | |
| </f:WSManFault> | |
| </s:Detail> | |
| </s:Fault> | |
| </s:Body> | |
| </s:Envelope> | |
| No: 505 | Time: 2020-06-17T09:55:59.233120 | Source: 192.168.56.10 | Destination: 192.168.56.15 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US"> | |
| <s:Header> | |
| <a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/DeleteResponse</a:Action> | |
| <a:MessageID>uuid:8E095740-03D9-440F-ADA1-FBDB225A5C20</a:MessageID> | |
| <p:OperationID s:mustUnderstand="false">uuid:D40E8931-D63F-4726-A209-41C09D417D73</p:OperationID> | |
| <p:SequenceId>1</p:SequenceId> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <a:RelatesTo>uuid:B107343F-C104-4F86-AF92-DB4211042668</a:RelatesTo> | |
| </s:Header> | |
| <s:Body/> | |
| </s:Envelope> | |
| No: 516 | Time: 2020-06-17T09:55:59.240583 | Source: 192.168.56.15 | Destination: 192.168.56.10 | |
| <?xml version="1.0" ?> | |
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> | |
| <s:Header> | |
| <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To> | |
| <w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/FullDuplex</w:ResourceURI> | |
| <a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/End</a:Action> | |
| <a:MessageID>uuid:7AD298D1-EFCD-48D3-B894-F5B08E8241C8</a:MessageID> | |
| <p:OperationID>uuid:D40E8931-D63F-4726-A209-41C09D417D73</p:OperationID> | |
| </s:Header> | |
| <s:Body/> | |
| </s:Envelope> |
hello, sorry for digging this script out, but somehow the script failed to parse some of the packets from pyshark
Traceback (most recent call last):
File "<redacted>\winrm_decrypt.py", line 248, in main
file_data = cap.http.file_data.binary_value
return getattr(self.main_field, item)
File "<redacted>\Python39\site-packages\pyshark\packet\fields.py", line 64, in binary_value
return binascii.unhexlify(str_raw_value)
binascii.Error: Non-hexadecimal digit found
does this script need to have certain version of pyshark?
Honestly I’m not sure sorry.
I recommend changing the hashbang to #!/usr/bin/env python3 or specifying that it is python3 somewhere in the comments of the script - this does not run under python 2
Eh, this is a gist and Python 2 is effectively EOL, excluding some distro hold outs. If you are still trying to run things on Python 2 then I recommend you try and change that in general.
FYI: was using this for a CTF which did not work (with the same error @rareguy bumped into). Fixed that in a fork (made a proper repo this time), including the same license and reference to your gist :
Update: seems like that error was caused by wrong hash/password
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is a very rough script and really just a proof of concept to see if it is possible. It only supports NTLM authentication but theoretically could be expanded for Kerberos or CredSSP auth if the secret is known.