jborean93 / pypsrp

PowerShell Remoting Protocol for Python
MIT License
326 stars 49 forks

Server-initiated session key transfer #127

Closed malthe closed 2 years ago

malthe commented 2 years ago

From the documentation on MessageType.PUBLIC_KEY_REQUEST I get the sense that the server could initiate the key exchange such that this was not required by the client.

If that's possible, how does one configure the server to do this? Alternatively, in what situations might the server send this message?

jborean93 commented 2 years ago

While the protocol was built to support this, the ability to do so was removed since PowerShell v3. You need to be targeting PowerShell v2 on the target for this to happen. IIRC, to kick this off just output an object that contains a secure string, like so:

from pypsrp.powershell import PowerShell, RunspacePool
from pypsrp.wsman import WSMan

# Outputting a SecureString is what prompts a v2 server to request the client's public key
with WSMan("server") as wsman, RunspacePool(wsman) as rp:
    ps = PowerShell(rp)
    ps.add_script('ConvertTo-SecureString -AsPlainText -Force -String "secure"')
    ps.invoke()

I think the current code will actually fail when you try this as I do not remember implementing support for it. I'm also reluctant to add support for it as v2 only comes with out of support Windows versions.

malthe commented 2 years ago

Thanks – seems like exchange_keys() is the way and in fact, it shouldn't be a very costly default.
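A client-side flow for the exchange_keys() route the thread settles on, as an added example that is not part of the issue or of pypsrp's own code. It assumes pypsrp is installed for the live path; the host, user and password are placeholders read from environment variables, the `_session_key_ready` marker is our own attribute set on the pool object, and the `Fake*` classes are constructed here so the call ordering can be exercised without a server.

```python
"""Client-initiated PSRP session key exchange with pypsrp (added example).

The client sends its public key via RunspacePool.exchange_keys() before
running a pipeline that emits a SecureString, so the server never has to
initiate the exchange (which only PowerShell v2 would do anyway).
"""
import os

try:
    from pypsrp.powershell import PowerShell, RunspacePool
    from pypsrp.wsman import WSMan
except ImportError:  # live path unavailable; the offline helpers still work
    PowerShell = RunspacePool = WSMan = None

# Constructed sample script: emits a SecureString, which needs the session key to decrypt
SCRIPT = 'ConvertTo-SecureString -AsPlainText -Force -String "secure"'


def run_with_session_key(rp, script, powershell_cls=None):
    """Exchange the session key once for pool `rp`, then run `script`.

    Returns (exchanged, output). `_session_key_ready` is an attribute this
    example sets on the pool (not a pypsrp field) so later pipelines on the
    same pool skip the exchange; the exchange is cheap but not free.
    """
    if powershell_cls is None:
        powershell_cls = PowerShell
    exchanged = False
    if not getattr(rp, "_session_key_ready", False):
        rp.exchange_keys()          # client-initiated PUBLIC_KEY message
        rp._session_key_ready = True
        exchanged = True
    ps = powershell_cls(rp)
    ps.add_script(script)
    output = ps.invoke()
    return exchanged, output


class FakeRunspacePool:
    """Constructed stand-in that records the order of calls made on it."""

    def __init__(self):
        self.calls = []

    def exchange_keys(self):
        self.calls.append("exchange_keys")


class FakePowerShell:
    """Constructed stand-in for pypsrp.powershell.PowerShell."""

    def __init__(self, rp):
        self.rp = rp
        self.script = None

    def add_script(self, script):
        self.script = script
        self.rp.calls.append("add_script")

    def invoke(self):
        self.rp.calls.append("invoke")
        return ["<SecureString output placeholder>"]


def main():
    # Placeholder connection details; replace with a real host and credentials
    host = os.environ.get("PSRP_HOST", "server.example")
    user = os.environ.get("PSRP_USER", "user")
    password = os.environ.get("PSRP_PASSWORD", "")
    with WSMan(host, username=user, password=password) as wsman, RunspacePool(wsman) as rp:
        exchanged, out = run_with_session_key(rp, SCRIPT)
        print("key exchanged before first pipeline:", exchanged)
        for item in out:
            print(type(item).__name__, item)
        # A second pipeline on the same pool reuses the already exchanged key
        print("key exchanged again:", run_with_session_key(rp, "Get-Date")[0])


if __name__ == "__main__":
    main()
```

Run it against a live endpoint with `PSRP_HOST`, `PSRP_USER` and `PSRP_PASSWORD` set; the fake classes only exist to show that exchange_keys() is sent before add_script/invoke on the first pipeline and skipped on the next.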