Skip to content

Instantly share code, notes, and snippets.

@jborean93
Last active March 28, 2024 14:01
Show Gist options
  • Save jborean93/d6ff5e87f8a9f5cb215cd49826523045 to your computer and use it in GitHub Desktop.
Save jborean93/d6ff5e87f8a9f5cb215cd49826523045 to your computer and use it in GitHub Desktop.
A script that can be used to decrypt WinRM exchanges using NTLM over http
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# PYTHON_ARGCOMPLETE_OK
# Copyright: (c) 2020 Jordan Borean (@jborean93) <[email protected]>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
"""
Script that can read a Wireshark capture .pcapng for a WinRM exchange and decrypt the messages. Currently only supports
exchanges that were authenticated with NTLM. This is really a POC, a lot of things are missing like NTLMv1 support,
shorter signing keys, better error handling, etc.
"""
from __future__ import absolute_import, division, print_function
__metaclass__ = type
import argparse
import base64
import hashlib
import hmac
import os
import re
import struct
import xml.dom.minidom
import pyshark
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
try:
import argcomplete
except ImportError:
argcomplete = None
BOUNDARY_PATTERN = re.compile("boundary=[" '|\\"](.*)[' '|\\"]')
class SecurityContext:
def __init__(self, port, nt_hash):
self.port = port
self.tokens = []
self.nt_hash = nt_hash
self.complete = False
self.key_exch = False
self.session_key = None
self.sign_key_initiate = None
self.sign_key_accept = None
self.seal_handle_initiate = None
self.seal_handle_accept = None
self.__initiate_seq_no = 0
self.__accept_seq_no = 0
@property
def _initiate_seq_no(self):
val = self.__initiate_seq_no
self.__initiate_seq_no += 1
return val
@property
def _accept_seq_no(self):
val = self.__accept_seq_no
self.__accept_seq_no += 1
return val
def add_token(self, token):
self.tokens.append(token)
if token.startswith(b"NTLMSSP\x00\x03"):
# Extract the info required to build the session key
nt_challenge = self._get_auth_field(20, token)
b_domain = self._get_auth_field(28, token) or b""
b_username = self._get_auth_field(36, token) or b""
encrypted_random_session_key = self._get_auth_field(52, token)
flags = struct.unpack("<I", token[60:64])[0]
encoding = "utf-16-le" if flags & 0x00000001 else "windows-1252"
domain = b_domain.decode(encoding)
username = b_username.decode(encoding)
# Derive the session key
nt_proof_str = nt_challenge[:16]
response_key_nt = hmac_md5(self.nt_hash, (username.upper() + domain).encode("utf-16-le"))
key_exchange_key = hmac_md5(response_key_nt, nt_proof_str)
self.key_exch = bool(flags & 0x40000000)
if self.key_exch and (flags & (0x00000020 | 0x00000010)):
self.session_key = rc4k(key_exchange_key, encrypted_random_session_key)
else:
self.session_key = key_exchange_key
# Derive the signing and sealing keys
self.sign_key_initiate = signkey(self.session_key, "initiate")
self.sign_key_accept = signkey(self.session_key, "accept")
self.seal_handle_initiate = rc4init(sealkey(self.session_key, "initiate"))
self.seal_handle_accept = rc4init(sealkey(self.session_key, "accept"))
self.complete = True
def unwrap_initiate(self, data):
return self._unwrap(self.seal_handle_initiate, self.sign_key_initiate, self._initiate_seq_no, data)
def unwrap_accept(self, data):
return self._unwrap(self.seal_handle_accept, self.sign_key_accept, self._accept_seq_no, data)
def _unwrap(self, handle, sign_key, seq_no, data):
header = data[4:20]
enc_data = data[20:]
dec_data = handle.update(enc_data)
b_seq_num = struct.pack("<I", seq_no)
checksum = hmac_md5(sign_key, b_seq_num + dec_data)[:8]
if self.key_exch:
checksum = handle.update(checksum)
actual_header = b"\x01\x00\x00\x00" + checksum + b_seq_num
if header != actual_header:
raise Exception("Signature verification failed")
return dec_data
def _get_auth_field(self, offset, token):
field_len = struct.unpack("<H", token[offset : offset + 2])[0]
if field_len:
field_offset = struct.unpack("<I", token[offset + 4 : offset + 8])[0]
return token[field_offset : field_offset + field_len]
def hmac_md5(key, data):
return hmac.new(key, data, digestmod=hashlib.md5).digest()
def md4(m):
return hashlib.new("md4", m).digest()
def md5(m):
return hashlib.md5(m).digest()
def ntowfv1(password):
return md4(password.encode("utf-16-le"))
def rc4init(k):
arc4 = algorithms.ARC4(k)
return Cipher(arc4, mode=None, backend=default_backend()).encryptor()
def rc4k(k, d):
return rc4init(k).update(d)
def sealkey(session_key, usage):
direction = b"client-to-server" if usage == "initiate" else b"server-to-client"
return md5(session_key + b"session key to %s sealing key magic constant\x00" % direction)
def signkey(session_key, usage):
direction = b"client-to-server" if usage == "initiate" else b"server-to-client"
return md5(session_key + b"session key to %s signing key magic constant\x00" % direction)
def unpack_message(content_type, data):
boundary_match = BOUNDARY_PATTERN.search(content_type)
if not boundary_match:
raise ValueError("Unknown encoded payload format")
boundary = boundary_match.group(1)
# Talking to Exchange endpoints gives a non-compliant boundary that has a space between the --boundary.
# not ideal but we just need to handle it.
parts = re.compile((r"--\s*%s\r\n" % re.escape(boundary)).encode()).split(data)
parts = list(filter(None, parts))
content_type = ""
messages = []
for i in range(0, len(parts), 2):
header = parts[i].strip()
payload = parts[i + 1]
length = int(header.split(b"Length=")[1])
# remove the end MIME block if it exists
payload = re.sub((r"--\s*%s--\r\n$" % boundary).encode(), b"", payload)
wrapped_data = re.sub(r"\t?Content-Type: application/octet-stream\r?\n".encode(), b"", payload)
messages.append((length, wrapped_data))
return messages
def pretty_xml(xml_str):
dom = xml.dom.minidom.parseString(xml_str)
return dom.toprettyxml()
def main():
"""Main program entry point."""
args = parse_args()
if args.password:
nt_hash = ntowfv1(args.password)
else:
nt_hash = base64.b16decode(args.hash.upper())
if args.is_interface:
captures = pyshark.LiveCapture(
interface="virbr2",
display_filter="http and tcp.port == %d" % args.port,
)
else:
captures = pyshark.FileCapture(
os.path.expanduser(os.path.expandvars(args.path)),
display_filter="http and tcp.port == %d" % args.port,
)
contexts = []
for cap in captures:
try:
source_port = int(cap.tcp.srcport)
unique_port = source_port if source_port != args.port else int(cap.tcp.dstport)
auth_token = None
if hasattr(cap.http, "authorization"):
b64_token = cap.http.authorization.split(" ")[1]
auth_token = base64.b64decode(b64_token)
elif hasattr(cap.http, "www_authenticate"):
auth_info = cap.http.www_authenticate.split(" ")
if len(auth_info) > 1:
b64_token = auth_info[1]
auth_token = base64.b64decode(b64_token)
context = None
if auth_token:
if not auth_token.startswith(b"NTLMSSP\x00"):
continue
if auth_token.startswith(b"NTLMSSP\x00\x01"):
context = SecurityContext(unique_port, nt_hash)
contexts.append(context)
else:
context = [c for c in contexts if c.port == unique_port][-1]
if not context:
raise ValueError("Missing exisitng NTLM security context")
context.add_token(auth_token)
if hasattr(cap.http, "file_data"):
if not context:
context = next(c for c in contexts if c.port == unique_port)
if not context.complete:
raise ValueError("Cannot decode message without completed context")
file_data = cap.http.file_data.binary_value
messages = unpack_message(cap.http.content_type, file_data)
unwrap_func = context.unwrap_accept if source_port == args.port else context.unwrap_initiate
dec_msgs = []
for length, enc_data in messages:
msg = unwrap_func(enc_data)
if len(msg) != length:
raise ValueError("Message decryption failed")
dec_msgs.append(pretty_xml(msg.decode("utf-8")))
dec_msgs = "\n".join(dec_msgs)
print(
"No: %s | Time: %s | Source: %s | Destination: %s\n%s\n"
% (cap.number, cap.sniff_time.isoformat(), cap.ip.src_host, cap.ip.dst_host, dec_msgs)
)
except Exception as e:
raise Exception("Failed to process frame: %s" % cap.number) from e
def parse_args():
"""Parse and return args."""
parser = argparse.ArgumentParser(
description="Parse network captures from WireShark and decrypts the WinRM " "messages that were exchanged."
)
parser.add_argument("path", type=str, help="The path to the .pcapng file to decrypt.")
parser.add_argument(
"--is-interface",
dest="is_interface",
action="store_true",
help="The path specified is an interface name to do a live capture on.",
)
parser.add_argument(
"--port",
dest="port",
default=5985,
type=int,
help="The port to scan for the WinRM HTTP packets (default: 5985).",
)
secret = parser.add_mutually_exclusive_group()
secret.add_argument(
"-p", "--password", dest="password", help="The password for the account that was used in the authentication."
)
secret.add_argument(
"-n", "--hash", dest="hash", help="The NT hash for the account that was used in the authentication."
)
if argcomplete:
argcomplete.autocomplete(parser)
return parser.parse_args()
if __name__ == "__main__":
main()
# Produced by './winrm_decrypt.py winrm.pcapng --password VagrantPass1'
# The Wireshark exchange was just running the below in powershell.exe
#
# $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList '[email protected]', (ConvertTo-SecureString -AsPlainText -Force -String 'VagrantPass1')
# Invoke-Command -ComputerName 192.168.56.10 -ScriptBlock { hostname.exe } -Credential $cred -Authentication Negotiate
No: 433 | Time: 2020-06-17T09:55:58.987664 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:2595F3CD-7FCF-4AAF-821F-4F53761FEC3B</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/>
<p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:B1D933FF-BF5B-4F11-8254-56352AEE6753</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:OptionSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" s:mustUnderstand="true">
<w:Option Name="protocolversion" MustComply="true">2.3</w:Option>
</w:OptionSet>
<w:OperationTimeout>PT180.000S</w:OperationTimeout>
<rsp:CompressionType xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" s:mustUnderstand="true">xpress</rsp:CompressionType>
</s:Header>
<s:Body>
<rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" Name="WinRM2" ShellId="558FB10D-56CD-4377-B555-F1A28E2A645B">
<rsp:InputStreams>stdin pr</rsp:InputStreams>
<rsp:OutputStreams>stdout</rsp:OutputStreams>
<creationXml xmlns="http://schemas.microsoft.com/powershell">AAAAAAAAAAUAAAAAAAAAAAMAAALwAgAAAAIAAQANsY9VzVZ3Q7VV8aKOKmRbAAAAAAAAAAAAAAAAAAAAAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48VmVyc2lvbiBOPSJwcm90b2NvbHZlcnNpb24iPjIuMzwvVmVyc2lvbj48VmVyc2lvbiBOPSJQU1ZlcnNpb24iPjIuMDwvVmVyc2lvbj48VmVyc2lvbiBOPSJTZXJpYWxpemF0aW9uVmVyc2lvbiI+MS4xLjAuMTwvVmVyc2lvbj48QkEgTj0iVGltZVpvbmUiPkFBRUFBQUQvLy8vL0FRQUFBQUFBQUFBRUFRQUFBQnhUZVhOMFpXMHVRM1Z5Y21WdWRGTjVjM1JsYlZScGJXVmFiMjVsQkFBQUFCZHRYME5oWTJobFpFUmhlV3hwWjJoMFEyaGhibWRsY3cxdFgzUnBZMnR6VDJabWMyVjBEbTFmYzNSaGJtUmhjbVJPWVcxbERtMWZaR0Y1YkdsbmFIUk9ZVzFsQXdBQkFSeFRlWE4wWlcwdVEyOXNiR1ZqZEdsdmJuTXVTR0Z6YUhSaFlteGxDUWtDQUFBQUFBQUFBQUFBQUFBS0NnUUNBQUFBSEZONWMzUmxiUzVEYjJ4c1pXTjBhVzl1Y3k1SVlYTm9kR0ZpYkdVSEFBQUFDa3h2WVdSR1lXTjBiM0lIVm1WeWMybHZiZ2hEYjIxd1lYSmxjaEJJWVhOb1EyOWtaVkJ5YjNacFpHVnlDRWhoYzJoVGFYcGxCRXRsZVhNR1ZtRnNkV1Z6QUFBREF3QUZCUXNJSEZONWMzUmxiUzVEYjJ4c1pXTjBhVzl1Y3k1SlEyOXRjR0Z5WlhJa1UzbHpkR1Z0TGtOdmJHeGxZM1JwYjI1ekxrbElZWE5vUTI5a1pWQnliM1pwWkdWeUNPeFJPRDhBQUFBQUNnb0RBQUFBQ1FNQUFBQUpCQUFBQUJBREFBQUFBQUFBQUJBRUFBQUFBQUFBQUFzPTwvQkE+PC9NUz48L09iaj4AAAAAAAAABgAAAAAAAAAAAwAADpICAAAABAABAA2xj1XNVndDtVXxoo4qZFsAAAAAAAAAAAAAAAAAAAAA77u/PE9iaiBSZWZJZD0iMCI+PE1TPjxJMzIgTj0iTWluUnVuc3BhY2VzIj4xPC9JMzI+PEkzMiBOPSJNYXhSdW5zcGFjZXMiPjE8L0kzMj48T2JqIE49IlBTVGhyZWFkT3B0aW9ucyIgUmVmSWQ9IjEiPjxUTiBSZWZJZD0iMCI+PFQ+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXMuUFNUaHJlYWRPcHRpb25zPC9UPjxUPlN5c3RlbS5FbnVtPC9UPjxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxUb1N0cmluZz5EZWZhdWx0PC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49IkFwYXJ0bWVudFN0YXRlIiBSZWZJZD0iMiI+PFROIFJlZklkPSIxIj48VD5TeXN0ZW0uVGhyZWFkaW5nLkFwYXJ0bWVudFN0YXRlPC9UPjxUPlN5c3RlbS5FbnVtPC9UPjxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxUb1N0cmluZz5Vbmtub3duPC9Ub1N0cmluZz48STMyPjI8L0kzMj48L09iaj48T2JqIE49IkFwcGxpY2F0aW9uQXJndW1lbnRzIiBSZWZJZD0iMyI+PFROIFJlZklkPSIyIj48VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTUHJpbWl0aXZlRGljdGlvbmFyeTwvVD48VD5TeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlPC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48RENUPjxFbj48UyBOPSJLZXkiPlBTVmVyc2lvblRhYmxlPC9TPjxPYmogTj0iVmFsdWUiIFJlZklkPSI0Ij48VE5SZWYgUmVmSWQ9IjIiIC8+PERDVD48RW4+PFMgTj0iS2V5Ij5QU1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjUuMS4xNzc2My4xMDA3PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+UFNFZGl0aW9uPC9TPjxTIE49IlZhbHVlIj5EZXNrdG9wPC9TPjwvRW4+PEVuPjxTIE49IktleSI+UFNDb21wYXRpYmxlVmVyc2lvbnM8L1M+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjUiPjxUTiBSZWZJZD0iMyI+PFQ+U3lzdGVtLlZlcnNpb25bXTwvVD48VD5TeXN0ZW0uQXJyYXk8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxMU1Q+PFZlcnNpb24+MS4wPC9WZXJzaW9uPjxWZXJzaW9uPjIuMDwvVmVyc2lvbj48VmVyc2lvbj4zLjA8L1ZlcnNpb24+PFZlcnNpb24+NC4wPC9WZXJzaW9uPjxWZXJzaW9uPjUuMDwvVmVyc2lvbj48VmVyc2lvbj41LjEuMTc3NjMuMTAwNzwvVmVyc2lvbj48L0xTVD48L09iaj48L0VuPjxFbj48UyBOPSJLZXkiPkNMUlZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjQuMC4zMDMxOS40MjAwMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPkJ1aWxkVmVyc2lvbjwvUz48VmVyc2lvbiBOPSJWYWx1ZSI+MTAuMC4xNzc2My4xMDA3PC9WZXJzaW9uPjwvRW4+PEVuPjxTIE49IktleSI+V1NNYW5TdGFja1ZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjMuMDwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlBTUmVtb3RpbmdQcm90b2NvbFZlcnNpb248L1M+PFZlcnNpb24gTj0iVmFsdWUiPjIuMzwvVmVyc2lvbj48L0VuPjxFbj48UyBOPSJLZXkiPlNlcmlhbGl6YXRpb25WZXJzaW9uPC9TPjxWZXJzaW9uIE49IlZhbHVlIj4xLjEuMC4xPC9WZXJzaW9uPjwvRW4+PC9EQ1Q+PC9PYmo+PC9Fbj48L0RDVD48L09iaj48T2JqIE49Ikhvc3RJbmZvIiBSZWZJZD0iNiI+PE1TPjxPYmogTj0iX2hvc3REZWZhdWx0RGF0YSIgUmVmSWQ9IjciPjxNUz48T2JqIE49ImRhdGEiIFJlZklkPSI4Ij48VE4gUmVmSWQ9IjQiPjxUPlN5c3RlbS5Db2xsZWN0aW9ucy5IYXNodGFibGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxEQ1Q+PEVuPjxJMzIgTj0iS2V5Ij45PC9JMzI+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjkiPjxNUz48UyBOPSJUIj5TeXN0ZW0uU3RyaW5nPC9TPjxTIE49IlYiPkFkbWluaXN0cmF0b3I6IFdpbmRvd3MgUG93ZXJTaGVsbDwvUz48L01TPjwvT2JqPjwvRW4+PEVuPjxJMzIgTj0iS2V5Ij44PC9JMzI+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjEwIj48TVM+PFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+PE9iaiBOPSJWIiBSZWZJZD0iMTEiPjxNUz48STMyIE49IndpZHRoIj4yMzk8L0kzMj48STMyIE49ImhlaWdodCI+OTE8L0kzMj48L01TPjwvT2JqPjwvTVM+PC9PYmo+PC9Fbj48RW4+PEkzMiBOPSJLZXkiPjc8L0kzMj48T2JqIE49IlZhbHVlIiBSZWZJZD0iMTIiPjxNUz48UyBOPSJUIj5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkhvc3QuU2l6ZTwvUz48T2JqIE49IlYiIFJlZklkPSIxMyI+PE1TPjxJMzIgTj0id2lkdGgiPjEyMDwvSTMyPjxJMzIgTj0iaGVpZ2h0Ij45MTwvSTMyPjwvTVM+PC9PYmo+PC9NUz48L09iaj48L0VuPjxFbj48STMyIE49IktleSI+NjwvSTMyPjxPYmogTj0iVmFsdWUiIFJlZklkPSIxNCI+PE1TPjxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5TaXplPC9TPjxPYmogTj0iViIgUmVmSWQ9IjE1Ij48TVM+PEkzMiBOPSJ3aWR0aCI+MTIwPC9JMzI+PEkzMiBOPSJoZWlnaHQiPjUwPC9JMzI+PC9NUz48L09iaj48L01TPjwvT2JqPjwvRW4+PEVuPjxJMzIgTj0iS2V5Ij41PC9JMzI+PE9iaiBOPSJWYWx1ZSIgUmVmSWQ9IjE2Ij48TVM+PFMgTj0iVCI+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5Ib3N0LlNpemU8L1M+PE9iaiBOPSJWIiBSZWZJZD0iMTciPjxNUz48STMyIE49IndpZHRoIj4xMjA8L0kzMj48STMyIE49ImhlaWdodCI+NjAwMDwvSTMyPjwvTVM+PC9PYmo+PC9NUz48L09iaj48L0VuPjxFbj48STMyIE49IktleSI+NDwvSTMyPjxPYmogTj0iVmFsdWUiIFJlZklkPSIxOCI+PE1TPjxTIE49IlQiPlN5c3RlbS5JbnQzMjwvUz48STMyIE49IlYiPjI1PC9JMzI+PC9NUz48L09iaj48L0VuPjxFbj48STMyIE49IktleSI+MzwvSTMyPjxPYmogTj0iVmFsdWUiIFJlZklkPSIxOSI+PE1TPjxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz48T2JqIE49IlYiIFJlZklkPSIyMCI+PE1TPjxJMzIgTj0ieCI+MDwvSTMyPjxJMzIgTj0ieSI+MDwvSTMyPjwvTVM+PC9PYmo+PC9NUz48L09iaj48L0VuPjxFbj48STMyIE49IktleSI+MjwvSTMyPjxPYmogTj0iVmFsdWUiIFJlZklkPSIyMSI+PE1TPjxTIE49IlQiPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSG9zdC5Db29yZGluYXRlczwvUz48T2JqIE49IlYiIFJlZklkPSIyMiI+PE1TPjxJMzIgTj0ieCI+MDwvSTMyPjxJMzIgTj0ieSI+MTc8L0kzMj48L01TPjwvT2JqPjwvTVM+PC9PYmo+PC9Fbj48RW4+PEkzMiBOPSJLZXkiPjE8L0kzMj48T2JqIE49IlZhbHVlIiBSZWZJZD0iMjMiPjxNUz48UyBOPSJUIj5TeXN0ZW0uQ29uc29sZUNvbG9yPC9TPjxJMzIgTj0iViI+MTwvSTMyPjwvTVM+PC9PYmo+PC9Fbj48RW4+PEkzMiBOPSJLZXkiPjA8L0kzMj48T2JqIE49IlZhbHVlIiBSZWZJZD0iMjQiPjxNUz48UyBOPSJUIj5TeXN0ZW0uQ29uc29sZUNvbG9yPC9TPjxJMzIgTj0iViI+NjwvSTMyPjwvTVM+PC9PYmo+PC9Fbj48L0RDVD48L09iaj48L01TPjwvT2JqPjxCIE49Il9pc0hvc3ROdWxsIj5mYWxzZTwvQj48QiBOPSJfaXNIb3N0VUlOdWxsIj5mYWxzZTwvQj48QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj5mYWxzZTwvQj48QiBOPSJfdXNlUnVuc3BhY2VIb3N0Ij5mYWxzZTwvQj48L01TPjwvT2JqPjwvTVM+PC9PYmo+</creationXml>
</rsp:Shell>
</s:Body>
</s:Envelope>
No: 442 | Time: 2020-06-17T09:55:59.073794 | Source: 192.168.56.10 | Destination: 192.168.56.15
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/CreateResponse</a:Action>
<a:MessageID>uuid:5C9A431C-ED94-4014-BC63-2194ADDA7946</a:MessageID>
<p:OperationID s:mustUnderstand="false">uuid:B1D933FF-BF5B-4F11-8254-56352AEE6753</p:OperationID>
<p:SequenceId>1</p:SequenceId>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:2595F3CD-7FCF-4AAF-821F-4F53761FEC3B</a:RelatesTo>
</s:Header>
<s:Body>
<x:ResourceCreated>
<a:Address>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:Address>
<a:ReferenceParameters>
<w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<w:SelectorSet>
<w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector>
</w:SelectorSet>
</a:ReferenceParameters>
</x:ResourceCreated>
<rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell">
<rsp:ShellId>558FB10D-56CD-4377-B555-F1A28E2A645B</rsp:ShellId>
<rsp:Name>WinRM2</rsp:Name>
<rsp:ResourceUri>http://schemas.microsoft.com/powershell/Microsoft.PowerShell</rsp:ResourceUri>
<rsp:Owner>DOMAIN\vagrant-domain</rsp:Owner>
<rsp:ClientIP>192.168.56.15</rsp:ClientIP>
<rsp:ProcessId>3728</rsp:ProcessId>
<rsp:IdleTimeOut>PT7200.000S</rsp:IdleTimeOut>
<rsp:InputStreams>stdin pr</rsp:InputStreams>
<rsp:OutputStreams>stdout</rsp:OutputStreams>
<rsp:MaxIdleTimeOut>PT2147483.647S</rsp:MaxIdleTimeOut>
<rsp:Locale>en-US</rsp:Locale>
<rsp:DataLocale>en-US</rsp:DataLocale>
<rsp:CompressionMode>XpressCompression</rsp:CompressionMode>
<rsp:ProfileLoaded>Yes</rsp:ProfileLoaded>
<rsp:Encoding>UTF8</rsp:Encoding>
<rsp:BufferMode>Block</rsp:BufferMode>
<rsp:State>Connected</rsp:State>
<rsp:ShellRunTime>P0DT0H0M0S</rsp:ShellRunTime>
<rsp:ShellInactivity>P0DT0H0M0S</rsp:ShellInactivity>
</rsp:Shell>
</s:Body>
</s:Envelope>
No: 450 | Time: 2020-06-17T09:55:59.081721 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:B34C549C-309A-4955-93B7-E6FF221F5071</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/>
<p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:8B44178E-4A98-4FAA-B659-AACAE48023FC</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:SelectorSet>
<w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector>
</w:SelectorSet>
<w:OptionSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option>
</w:OptionSet>
<w:OperationTimeout>PT180.000S</w:OperationTimeout>
</s:Header>
<s:Body>
<rsp:Receive xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" SequenceId="0">
<rsp:DesiredStream>stdout</rsp:DesiredStream>
</rsp:Receive>
</s:Body>
</s:Envelope>
No: 452 | Time: 2020-06-17T09:55:59.136652 | Source: 192.168.56.10 | Destination: 192.168.56.15
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action>
<a:MessageID>uuid:3ABBEABD-2C34-4A73-A4A7-313383182C1A</a:MessageID>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<p:OperationID s:mustUnderstand="false">uuid:8B44178E-4A98-4FAA-B659-AACAE48023FC</p:OperationID>
<p:SequenceId>1</p:SequenceId>
<a:RelatesTo>uuid:B34C549C-309A-4955-93B7-E6FF221F5071</a:RelatesTo>
</s:Header>
<s:Body>
<rsp:ReceiveResponse>
<rsp:Stream Name="stdout">3gDeAAAAAAAAAAABAAAAAAAAAAADAAAAygEAAAACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADvu788T2JqIFJlZklkPSIwIj48TVM+PFZlcnNpb24gTj0icHJvdG9jb2x2ZXJzaW9uIj4yLjM8L1ZlcnNpb24+PFZlcnNpb24gTj0iUFNWZXJzaW9uIj4yLjA8L1ZlcnNpb24+PFZlcnNpb24gTj0iU2VyaWFsaXphdGlvblZlcnNpb24iPjEuMS4wLjE8L1ZlcnNpb24+PC9NUz48L09iaj4=</rsp:Stream>
<rsp:Stream Name="stdout">7AUBA5eYkACQAJAACQAAAAAAAAAIBgAAAAkAZmZnhwCJAIYGcGeHAImQeIcHV3eXAICQAFB3VnhYeGVVB2Z1mHAJAAAAAAAAAAAAmQAAAAAAAAAAAAkAAAAAAACQAJAAAJAAkAAAAAAAAJAAAAAAAAkAAAAAAAAAAAAAkJAAAAAAAAAACZkAAAAJAAAAAAAAAAAAAHgAAAAAAAAAlwB4AAAAAAB3B5AACQAAcIYHlpAJkACAh5cHiZAAkGl3mAAACQkAcHeZcJAAkABwBwgAAAAJCYAACAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADpgdzOHD0Q+B46dU7RU+fp6UD7d/yyO3N4TPkl3bujzvU61d/w5Zb4m9aftVskjBog6QuaGK3ZC/o4Q0hEo5yDjBOQxfbYccIJRYfCyrnpOutR/WRweXBTaeLBGGcooYnoFKTDNXNEdAJk7eDjDBTbzlFhsJpuSsll+BCDs4IjbgvWJ5vSDOIL5zsVXUqUdVSK1lXFVaYG1p0GU3F4QYiNITSLkH4lS2wwD6QkFyQJ2LgcR3y9d4cq0b42RfCU1Bzvd7ssHCshEyR2N2Gi8ZTLjLivoi53sHiRFnW4Siy+TIADbhPFDPeV7+LoL/Ox8y00I2wc6tFg34amWXo+QV1pA3Y371grkiLoKqJXQlRFV1WqqjzJJyzZtAU5HqZbi1lFw5QTGTLlbzWDAxdH+vWht9ty3TCKVwNt7V/G6sl19zj7Pb0Nr8O2If9rXB/8BdX3VFHX/xSrGjYYW5kKTQNo0wNsWgN8rAVSRQavvsZyUGUb/qsx5SWL/mU3/Y9gmIoKqqmKpqAwmqZGfwq4cKgSnciQwcsFfbgTBRWOBlwEOFTsUDcDB3jqDBkPf/UPqAUgk0QSAY7RzzLZkGmOI8Z9zigYBTThNgENkDC8fQPH5BVmvpwpBf4cJahJxzPLEcoH5Ebb7h9OvHlgUoNlLtgPRSzG9V/wUZFindNal3aA8wAA</rsp:Stream>
</rsp:ReceiveResponse>
</s:Body>
</s:Envelope>
No: 455 | Time: 2020-06-17T09:55:59.143039 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:E89A80D3-CB67-4F53-97FC-917D5C644074</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/>
<p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:F0FA2B3C-CD37-4B20-B053-B49C4F4C3C6E</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:SelectorSet>
<w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector>
</w:SelectorSet>
<w:OptionSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option>
</w:OptionSet>
<w:OperationTimeout>PT180.000S</w:OperationTimeout>
</s:Header>
<s:Body>
<rsp:Receive xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" SequenceId="0">
<rsp:DesiredStream>stdout</rsp:DesiredStream>
</rsp:Receive>
</s:Body>
</s:Envelope>
No: 457 | Time: 2020-06-17T09:55:59.143611 | Source: 192.168.56.10 | Destination: 192.168.56.15
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action>
<a:MessageID>uuid:C99E58C5-0452-4493-B92A-94FFB091B82D</a:MessageID>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<p:OperationID s:mustUnderstand="false">uuid:F0FA2B3C-CD37-4B20-B053-B49C4F4C3C6E</p:OperationID>
<p:SequenceId>1</p:SequenceId>
<a:RelatesTo>uuid:E89A80D3-CB67-4F53-97FC-917D5C644074</a:RelatesTo>
</s:Header>
<s:Body>
<rsp:ReceiveResponse>
<rsp:Stream Name="stdout">ewB7AAAAAAAAAAADAAAAAAAAAAADAAAAZwEAAAAFEAIADbGPVc1Wd0O1VfGijipkWwAAAAAAAAAAAAAAAAAAAADvu788T2JqIFJlZklkPSIwIj48TVM+PEkzMiBOPSJSdW5zcGFjZVN0YXRlIj4yPC9JMzI+PC9NUz48L09iaj4=</rsp:Stream>
</rsp:ReceiveResponse>
</s:Body>
</s:Envelope>
No: 460 | Time: 2020-06-17T09:55:59.147755 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:1B9B2711-2E52-43F5-B4F4-D01490EEB68C</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/>
<p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:7E82B86B-8428-41F3-BFBB-A02B38069E50</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:SelectorSet>
<w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector>
</w:SelectorSet>
<w:OptionSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<w:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">TRUE</w:Option>
</w:OptionSet>
<w:OperationTimeout>PT180.000S</w:OperationTimeout>
</s:Header>
<s:Body>
<rsp:Receive xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" SequenceId="0">
<rsp:DesiredStream>stdout</rsp:DesiredStream>
</rsp:Receive>
</s:Body>
</s:Envelope>
No: 463 | Time: 2020-06-17T09:55:59.147931 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:29904F44-FFDA-40F9-8C04-98B58AF10186</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/>
<p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:FDD9FD03-1A31-4EF0-8F94-6565E4D3A27F</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
<w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector>
</w:SelectorSet>
<w:OperationTimeout>PT180.000S</w:OperationTimeout>
</s:Header>
<s:Body>
<rsp:CommandLine xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" CommandId="A83C975E-C552-492F-AC78-51FDCC665500">
<rsp:Command>__Set-PSDebugMode</rsp:Command>
<rsp:Arguments>AAAAAAAAAAcAAAAAAAAAAAMAAAmbAgAAAAYQAgANsY9VzVZ3Q7VV8aKOKmRbXpc8qFLFL0mseFH9zGZVAO+7vzxPYmogUmVmSWQ9IjAiPjxNUz48T2JqIE49IlBvd2VyU2hlbGwiIFJlZklkPSIxIj48TVM+PE9iaiBOPSJDbWRzIiBSZWZJZD0iMiI+PFROIFJlZklkPSIwIj48VD5TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNPYmplY3QsIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24sIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1XV08L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxMU1Q+PE9iaiBSZWZJZD0iMyI+PE1TPjxTIE49IkNtZCI+X19TZXQtUFNEZWJ1Z01vZGU8L1M+PEIgTj0iSXNTY3JpcHQiPmZhbHNlPC9CPjxOaWwgTj0iVXNlTG9jYWxTY29wZSIgLz48T2JqIE49Ik1lcmdlTXlSZXN1bHQiIFJlZklkPSI0Ij48VE4gUmVmSWQ9IjEiPjxUPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzLlBpcGVsaW5lUmVzdWx0VHlwZXM8L1Q+PFQ+U3lzdGVtLkVudW08L1Q+PFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD48VD5TeXN0ZW0uT2JqZWN0PC9UPjwvVE4+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VUb1Jlc3VsdCIgUmVmSWQ9IjUiPjxUTlJlZiBSZWZJZD0iMSIgLz48VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+PEkzMj4wPC9JMzI+PC9PYmo+PE9iaiBOPSJNZXJnZVByZXZpb3VzUmVzdWx0cyIgUmVmSWQ9IjYiPjxUTlJlZiBSZWZJZD0iMSIgLz48VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+PEkzMj4wPC9JMzI+PC9PYmo+PE9iaiBOPSJNZXJnZUVycm9yIiBSZWZJZD0iNyI+PFROUmVmIFJlZklkPSIxIiAvPjxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49Ik1lcmdlV2FybmluZyIgUmVmSWQ9IjgiPjxUTlJlZiBSZWZJZD0iMSIgLz48VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+PEkzMj4wPC9JMzI+PC9PYmo+PE9iaiBOPSJNZXJnZVZlcmJvc2UiIFJlZklkPSI5Ij48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VEZWJ1ZyIgUmVmSWQ9IjEwIj48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VJbmZvcm1hdGlvbiIgUmVmSWQ9IjExIj48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iQXJncyIgUmVmSWQ9IjEyIj48VE5SZWYgUmVmSWQ9IjAiIC8+PExTVD48T2JqIFJlZklkPSIxMyI+PE1TPjxTIE49Ik4iPk1vZGU8L1M+PE9iaiBOPSJWIiBSZWZJZD0iMTQiPjxUTiBSZWZJZD0iMiI+PFQ+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5EZWJ1Z01vZGVzPC9UPjxUPlN5c3RlbS5FbnVtPC9UPjxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxUb1N0cmluZz5Mb2NhbFNjcmlwdCwgUmVtb3RlU2NyaXB0PC9Ub1N0cmluZz48STMyPjY8L0kzMj48L09iaj48L01TPjwvT2JqPjwvTFNUPjwvT2JqPjwvTVM+PC9PYmo+PC9MU1Q+PC9PYmo+PEIgTj0iSXNOZXN0ZWQiPmZhbHNlPC9CPjxOaWwgTj0iSGlzdG9yeSIgLz48QiBOPSJSZWRpcmVjdFNoZWxsRXJyb3JPdXRwdXRQaXBlIj50cnVlPC9CPjwvTVM+PC9PYmo+PEIgTj0iTm9JbnB1dCI+dHJ1ZTwvQj48T2JqIE49IkFwYXJ0bWVudFN0YXRlIiBSZWZJZD0iMTUiPjxUTiBSZWZJZD0iMyI+PFQ+U3lzdGVtLlRocmVhZGluZy5BcGFydG1lbnRTdGF0ZTwvVD48VD5TeXN0ZW0uRW51bTwvVD48VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48VG9TdHJpbmc+VW5rbm93bjwvVG9TdHJpbmc+PEkzMj4yPC9JMzI+PC9PYmo+PE9iaiBOPSJSZW1vdGVTdHJlYW1PcHRpb25zIiBSZWZJZD0iMTYiPjxUTiBSZWZJZD0iNCI+PFQ+U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SZW1vdGVTdHJlYW1PcHRpb25zPC9UPjxUPlN5c3RlbS5FbnVtPC9UPjxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxUb1N0cmluZz5BZGRJbnZvY2F0aW9uSW5mbzwvVG9TdHJpbmc+PEkzMj4xNTwvSTMyPjwvT2JqPjxCIE49IkFkZFRvSGlzdG9yeSI+ZmFsc2U8L0I+PE9iaiBOPSJIb3N0SW5mbyIgUmVmSWQ9IjE3Ij48TVM+PEIgTj0iX2lzSG9zdE51bGwiPnRydWU8L0I+PEIgTj0iX2lzSG9zdFVJTnVsbCI+dHJ1ZTwvQj48QiBOPSJfaXNIb3N0UmF3VUlOdWxsIj50cnVlPC9CPjxCIE49Il91c2VSdW5zcGFjZUhvc3QiPnRydWU8L0I+PC9NUz48L09iaj48QiBOPSJJc05lc3RlZCI+ZmFsc2U8L0I+PC9NUz48L09iaj4=</rsp:Arguments>
</rsp:CommandLine>
</s:Body>
</s:Envelope>
No: 465 | Time: 2020-06-17T09:55:59.149289 | Source: 192.168.56.10 | Destination: 192.168.56.15
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandResponse</a:Action>
<a:MessageID>uuid:96742BE4-89C1-48CB-85B7-2FBEF32A26F8</a:MessageID>
<p:OperationID s:mustUnderstand="false">uuid:FDD9FD03-1A31-4EF0-8F94-6565E4D3A27F</p:OperationID>
<p:SequenceId>1</p:SequenceId>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:29904F44-FFDA-40F9-8C04-98B58AF10186</a:RelatesTo>
</s:Header>
<s:Body>
<rsp:CommandResponse>
<rsp:CommandId>A83C975E-C552-492F-AC78-51FDCC665500</rsp:CommandId>
</rsp:CommandResponse>
</s:Body>
</s:Envelope>
No: 472 | Time: 2020-06-17T09:55:59.153543 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:3E492E94-8AD4-4314-A779-FDAC6B14717D</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/>
<p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:7D6EAD8E-4A35-4F5F-8A51-4DB2C589B09E</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
<w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector>
</w:SelectorSet>
<w:OperationTimeout>PT180.000S</w:OperationTimeout>
</s:Header>
<s:Body>
<rsp:Receive xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" SequenceId="0">
<rsp:DesiredStream CommandId="A83C975E-C552-492F-AC78-51FDCC665500">stdout</rsp:DesiredStream>
</rsp:Receive>
</s:Body>
</s:Envelope>
No: 474 | Time: 2020-06-17T09:55:59.154999 | Source: 192.168.56.10 | Destination: 192.168.56.15
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action>
<a:MessageID>uuid:4EC0ACC6-745A-41BD-BB9A-F89EE15BC6BC</a:MessageID>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<p:OperationID s:mustUnderstand="false">uuid:7D6EAD8E-4A35-4F5F-8A51-4DB2C589B09E</p:OperationID>
<p:SequenceId>1</p:SequenceId>
<a:RelatesTo>uuid:3E492E94-8AD4-4314-A779-FDAC6B14717D</a:RelatesTo>
</s:Header>
<s:Body>
<rsp:ReceiveResponse>
<rsp:Stream Name="stdout" CommandId="A83C975E-C552-492F-AC78-51FDCC665500">ewB7AAAAAAAAAAAEAAAAAAAAAAADAAAAZwEAAAAGEAQADbGPVc1Wd0O1VfGijipkW16XPKhSxS9JrHhR/cxmVQDvu788T2JqIFJlZklkPSIwIj48TVM+PEkzMiBOPSJQaXBlbGluZVN0YXRlIj40PC9JMzI+PC9NUz48L09iaj4=</rsp:Stream>
<rsp:CommandState CommandId="A83C975E-C552-492F-AC78-51FDCC665500" State="http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandState/Done">
<rsp:ExitCode>0</rsp:ExitCode>
</rsp:CommandState>
</rsp:ReceiveResponse>
</s:Body>
</s:Envelope>
No: 477 | Time: 2020-06-17T09:55:59.158435 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:57EA35DC-AF07-4D4B-A755-12B3F549EF80</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/>
<p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:4D136523-94CF-4219-989A-279FB46D777C</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
<w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector>
</w:SelectorSet>
<w:OperationTimeout>PT60.000S</w:OperationTimeout>
</s:Header>
<s:Body>
<rsp:Signal xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" CommandId="A83C975E-C552-492F-AC78-51FDCC665500">
<rsp:Code>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate</rsp:Code>
</rsp:Signal>
</s:Body>
</s:Envelope>
No: 479 | Time: 2020-06-17T09:55:59.159444 | Source: 192.168.56.10 | Destination: 192.168.56.15
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/SignalResponse</a:Action>
<a:MessageID>uuid:4E12E017-DCE7-4A86-8F1A-47D1FA7A6FAA</a:MessageID>
<p:OperationID s:mustUnderstand="false">uuid:4D136523-94CF-4219-989A-279FB46D777C</p:OperationID>
<p:SequenceId>1</p:SequenceId>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:57EA35DC-AF07-4D4B-A755-12B3F549EF80</a:RelatesTo>
</s:Header>
<s:Body>
<rsp:SignalResponse/>
</s:Body>
</s:Envelope>
No: 481 | Time: 2020-06-17T09:55:59.163963 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:83E39A98-0D9D-4035-B0A1-627AE99C8A01</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/>
<p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:505C5B47-734C-4111-B0D9-5ADE2E736E6F</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
<w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector>
</w:SelectorSet>
<w:OperationTimeout>PT180.000S</w:OperationTimeout>
</s:Header>
<s:Body>
<rsp:CommandLine xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">
<rsp:Command>hostname.exe</rsp:Command>
<rsp:Arguments>AAAAAAAAAAgAAAAAAAAAAAMAAAh8AgAAAAYQAgANsY9VzVZ3Q7VV8aKOKmRbV92jJFrsq0uXzOfJXOAXR++7vzxPYmogUmVmSWQ9IjAiPjxNUz48T2JqIE49IlBvd2VyU2hlbGwiIFJlZklkPSIxIj48TVM+PE9iaiBOPSJDbWRzIiBSZWZJZD0iMiI+PFROIFJlZklkPSIwIj48VD5TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUFNPYmplY3QsIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24sIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1XV08L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxMU1Q+PE9iaiBSZWZJZD0iMyI+PE1TPjxTIE49IkNtZCI+aG9zdG5hbWUuZXhlPC9TPjxCIE49IklzU2NyaXB0Ij5mYWxzZTwvQj48TmlsIE49IlVzZUxvY2FsU2NvcGUiIC8+PE9iaiBOPSJNZXJnZU15UmVzdWx0IiBSZWZJZD0iNCI+PFROIFJlZklkPSIxIj48VD5TeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlJ1bnNwYWNlcy5QaXBlbGluZVJlc3VsdFR5cGVzPC9UPjxUPlN5c3RlbS5FbnVtPC9UPjxUPlN5c3RlbS5WYWx1ZVR5cGU8L1Q+PFQ+U3lzdGVtLk9iamVjdDwvVD48L1ROPjxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49Ik1lcmdlVG9SZXN1bHQiIFJlZklkPSI1Ij48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VQcmV2aW91c1Jlc3VsdHMiIFJlZklkPSI2Ij48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VFcnJvciIgUmVmSWQ9IjciPjxUTlJlZiBSZWZJZD0iMSIgLz48VG9TdHJpbmc+Tm9uZTwvVG9TdHJpbmc+PEkzMj4wPC9JMzI+PC9PYmo+PE9iaiBOPSJNZXJnZVdhcm5pbmciIFJlZklkPSI4Ij48VE5SZWYgUmVmSWQ9IjEiIC8+PFRvU3RyaW5nPk5vbmU8L1RvU3RyaW5nPjxJMzI+MDwvSTMyPjwvT2JqPjxPYmogTj0iTWVyZ2VWZXJib3NlIiBSZWZJZD0iOSI+PFROUmVmIFJlZklkPSIxIiAvPjxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49Ik1lcmdlRGVidWciIFJlZklkPSIxMCI+PFROUmVmIFJlZklkPSIxIiAvPjxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49Ik1lcmdlSW5mb3JtYXRpb24iIFJlZklkPSIxMSI+PFROUmVmIFJlZklkPSIxIiAvPjxUb1N0cmluZz5Ob25lPC9Ub1N0cmluZz48STMyPjA8L0kzMj48L09iaj48T2JqIE49IkFyZ3MiIFJlZklkPSIxMiI+PFROUmVmIFJlZklkPSIwIiAvPjxMU1QgLz48L09iaj48L01TPjwvT2JqPjwvTFNUPjwvT2JqPjxCIE49IklzTmVzdGVkIj5mYWxzZTwvQj48TmlsIE49Ikhpc3RvcnkiIC8+PEIgTj0iUmVkaXJlY3RTaGVsbEVycm9yT3V0cHV0UGlwZSI+dHJ1ZTwvQj48L01TPjwvT2JqPjxCIE49Ik5vSW5wdXQiPnRydWU8L0I+PE9iaiBOPSJBcGFydG1lbnRTdGF0ZSIgUmVmSWQ9IjEzIj48VE4gUmVmSWQ9IjIiPjxUPlN5c3RlbS5UaHJlYWRpbmcuQXBhcnRtZW50U3RhdGU8L1Q+PFQ+U3lzdGVtLkVudW08L1Q+PFQ+U3lzdGVtLlZhbHVlVHlwZTwvVD48VD5TeXN0ZW0uT2JqZWN0PC9UPjwvVE4+PFRvU3RyaW5nPlVua25vd248L1RvU3RyaW5nPjxJMzI+MjwvSTMyPjwvT2JqPjxPYmogTj0iUmVtb3RlU3RyZWFtT3B0aW9ucyIgUmVmSWQ9IjE0Ij48VE4gUmVmSWQ9IjMiPjxUPlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUmVtb3RlU3RyZWFtT3B0aW9uczwvVD48VD5TeXN0ZW0uRW51bTwvVD48VD5TeXN0ZW0uVmFsdWVUeXBlPC9UPjxUPlN5c3RlbS5PYmplY3Q8L1Q+PC9UTj48VG9TdHJpbmc+MDwvVG9TdHJpbmc+PEkzMj4wPC9JMzI+PC9PYmo+PEIgTj0iQWRkVG9IaXN0b3J5Ij50cnVlPC9CPjxPYmogTj0iSG9zdEluZm8iIFJlZklkPSIxNSI+PE1TPjxCIE49Il9pc0hvc3ROdWxsIj50cnVlPC9CPjxCIE49Il9pc0hvc3RVSU51bGwiPnRydWU8L0I+PEIgTj0iX2lzSG9zdFJhd1VJTnVsbCI+dHJ1ZTwvQj48QiBOPSJfdXNlUnVuc3BhY2VIb3N0Ij50cnVlPC9CPjwvTVM+PC9PYmo+PEIgTj0iSXNOZXN0ZWQiPmZhbHNlPC9CPjwvTVM+PC9PYmo+</rsp:Arguments>
</rsp:CommandLine>
</s:Body>
</s:Envelope>
No: 483 | Time: 2020-06-17T09:55:59.165128 | Source: 192.168.56.10 | Destination: 192.168.56.15
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandResponse</a:Action>
<a:MessageID>uuid:33A9C485-92AA-49EA-A7EA-42509B473BAD</a:MessageID>
<p:OperationID s:mustUnderstand="false">uuid:505C5B47-734C-4111-B0D9-5ADE2E736E6F</p:OperationID>
<p:SequenceId>1</p:SequenceId>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:83E39A98-0D9D-4035-B0A1-627AE99C8A01</a:RelatesTo>
</s:Header>
<s:Body>
<rsp:CommandResponse>
<rsp:CommandId>24A3DD57-EC5A-4BAB-97CC-E7C95CE01747</rsp:CommandId>
</rsp:CommandResponse>
</s:Body>
</s:Envelope>
No: 485 | Time: 2020-06-17T09:55:59.165734 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:E58D741B-13D7-4873-B917-EB2D0F448CAE</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/>
<p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:B2AF0AEE-CF60-4A9D-9C42-C46345606A67</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
<w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector>
</w:SelectorSet>
<w:OperationTimeout>PT180.000S</w:OperationTimeout>
</s:Header>
<s:Body>
<rsp:Receive xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" SequenceId="0">
<rsp:DesiredStream CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">stdout</rsp:DesiredStream>
</rsp:Receive>
</s:Body>
</s:Envelope>
No: 488 | Time: 2020-06-17T09:55:59.227710 | Source: 192.168.56.10 | Destination: 192.168.56.15
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/ReceiveResponse</a:Action>
<a:MessageID>uuid:96C70707-29B2-426D-8FF7-030F57D74158</a:MessageID>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<p:OperationID s:mustUnderstand="false">uuid:B2AF0AEE-CF60-4A9D-9C42-C46345606A67</p:OperationID>
<p:SequenceId>1</p:SequenceId>
<a:RelatesTo>uuid:E58D741B-13D7-4873-B917-EB2D0F448CAE</a:RelatesTo>
</s:Header>
<s:Body>
<rsp:ReceiveResponse>
<rsp:Stream Name="stdout" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">GQIWAoeIiAAAAIAABwAAgAAAAAAGBggAAAiAZneIAAAAAHYFcHCIgHCAcHYHZ3aHAIgIAFBnRndQB2ZWBlVliHAAAAAAAAAAAAAAiAAAAIAAAAAAAIgAAACAAACAAIAAAIAAgAAAAACAAIgAAAAAAAAAgAAIAACAAAAIgIAAAAAAAAAACIgAAAAAAAAAAAAAAAAAAAcAAAAAAAAACACAAAAAAACHB4AAAIAAAIYHAACHAACAiAAHCIAAAABmCHAACAAAAIgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADfkWyRxu4jkSMXwBOTySOPgyenbl013Jk7NXY3G7PU1t7n1cvf6tzT6eXX5Mro69Lj4o1aKWsKU9vznJjEpAa1swQvCTkxIK0Em6RFSMX4wEfMJKxb6cCBVTpkypCrQsccUFkUaVg/P9o729NSTFaWYOOEPRANQB/RDvqIVwgSk7JXHLkE9QzoeWBfFA4DpO/Sr4e0f+XmbcDLtuWA8ELNxTn3dQEBMXyE39osE3yiw1pcXxlHx5HZaDEH6KBUhzcdYDH4sEmuIAz+kVJgi3PABtNmikz+Vlnbb+hF9B2jKgByTPeBQwBdpFlF5F6ElfkbWGg3XTxyO9LDolghdHeco0LEbh7uIY+Mv0IK3uD/RquRtYB2AAA=</rsp:Stream>
<rsp:Stream Name="stdout" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">pAOdApeQCQkAAJAAkAAAkAAAAAAGBQkAAAmAZnd3CAkAAIYFcHCZkGmQeHcHZ4aIAJkJAFBoRndZCFZWBlVlmXAAAAAAAAAAAAAAmQkAAJAAAAAAAJkAAACQAACQAJAAAJAAkAAAAACQAJkAAAAAAAAAkAAJAACQAAAJkJAAAAAAAAAACZkAAAAAAAAJAAAAAAAAAAcAAAAAAAAAB5CZAAAAAACXCIAJAIAAAIaXkAmXAAAAhgiZCZAAAABXmICYCQAAAHgHgJkAAAAAkAAIAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADrnd3hXD1nH8CvZ7x4cbhTzp13tj+LU6mdu+zoefV0EDw0rn0/P9vNduc+PAdfyUfmxvt59t3o6zHpLWQGOadgbYh01blty8m2Yp9ghyhClfZ8vtrAI+ybi2IK58ES3uqt/YbnxO0MqFLNS0RgYEyJkdMxR1MUzcQxkFjU+61zSJVOBVWPdJAD0zZ/2IrLakN5lpAhuR5qGH29IB1afdNor9XdySZSeogqCMKCbQ+UAM3fbUhUykVHL3XaBg+YqN3t9lxRu806W/k+PFTNMCmeZukQmplLT6UP6HPQKCHTtK5kt2s0lhNKd2/H2OXsnCm4q+roU8GOmVWZQ3CAsIuMwWIEj4KQtFgxdKhomEogkW3LR0tRKdn6BMirPQc7orpEKoHyoC+tsYaQDMYs1sA6IqkRELwqjGAClK9htsLwCcu/S3mufdflgQDKD4c6cDSDglcIUH6u46n+4mX+0chSusG+X90sBLK8nQ9rELiZhpvi26c9MPNfoubuLntK8L7zeudcCHEMisxDxUL/Khqcg8dr8jtZ0z3+4gCQAAA=</rsp:Stream>
<rsp:Stream Name="stdout" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">SgBKAAAAAAAAAAAHAAAAAAAAAAADAAAANgEAAAAEEAQADbGPVc1Wd0O1VfGijipkW1fdoyRa7KtLl8znyVzgF0fvu788Uz5EQzAxPC9TPg==</rsp:Stream>
<rsp:Stream Name="stdout" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">ewB7AAAAAAAAAAAIAAAAAAAAAAADAAAAZwEAAAAGEAQADbGPVc1Wd0O1VfGijipkW1fdoyRa7KtLl8znyVzgF0fvu788T2JqIFJlZklkPSIwIj48TVM+PEkzMiBOPSJQaXBlbGluZVN0YXRlIj40PC9JMzI+PC9NUz48L09iaj4=</rsp:Stream>
<rsp:CommandState CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747" State="http://schemas.microsoft.com/wbem/wsman/1/windows/shell/CommandState/Done">
<rsp:ExitCode>0</rsp:ExitCode>
</rsp:CommandState>
</rsp:ReceiveResponse>
</s:Body>
</s:Envelope>
No: 491 | Time: 2020-06-17T09:55:59.230493 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:D35B51DE-F473-4E89-B1BD-918E2EE654D5</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/>
<p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:C97884B3-1448-4F74-8DA8-A9C0408ECA45</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
<w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector>
</w:SelectorSet>
<w:OperationTimeout>PT60.000S</w:OperationTimeout>
</s:Header>
<s:Body>
<rsp:Signal xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" CommandId="24A3DD57-EC5A-4BAB-97CC-E7C95CE01747">
<rsp:Code>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate</rsp:Code>
</rsp:Signal>
</s:Body>
</s:Envelope>
No: 493 | Time: 2020-06-17T09:55:59.231205 | Source: 192.168.56.10 | Destination: 192.168.56.15
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/SignalResponse</a:Action>
<a:MessageID>uuid:E98C8069-93FB-4307-B7AD-98CA428DEC51</a:MessageID>
<p:OperationID s:mustUnderstand="false">uuid:C97884B3-1448-4F74-8DA8-A9C0408ECA45</p:OperationID>
<p:SequenceId>1</p:SequenceId>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:D35B51DE-F473-4E89-B1BD-918E2EE654D5</a:RelatesTo>
</s:Header>
<s:Body>
<rsp:SignalResponse/>
</s:Body>
</s:Envelope>
No: 496 | Time: 2020-06-17T09:55:59.232122 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://192.168.56.10:5985/wsman?PSVersion=5.1.17763.1007</a:To>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
<a:MessageID>uuid:B107343F-C104-4F86-AF92-DB4211042668</a:MessageID>
<w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-US" s:mustUnderstand="false"/>
<p:SessionId s:mustUnderstand="false">uuid:F5305557-5C06-49E4-8A36-1A26A8DCB91B</p:SessionId>
<p:OperationID s:mustUnderstand="false">uuid:D40E8931-D63F-4726-A209-41C09D417D73</p:OperationID>
<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
<w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>
<w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
<w:Selector Name="ShellId">558FB10D-56CD-4377-B555-F1A28E2A645B</w:Selector>
</w:SelectorSet>
<w:OperationTimeout>PT60.000S</w:OperationTimeout>
</s:Header>
<s:Body/>
</s:Envelope>
No: 501 | Time: 2020-06-17T09:55:59.232929 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/FullDuplex</w:ResourceURI>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/Cancel</a:Action>
<a:MessageID>uuid:F1323350-117A-4590-B109-CC60C3CFC0D4</a:MessageID>
<p:OperationID>uuid:7E82B86B-8428-41F3-BFBB-A02B38069E50</p:OperationID>
</s:Header>
<s:Body/>
</s:Envelope>
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/FullDuplex</w:ResourceURI>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/End</a:Action>
<a:MessageID>uuid:BF473A4D-1FF7-4713-B9C5-C4FF8DEE8A93</a:MessageID>
<p:OperationID>uuid:7E82B86B-8428-41F3-BFBB-A02B38069E50</p:OperationID>
</s:Header>
<s:Body/>
</s:Envelope>
No: 503 | Time: 2020-06-17T09:55:59.232977 | Source: 192.168.56.10 | Destination: 192.168.56.15
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.dmtf.org/wbem/wsman/1/wsman/fault</a:Action>
<a:MessageID>uuid:BD37AB1A-09D4-4A6C-B3B3-9D9B5293E2F1</a:MessageID>
<p:OperationID s:mustUnderstand="false">uuid:7E82B86B-8428-41F3-BFBB-A02B38069E50</p:OperationID>
<p:SequenceId>1</p:SequenceId>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:1B9B2711-2E52-43F5-B4F4-D01490EEB68C</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<s:Code>
<s:Value>s:Receiver</s:Value>
<s:Subcode>
<s:Value>w:InternalError</s:Value>
</s:Subcode>
</s:Code>
<s:Reason>
<s:Text xml:lang="en-US">The I/O operation has been aborted because of either a thread exit or an application request. </s:Text>
</s:Reason>
<s:Detail>
<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="995" Machine="192.168.56.10">
<f:Message>The I/O operation has been aborted because of either a thread exit or an application request. </f:Message>
</f:WSManFault>
</s:Detail>
</s:Fault>
</s:Body>
</s:Envelope>
No: 505 | Time: 2020-06-17T09:55:59.233120 | Source: 192.168.56.10 | Destination: 192.168.56.15
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/DeleteResponse</a:Action>
<a:MessageID>uuid:8E095740-03D9-440F-ADA1-FBDB225A5C20</a:MessageID>
<p:OperationID s:mustUnderstand="false">uuid:D40E8931-D63F-4726-A209-41C09D417D73</p:OperationID>
<p:SequenceId>1</p:SequenceId>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:B107343F-C104-4F86-AF92-DB4211042668</a:RelatesTo>
</s:Header>
<s:Body/>
</s:Envelope>
No: 516 | Time: 2020-06-17T09:55:59.240583 | Source: 192.168.56.15 | Destination: 192.168.56.10
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/FullDuplex</w:ResourceURI>
<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wsman/End</a:Action>
<a:MessageID>uuid:7AD298D1-EFCD-48D3-B894-F5B08E8241C8</a:MessageID>
<p:OperationID>uuid:D40E8931-D63F-4726-A209-41C09D417D73</p:OperationID>
</s:Header>
<s:Body/>
</s:Envelope>
@h4sh5
Copy link

h4sh5 commented Nov 21, 2021

FYI: was using this for a CTF which did not work (with the same error @rareguy bumped into). Fixed that in a fork (made a proper repo this time), including the same license and reference to your gist :

https://github.com/h4sh5/decrypt-winrm

@rareguy
Copy link

rareguy commented Nov 26, 2021

Update: seems like that error was caused by wrong hash/password

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment