Cannot validate argument on parameter 'Session'.

Open infosecwatchman opened this issue 5 years ago • 9 comments

I ran

PS C:\Tools\Kansa-master> ls -r *.ps1 | Unblock-File
PS C:\Tools\Kansa-master> Set-ExecutionPolicy Unrestricted
PS C:\Tools> streams -sd .\Kansa-master\ #I have SysInternals on my Path
PS C:\Tools\Kansa-master> .\kansa.ps1 -Target $env:COMPUTERNAME -ModulePath .\Modules -Verbose

But it errors out saying:

VERBOSE: Found .\Modules\Modules.conf.
VERBOSE: Running modules:
Get-PrefetchListing
Get-WMIRecentApps
Get-Netstat
Get-DNSCache
Get-ProcsWMI
Get-LogUserAssist
Get-SvcFail
Get-SvcTrigs
Get-WMIEvtFilter
Get-WMIFltConBind
Get-WMIEvtConsumer
Get-PSProfiles
Get-SchedTasks
Get-File
Get-LocalAdmins
VERBOSE: Found logging.conf
Caught: Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
Script completed with warnings or errors. See C:\Tools\Kansa-master\Output_20190313154552\Error.Log for details.

Here are the contents of the error log.

Connecting to remote server **** failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
Exit-Script function was passed an error, this may be a duplicate that wasn't previously cleared, or Kansa.ps1 has crashed.
Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

infosecwatchman avatar Mar 13 '19 19:03 infosecwatchman

  1. Did you enable PSRemoting on the target? Run 'Enable-PSRemoting -SkipNetworkProfileCheck -Force' just to make sure.
  2. Try running with the -Credential switch. '.\kansa.ps1 -Target $env:COMPUTERNAME -Credential (Get-Credential) -ModulePath .\Modules -Verbose'.

Also, you can ditch the -ModulePath parameter... Kansa will reference modules.conf automatically.

dmoore44 avatar Mar 14 '19 02:03 dmoore44

I still have the same error, even with the Get-Credential option added, and rerunning 'Enable-PSRemoting -SkipNetworkProfileCheck -Force'. I don't have to specify the computer name as long as I am running it for the local machine, right? I looked at the log, and it had my local machine's computer name, so I'm assuming it works like that. @dmoore44

infosecwatchman avatar Mar 18 '19 17:03 infosecwatchman

Alright, a few other things...

  • Kansa works by establishing remote connections with New-PSSession. New-PSSession establishes connections with remote machines via WinRM, so, by specifying a target of localhost or $env:COMPUTERNAME, you're attempting to connect to your local machine via WinRM.

  • As such, you'll need a few things: check your Windows Firewall config - you'll need to make sure there's a firewall allow rule for the WinRM service. Then make sure the WinRM service is running (Get-Service winrm)

  • Try running winrm quickconfig to configure the WinRM service.

  • Examine the output of winrm get winrm/config - is your machine's name listed as a Trusted Host?

  • The readme.md file states that Kansa should be run with an account with admin privileges - does the account you're using have the proper privileges to log on remotely?

dmoore44 avatar Mar 19 '19 15:03 dmoore44

WinRM is running and configured, and I am a local administrator on the two machines I am trying to get data off of. I am looking at the trusted hosts, and my IP address is listed but not my machine name; does that make a difference? And I'm pretty sure winrm quickconfig adds the appropriate firewall rules; please correct me if I'm wrong. @dmoore44

infosecwatchman avatar Mar 19 '19 15:03 infosecwatchman

Try setting your Trusted Hosts with this command: winrm s winrm/config/client '@{TrustedHosts="*"}'

In my test environment, I have Trusted Hosts set as above and I can Kansa my local machine using $env:COMPUTERNAME. I would recommend against that in a production environment - you'd want to have the machine you intend to run Kansa from set as the Trusted Host.

In terms of troubleshooting... can you successfully connect to the machine with New-PSSession? New-PSSession -ComputerName $env:COMPUTERNAME -Credential (Get-Credential)

dmoore44 avatar Mar 19 '19 16:03 dmoore44

Didn't work. I tried setting the winrm with my computer name and by *. Here are my errors; I'm researching the second error as well. @dmoore44

PS C:\Tools\Kansa> .\kansa.ps1 -Target $env:COMPUTERNAME -Credential (Get-Credential) -ModulePath .\Modules -Verbose

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
VERBOSE: Found .\Modules\Modules.conf.
VERBOSE: Running modules:
Get-PrefetchListing
Get-WMIRecentApps
Get-Netstat
Get-DNSCache
Get-ProcsWMI
Get-LogUserAssist
Get-SvcFail
Get-SvcTrigs
Get-WMIEvtFilter
Get-WMIFltConBind
Get-WMIEvtConsumer
Get-PSProfiles
Get-SchedTasks
Get-File
Get-LocalAdmins
VERBOSE: Found logging.conf
Caught: Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
Script completed with warnings or errors. See C:\Tools\Kansa\Output_20190319162322\Error.Log for details.
PS C:\Tools\Kansa> New-PSSession -ComputerName $env:COMPUTERNAME -Credential (Get-Credential)

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
New-PSSession : ****** Connecting to remote server ****** failed with the following error message : The
WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.
For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ComputerName $env:COMPUTERNAME -Credential (Get-Creden ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : RemoteSessionDisallowed,PSSessionOpenFailed
PS C:\Tools\Kansa>

infosecwatchman avatar Mar 20 '19 20:03 infosecwatchman

Investigate your WS-man service config...

Run Get-Item WSMan:\localhost\Shell\AllowRemoteShellAccess - if the return value is False (or anything other than True), you'll need to configure your local group policy to allow remote shell access. You can do that with GPOE by navigating to Computer Configuration > Administrative Templates > Windows Components > Windows Remote Shell > Allow Remote Shell Access

dmoore44 avatar Mar 20 '19 20:03 dmoore44
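
The checks suggested across this thread (WinRM service, listener, AllowRemoteShellAccess, Trusted Hosts, a test New-PSSession), collected into one read-only preflight. This is an added example, not part of Kansa or of any comment here; the function names Get-WSManValue and Test-KansaWinRMPreflight are hypothetical, and the WSMan: drive values describe the machine the script runs on.

```powershell
# Added example; Get-WSManValue and Test-KansaWinRMPreflight are hypothetical names.
function Get-WSManValue([string]$Path) {
    # WSMan: drive reads fail when WinRM is stopped or the prompt is not elevated.
    try { (Get-Item -Path $Path -ErrorAction Stop).Value } catch { $null }
}

function Test-KansaWinRMPreflight {
    param(
        [string]$Target = $env:COMPUTERNAME,
        [System.Management.Automation.PSCredential]$Credential
    )
    $r = [ordered]@{ Target = $Target }

    # WinRM service state (the Get-Service winrm check from the thread).
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $r.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # At least one listener must exist; winrm quickconfig creates one.
    $r.ListenerCount = try {
        @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction Stop).Count
    } catch { 0 }

    # The policy-backed setting behind RemoteSessionDisallowed.
    $r.AllowRemoteShellAccess = ("$(Get-WSManValue 'WSMan:\localhost\Shell\AllowRemoteShellAccess')" -eq 'true')

    # Report TrustedHosts and flag the wildcard that suits only a test environment.
    $trusted = "$(Get-WSManValue 'WSMan:\localhost\Client\TrustedHosts')"
    $r.TrustedHosts = $trusted
    $r.TrustedHostsWildcard = ($trusted -eq '*')

    # Does the WS-Management endpoint on the target answer at all?
    try { $null = Test-WSMan -ComputerName $Target -ErrorAction Stop; $r.WSManResponds = $true }
    catch { $r.WSManResponds = $false }

    # Final check: the same New-PSSession call suggested for troubleshooting.
    $sessionArgs = @{ ComputerName = $Target; ErrorAction = 'Stop' }
    if ($Credential) { $sessionArgs.Credential = $Credential }
    try {
        $session = New-PSSession @sessionArgs
        Remove-PSSession -Session $session
        $r.SessionOpened = $true
    } catch {
        $r.SessionOpened = $false
        $r.SessionError  = $_.FullyQualifiedErrorId
    }
    [pscustomobject]$r
}

Test-KansaWinRMPreflight | Format-List
```

A result with SessionOpened = False and SessionError containing RemoteSessionDisallowed alongside AllowRemoteShellAccess = False matches the failure shown in this thread.
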

The policy was false, great fix! Works great now, thanks!!

infosecwatchman avatar Mar 20 '19 20:03 infosecwatchman

I had similar issues when running on my own machine, but whenever I gave it a targetlist or target of another machine, all was fine. So for testing purposes (on self) the above fix helps, but for other machines this is a moot error.

Also today I noticed it doing this when I gave it one target as opposed to a list. But I have been tweaking the code like crazy just to even run it at all. So it may have been my fault.

Skwerl23 avatar Aug 14 '19 22:08 Skwerl23