[Modules] - NTLMv1 - Enhanced ntlmv1 module to perform checks without admin rights #260
Conversation
@MrrRaph sorry, maybe I'm not understanding, but how does this differ from the petitpotam module? The ntlmv1 module is just there to check if ntlmv1 is enabled.
@Marshall-Hallenbeck, the ntlmv1 module is only capable of checking if ntlmv1 is enabled when you have administrative rights on the targeted computer (or are able to remotely read registry keys). It completely differs from the petitpotam module, since the petitpotam module only performs a check on the remote pipe response to an attempt to execute a remote procedure call, and the petitpotam module does not check that the targeted computer is effectively authenticating to the listener host; hence, it is only used to check, barely, if a DC is vulnerable to Pre-Authenticated PetitPotam (which comes with a CVE/fix from MS: CVE-2022-26925, CVE-2021-36942...). I hope you understand my point and the differences between those modules and the purpose of my addition to this module :)
For this to work you need:
I see some Process(...) in the code also :'(
@mpgn Yes, not necessarily running as sudo, but at least with CAP_NET_ADMIN to be able to listen on 445 (since it's a privileged port).
@MrrRaph If anything, this should be its own module, not a rewrite of the ntlmv1 module. This is essentially just auto-exploiting the petitpotam vuln, which is nice, but I think it'd be better if you just updated that module to allow for the listening server... it'd make way more sense to me. @mpgn do you agree with that?
@Marshall-Hallenbeck I understand your point, but for me it made sense to write it inside this module since it is related to it. But when you do not have administrative rights on the targeted computer, you will need to exploit the vulnerability (without the knowledge that the computer will effectively answer back with an NTLMv1 challenge); it is this case that I thought could be integrated into the module to auto-exploit multiple targets.
Hi, imo this is a really cool idea! NetExec already has an smbserver integration, although as far as I know it has never been used before :D Maybe this could be a solution to the problem? Regarding the coercion, I am not sure how this should be handled properly, as there is a lot of potential with all the other coercion techniques. Maybe a solution could be, as soon as #300 is merged, to first start the SMB server in this module and second chain it together with the coercion module? (Obviously with a clear description of what the module does, so everybody is aware of the coercions, perhaps behind a module option)
Agreed, closing this one :)
The implementation of the ntlmv1 module was only usable when we had admin rights or were able to perform Remote Registry operations, hence it was not useful when you were trying to exploit/check the vulnerability before compromising the computer.

I refactored the module to perform, first, the remote operations, falling back to exploitation when a `DCERPCException` is raised. The way I implemented it will set up an SMB server and trigger an authentication with `efs_rpc_open_file_raw`, each in a new process to be able to stop them easily. However, the code is not perfect, especially where inter-process communication is needed; I just developed it and wanted to share it in case someone has ideas to improve it. Currently, it is no longer possible to run it against multiple targets in parallel due to the SMB server that is started (which cannot be started since tcp/445 is busy).
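The check the listening SMB server has to make on the captured authentication, as an added example that is not code from this PR or from NetExec: it parses the NTLMSSP AUTHENTICATE_MESSAGE (field offsets per MS-NLMP 2.2.1.3) and tells NTLMv1 from NTLMv2 by the length of the NT response, flagging the NTLMv1 extended-session-security variant separately. `build_authenticate` is a constructed helper that fabricates minimal test messages; the same classifier works on NTLMSSP blobs pulled from a pcap or an SMB/HTTP server log when auditing which clients still send NTLMv1.

```python
import struct

# NegotiateFlags bit for NTLM2 session security (ESS), MS-NLMP 2.2.2.5.
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000


def _field(msg: bytes, offset: int) -> bytes:
    """Read an NTLMSSP (Len, MaxLen, BufferOffset) descriptor and return its payload."""
    length, _maxlen, off = struct.unpack_from("<HHI", msg, offset)
    if off + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[off:off + length]


def classify_ntlm_authenticate(msg: bytes) -> str:
    """Classify a type 3 (AUTHENTICATE) message as anonymous, NTLMv1, NTLMv1-ESS or NTLMv2.

    Fixed layout: Signature@0, MessageType@8, LmChallengeResponseFields@12,
    NtChallengeResponseFields@20, NegotiateFlags@60.
    """
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    nt_resp = _field(msg, 20)
    flags = struct.unpack_from("<I", msg, 60)[0]
    if len(nt_resp) == 0:
        return "anonymous"          # null session, nothing to assess
    if len(nt_resp) == 24:
        # A 24-byte NtChallengeResponse is three DES blocks over the NT hash: NTLMv1.
        if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
            return "NTLMv1-ESS"     # client nonce mixed in, still the NTLMv1 family
        return "NTLMv1"
    # NTLMv2_RESPONSE = 16-byte HMAC-MD5 + NTLMv2_CLIENT_CHALLENGE, always longer than 24.
    return "NTLMv2"


def build_authenticate(nt_resp: bytes, flags: int, lm_resp: bytes = b"\x00" * 24) -> bytes:
    """Constructed test data: a minimal AUTHENTICATE_MESSAGE carrying only the two responses.

    Header is 88 bytes (through Version and MIC); domain, user, workstation and
    session-key descriptors are left empty and point at the end of the message.
    """
    header_len = 88
    payload = lm_resp + nt_resp
    fields = struct.pack("<HHI", len(lm_resp), len(lm_resp), header_len)
    fields += struct.pack("<HHI", len(nt_resp), len(nt_resp), header_len + len(lm_resp))
    end = header_len + len(payload)
    fields += struct.pack("<HHI", 0, 0, end) * 4
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + fields
            + struct.pack("<I", flags) + b"\x00" * 8 + b"\x00" * 16 + payload)
```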