Implementation of AD CS attack in ntlmrelayx.py #1101
well this worked for me 👍

Seconding @fsacer. This worked for me on a penetration test. I had some issues with Rubeus, but the ADCS attack worked fine. I think a good extension of this would be to add the Apart from log-spam/opsec, this is a remediation papercut for penetration test customers.

What issue did you have on Rubeus? I'm running into several issues like error 75 (KDC_ERR_CLIENT_NAME_MISMATCH) or 16 (KDC_ERR_PADATA_TYPE_NOSUPP)

I was having KRB error 62 (KDC_ERR_CLIENT_NOT_TRUSTED) when trying to asktgt with the certificate as auth.

Same here. Facing the UPD. It appears that the As for the

Anyone ran into this error message? `AttributeError: 'NTLMRelayxConfig' object has no attribute 'setIsADCSAttack'` Got that after running:

```
python3 ntlmrelayx.py -t http://ca01.domain.com/certsrv/certfnsh.asp -smb2support --adcs
```

me too

Make sure you've installed the patched impacket library from this commit or the fork.
I'm running into the same issue. Here is what I ran to clone the master branch of impacket and check out the pull request from exandroiddev:

```
git clone https://github.com/SecureAuthCorp/impacket ./impacket
cd impacket
git fetch origin pull/1101/head:ntlmrelayx-adcs-attack
git checkout ntlmrelayx-adcs-attack
cd examples
python3 ntlmrelayx.py -t http://my.victim.host/certsrv/certfnsh.asp -smb2support --adcs
```

The output I get is:

I see that pantsman0 has mentioned:

Which I thought is what I was doing by cloning the master branch from impacket, but obviously I'm missing something. Posting something here in case anyone else ran into the same issue and figured it out so everyone can learn from it.
@RapidWolf95 @kapshure to install the modified impacket library, you can use the following command from the root of the repository. If you don't want to overwrite your system install, I would suggest setting up a virtual environment first. If you have virtualenv, you can do so with this command: The virtual environment can then be activated each time you need to use this library version by running

Thanks @pantsman0! I feel silly now, but that was exactly it. I was trying not to overwrite the system install and somehow didn't even consider that as part of the issue.
Does anyone recognize what is going wrong?

```
[] HTTP server returned error code 200, treating as a successful login
```

meanwhile petitpotam:

```
[+] Connected!
```

Tried with PetitPotam; this can result in many certs being created for the same user. It'd be nice if it would track the user so that multiple certs aren't issued for the same user, or if there was a one-shot mode. Along the same vein it'd be convenient to have the certificate fingerprint printed out to grease the way to cleanup issued certs. Perhaps persnickety...
This would be a good option, Responder tracks user hashes and doesn't print out hashes for duplicate users. Something to prevent a certificate request for a previously successful user would be great utility, good opsec, and make defender cleanup easier.

If you have the certificates in files, you can do something like this:

```
# print the SHA1 fingerprint of every PEM certificate in the current directory
for f in *.pem; do openssl x509 -inform pem -in "$f" -noout -fingerprint -sha1; done
```
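For the cleanup side of the thread (matching certificates a relay wrote to disk against what the CA issued), here is an added stdlib-only Python equivalent of the openssl loop above. It is not code from the PR or from impacket. It parses one PEM file or a bundle, computes the fingerprint the same way `openssl x509 -fingerprint` does (a digest over the DER encoding, printed as colon-separated upper-case hex) and drops duplicates, which is what you want before feeding the list to a CA revocation or ticket. The sample input is constructed: two minimal DER blobs stand in for certificates and are not valid X.509.

```python
import base64
import hashlib
import re
from typing import Iterator, List

# One regex pulls every CERTIFICATE block out of a single file or a bundle;
# the captured body is the base64-encoded DER certificate.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_to_der(pem_text: str) -> Iterator[bytes]:
    """Yield the DER bytes of each CERTIFICATE block found in pem_text."""
    for match in _PEM_BLOCK.finditer(pem_text):
        body = "".join(match.group(1).split())  # strip the 64-column line breaks
        yield base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of the DER encoding, formatted like `openssl x509 -fingerprint`
    (upper-case hex, colon-separated). SHA1 is openssl's default; sha256 also works."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_from_pem(pem_text: str, algo: str = "sha1") -> List[str]:
    """Fingerprint every certificate in pem_text, dropping duplicates but keeping order."""
    seen = set()
    result: List[str] = []
    for der in pem_to_der(pem_text):
        fp = fingerprint(der, algo)
        if fp not in seen:
            seen.add(fp)
            result.append(fp)
    return result


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (used here only to build the sample input)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample input: two minimal DER SEQUENCE blobs stand in for real
# certificates (they are NOT valid X.509 certs, just bytes to hash), and the
# first block is repeated so the de-duplication is visible.
SAMPLE_DER_A = bytes.fromhex("3003020101")
SAMPLE_DER_B = bytes.fromhex("3003020102")
SAMPLE_BUNDLE = der_to_pem(SAMPLE_DER_A) + der_to_pem(SAMPLE_DER_B) + der_to_pem(SAMPLE_DER_A)


if __name__ == "__main__":
    # Real use: read each *.pem the relay wrote and pass its text to fingerprints_from_pem.
    for fp in fingerprints_from_pem(SAMPLE_BUNDLE):
        print("SHA1 Fingerprint=" + fp)
```

Hashing the DER rather than the PEM text matters: the same certificate re-wrapped at a different line width or with a trailing newline still yields the same fingerprint, so it can be compared directly with what the CA's issued-certificates view shows.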
Fix when cert server does not request NTLM auth
This has been implemented now. Thanks @Tw1sm .

I had an ADCS endpoint now that didn't accept NTLM auth but asked for Negotiate:

Is there a plan to support Negotiate auth in the future? Is it even possible to relay that? Greetings

Test with this PR #1146 @S3cur3Th1sSh1t

@mpgn worked fine, thanks for the hint! :-)
Hi, I've been trying this pull request on a test lab, but while the petitpotam part seems to work, the authentication to the target DC is failing.
While looking at the resulting pcap, we can see that the relayed authentication gets a 401. Here's the full pcap: ntlmx_adcs_authent_failing.zip Any idea on what could be wrong / how to debug more thoroughly? Maybe it's a case where you can't relay an authentication to itself?

@frisch-raphael Haven't looked at the pcap but my initial thought is that I don't believe you can relay auth back to the machine you coerced it from. I'd try PetitPotam against a different DC or a workstation.

Probably the wrong template, try "DomainController"

@octopodpotato Did you ever find a resolution to this? I'm encountering the same problem and even with the `-debug` flag I can't get the reason why it's failing. I'm able to invoke a response from a DC$ but it errors out here.

The easiest way to find out the issue is printing the Webserver responses from my point of view. That helped me with troubleshooting. The ADCS server answers with clear error messages like 'Template not found' or others.

How were you capturing the responses? I'm not seeing an option in ntlmrelayx, outside of `-debug` which wasn't showing anything except just limited information. Were you capturing with a pcap or did you modify ntlmrelayx to be a bit more verbose?

You were right. I set up a separate CA and it seems to work better.

Edit the source code and add a print statement for the response 😉

I figured as much. I was in the middle of an assessment and didn't have time to go deep. Figured out my issue by using the Kerberos authentication template. But yeah I will take a look and maybe make a verbose output if the debug flag is on.
Hi @ExAndroidDev! This is an amazing addition! Just one thing before merging, could you refactor the httpattack.py code in order to create submodules with the different HTTP attacks? In this case, we'll have a submodule HTTPattack with the adcsrelayattack. It's something similar to what is proposed in #1173 with the different rpc attacks. What do you think? Thanks!!!

Hi @0xdeaddood,

Another idea that I've been thinking about it supporting the I've been looking at working on this on my own time, but my work situation means I can't devote serious time to it until December. I thought I would put it out there in case anyone else is interested in working on these features.

Hey @pantsman0, great idea, but unfortunately I am also short on time. Hey @0xdeaddood, I have just refactored the code. Please let me know what you think. Thanks!

Thanks a lot, @ExAndroidDev! Merging...

Any chance you could point out where and what changes they were please? I'm no python expert unfortunately. Thanks
In recently published AD CS research by harmj0y and tifkin_ this misconfiguration is referred to as ESC8.