As auth coercion is blowing up due to #cve-2023-23397, I've put together a quick thread about how we at @MDSecLabs have been leveraging these techniques in our red team engagements for quite some time. It's timely, but I presented much of this at @FiestaCon_RT last week 🧵
Traditionally if you wanted to abuse SMB auth coercion during a red team & over a c2, you were somewhat limited. It was however achievable using a mix of portbender, rportfwd and socks. The main limitations were admin rights, dropping a driver and the opsec of increased c2 traffic.
Just over two years ago, we evolved the tradecraft around this by documenting an alternate approach using WebDAV and a number of file primitives to coerce auth mdsec.co.uk/2021/02/farmin…
We have since considerably evolved this concept, building relaying into our tools with help from @breakfix and @_batsec_. This approach has yielded considerable success during our RT ops. Use cases include downgrading to netNTLMv1 for easy cracking and NTLM recovery:
Relaying to LDAP, allowing you to add shadow credentials or perform RBCD. In this video a domain admin opens a folder on a share and a searchConnector triggers authentication which we relay to LDAP to obtain a shadow cred vimeo.com/808300501
Relaying to Exchange EWS. In this video, our domain admin again opens a folder on a file share and a searchConnector relays his auth to EWS to delegate access to the bob user, which we control vimeo.com/808300586
Relaying to ADCS. In this video, we use our relaytoolkit to scan for the presence of MS_PRN and DAV services on a remote host, trigger authentication via MS_PRN and relay it to ADCS to obtain a certificate for the machine account vimeo.com/808300642
And last but not least, relaying to SCCM. In this video we trigger MS_PRN locally and relay the local machine account to SCCM to perform a new device enrolment, which is then used to recover policies and extract the often privileged NAA creds: vimeo.com/808300696
In summary, auth coercion is a powerful escalation primitive for red teams and NTLM needs to die. We've likely only scratched the surface of what can be done and there are likely many more services that can be abused; CyberArk? Citrix? SAP? All spring to mind as good targets.
Again massive credits to @breakfix who did most of the heavy lifting on a lot of this 🙏
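The thread above describes two things a defender can look for in domain controller logon telemetry: NTLMv1 logons (the downgrade used for easy cracking) and a machine account authenticating over NTLM from an address that is not the machine's own (the shape a relayed machine-account authentication takes at the target). The following is an added example, not code from MDSec or the tools the thread describes; it parses constructed Windows 4624 records in a flattened key=value form and applies both checks. The `KNOWN_HOSTS` inventory is a constructed stand-in for an asset database; the field names are the standard 4624 event fields.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed 4624 records (not real telemetry), flattened to key=value pairs.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 TargetUserName=alice TargetDomainName=CORP "
    "AuthenticationPackageName=NTLM LmPackageName=NTLM V2 WorkstationName=WS01 IpAddress=10.0.0.15",
    "EventID=4624 LogonType=3 TargetUserName=bob TargetDomainName=CORP "
    "AuthenticationPackageName=NTLM LmPackageName=NTLM V1 WorkstationName=WS02 IpAddress=10.0.0.16",
    # Machine account, WorkstationName preserved from the original client, but the
    # connection arrives from a different address than the host itself uses.
    "EventID=4624 LogonType=3 TargetUserName=FILESRV01$ TargetDomainName=CORP "
    "AuthenticationPackageName=NTLM LmPackageName=NTLM V2 WorkstationName=FILESRV01 IpAddress=10.0.0.77",
    "EventID=4624 LogonType=3 TargetUserName=carol TargetDomainName=CORP "
    "AuthenticationPackageName=Kerberos LmPackageName=- WorkstationName=- IpAddress=10.0.0.20",
    "EventID=4624 LogonType=3 TargetUserName=FILESRV01$ TargetDomainName=CORP "
    "AuthenticationPackageName=NTLM LmPackageName=NTLM V2 WorkstationName=FILESRV01 IpAddress=10.0.0.50",
]

# Constructed asset inventory: hostname -> the address it is expected to connect from.
KNOWN_HOSTS = {"FILESRV01": "10.0.0.50"}

# Values may contain spaces ("NTLM V2"), so a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def analyze(lines: Iterable[str], known_hosts: Dict[str, str] = KNOWN_HOSTS) -> List[Tuple[str, str, str]]:
    """Return (finding, account, source_ip) tuples for suspicious NTLM logons."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("AuthenticationPackageName") != "NTLM":
            continue  # only successful NTLM logons are of interest here
        user = ev.get("TargetUserName", "")
        src = ev.get("IpAddress", "")
        # Check 1: NTLMv1 is the weak, crackable variant the thread mentions.
        if ev.get("LmPackageName") == "NTLM V1":
            findings.append(("ntlmv1_logon", user, src))
        # Check 2: a network logon by a machine account from an address that
        # is not the machine's own. WorkstationName is client-supplied and is
        # carried through unchanged by a relay, so the comparison uses the IP.
        if ev.get("LogonType") == "3" and user.endswith("$"):
            expected = known_hosts.get(user[:-1].upper())
            if expected is not None and src != expected:
                findings.append(("machine_account_from_foreign_address", user, src))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The second check only fires for hosts present in the inventory; a machine account with no known address is left alone rather than guessed at, and the Kerberos logon is skipped entirely because neither check applies to it.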
Just confirmed that this works nicely over WebDAV - Microsoft's mitigation of blocking outbound 445 is insufficient, you can exploit this on any port as long as WebClient is running
Here's a video demo of exploiting this one over a c2, and relaying to LDAP to add a shadow credential using @MDSecLabs' farmer tool: vimeo.com/808160973
Good red teams will blend in with the noise. ETW is a sweet resource for finding out what noise looks like. Here I'm using @FuzzySec's SilkETW to hunt for surrogate processes for hosting my AD post-ex... I see you taskhostw.exe & winword.exe
Wanna know which processes make HTTPS connections for your egress beacons? Microsoft-Windows-WinHttp got your back...
Microsoft-Windows-WebIO also kicks ass because you get the web request/host... super useful for building realistic malleable profiles for hiding in those surrogates...
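The same ETW providers named above (Microsoft-Windows-WinHttp and Microsoft-Windows-WebIO) serve the defender in reverse: a baseline of which processes normally make web requests, and to which hosts, is what makes a surrogate process that starts talking to a new host stand out. The following is an added example, not the author's code and not part of SilkETW; it reads constructed records in the JSON-per-line shape SilkETW emits, aggregates requests per process, and reports egress outside an allowlist. The `XmlEventData` keys (`Host`, `Url`) are assumed for illustration, not taken from the provider manifests.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

WEB_PROVIDERS = {"Microsoft-Windows-WinHttp", "Microsoft-Windows-WebIO"}


def _rec(provider: str, pid: int, name: str, host: str) -> str:
    """Build one constructed JSON record in a SilkETW-like shape."""
    return json.dumps({
        "ProviderName": provider,
        "EventName": "WebRequest",
        "ProcessID": pid,
        "ProcessName": name,
        "XmlEventData": {"Host": host, "Url": f"https://{host}/"},
    })


# Constructed sample records (not captured telemetry).
SAMPLE_LINES = [
    _rec("Microsoft-Windows-WebIO", 4120, "winword.exe", "officecdn.example.net"),
    _rec("Microsoft-Windows-WinHttp", 2208, "taskhostw.exe", "settings.example.net"),
    _rec("Microsoft-Windows-WebIO", 4120, "winword.exe", "officecdn.example.net"),
    _rec("Microsoft-Windows-WebIO", 4120, "winword.exe", "cdn.unknown-party.example"),
    _rec("Microsoft-Windows-WinHttp", 5530, "calc.exe", "cdn.unknown-party.example"),
    # An event from an unrelated provider, which the loader must ignore.
    json.dumps({"ProviderName": "Microsoft-Windows-Kernel-Process", "EventName": "ProcessStart",
                "ProcessID": 5530, "ProcessName": "calc.exe", "XmlEventData": {}}),
    "not json at all",  # a torn line, which the loader must also survive
]

# Constructed baseline: process -> hosts it is expected to contact.
BASELINE: Dict[str, Set[str]] = {
    "winword.exe": {"officecdn.example.net"},
    "taskhostw.exe": {"settings.example.net"},
}


def load_web_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON lines, keeping only well-formed events from the two web providers."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("ProviderName") in WEB_PROVIDERS and ev.get("XmlEventData", {}).get("Host"):
            events.append(ev)
    return events


def egress_by_process(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each process name to the set of hosts it made web requests to."""
    table: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        table[ev["ProcessName"]].add(ev["XmlEventData"]["Host"])
    return dict(table)


def unexpected_egress(events: Iterable[dict], baseline: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Report (process, host) pairs not covered by the baseline, each pair once."""
    seen: Set[Tuple[str, str]] = set()
    out: List[Tuple[str, str]] = []
    for ev in events:
        pair = (ev["ProcessName"], ev["XmlEventData"]["Host"])
        if pair in seen or pair[1] in baseline.get(pair[0], set()):
            continue
        seen.add(pair)
        out.append(pair)
    return out


if __name__ == "__main__":
    evs = load_web_events(SAMPLE_LINES)
    for proc, hosts in sorted(egress_by_process(evs).items()):
        print(f"{proc}: {sorted(hosts)}")
    print("outside baseline:", unexpected_egress(evs, BASELINE))
```

A process that is in the baseline but reaches a new host (winword.exe here) and a process with no baseline entry at all (calc.exe) are both reported; the first case is the one that matters when a known-good surrogate is being used to hide egress, since the process name alone will look normal.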
I didn’t particularly want to name and shame the infosec person who stole $2k from me so tried to give him one last opp to return the money, instead he took to insulting and threatening me. However, I’m concerned about other ppl being scammed...
...as such it’s only right that anyone who is considering taking @ninjaparanoid’s training know what they might have to deal with. It would be unfair to make such an accusation without proof, so I’ve provided evidence below.
I’m always looking to learn new things to sharpen my RT skills and try and do as much mal dev training as I can, having taken the NetSPI and Sek7 courses one of the few remaining was @ninjaparanoid’s MOS; the syllabus looked good so I signed up and paid for this in August