Cheat Sheet - Add UNC Injection Help for WEBDAV #54

Open
nullbind opened this issue Feb 10, 2020 · 3 comments
@nullbind
Collaborator

Requester:
kevin @GuhnooPlusLinux

Question:
@nullbind Is there anything special you have to do for webdav auth in MSSQL? Tested all formats listed in the PowerUpSQL UNC path cheatsheet but no dice.

@nullbind nullbind self-assigned this Feb 10, 2020
@Invoke-Mimikatz

@nullbind Bump... I'll buy you lunch or a beer if you can figure out how to reliably force webdav auth from MSSQL server.

@mubix

mubix commented Jul 20, 2020

There are a few ways to do this, but unfortunately it requires a few things to be in place. 1st, "Desktop Experience" must be installed, so that the WebClient service is present. Then it has to be enabled/running. You can trigger the WebClient service to start programmatically as a non-privileged user, but there isn't a way to install the "Desktop Experience" feature that way. Another option is that MSSQL is installed on a client operating system like Win7 or Win10, in which case you still have to deal with starting the WebClient service, which as far as I can tell, you can't do from functions inside of MSSQL. Maybe @nullbind can figure that piece out.

Once you are over that hurdle, you still have to deal with having an attack tool that supports WebDAV's process for authentication, which isn't straight HTTP. It does an OPTION request, then a PROPFIND (which expects an XML response), then it starts down the NTLM authentication route, but if Auth is required or a correctly formatted response isn't given, then the auth won't be performed. I don't believe that Inveigh (which is what PowerUpSQL uses if I remember correctly), doesn't support WebDAV based authentication. I could be wrong here, but if it isn't, then that's up to @Kevin-Robertson to fix, not @nullbind.

Finally, once you have that perfect storm in place, you can get PowerUpSQL to perform an xp_dirtree on a WebDAV path, but it's a long road to get here. Just wanted to make sure you knew what you were asking for :)

@Kevin-Robertson

I can confirm that I don't have the standard WebDAV auth in Inveigh. To further complicate things though, the Microsoft-WebDAV-MiniRedir does seem to trigger auth through straight HTTP :) So for example, Inveigh should capture auth for an incoming webdav connection that is redirected from a port 445 UNC on a redirect capable system.

I could add the standard webdav auth if there is a need.
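
A defender's view of the request sequence described in this thread, as an added example that is not part of the issue, PowerUpSQL or Inveigh: it scans egress-proxy log lines for a `Microsoft-WebDAV-MiniRedir` client that issues OPTIONS and then PROPFIND to the same host, and notes whether a 401 challenge was returned. The log format, host names, addresses and the `SQL` server-name prefix are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed proxy-log format (not from the issue):
# time src_host method url status "user-agent"
SAMPLE_LOG = """\
2020-07-20T10:00:01Z SQL01 OPTIONS http://198.51.100.7/share 200 "Microsoft-WebDAV-MiniRedir/10.0.17763"
2020-07-20T10:00:01Z SQL01 PROPFIND http://198.51.100.7/share 401 "Microsoft-WebDAV-MiniRedir/10.0.17763"
2020-07-20T10:00:02Z SQL01 PROPFIND http://198.51.100.7/share 207 "Microsoft-WebDAV-MiniRedir/10.0.17763"
2020-07-20T10:01:00Z WKS22 GET http://intranet.example/index.html 200 "Mozilla/5.0"
2020-07-20T10:02:00Z WKS23 OPTIONS http://files.example/docs 200 "Microsoft-WebDAV-MiniRedir/10.0.19041"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) https?://([^/\s]+)\S* (\d{3}) "([^"]*)"$')
MINIREDIR = "Microsoft-WebDAV-MiniRedir"  # user agent named in the thread


def find_webdav_auth(log_text, server_prefixes=("SQL",)):
    """Flag (source, destination) pairs where MiniRedir sent OPTIONS then PROPFIND."""
    state = defaultdict(lambda: {"options": False, "propfind": False, "challenged": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, src, method, dest, status, agent = m.groups()
        if not agent.startswith(MINIREDIR):
            continue
        s = state[(src, dest)]
        if method == "OPTIONS":
            s["options"] = True
        elif method == "PROPFIND" and s["options"]:
            s["propfind"] = True
            # Assumption: a 401 on PROPFIND marks the start of the auth exchange.
            s["challenged"] |= status == "401"
    findings = []
    for (src, dest), s in sorted(state.items()):
        if s["propfind"]:
            findings.append({
                "source": src,
                "dest": dest,
                "auth_challenged": s["challenged"],
                # Assumed naming convention: database servers start with "SQL".
                "is_server": src.startswith(server_prefixes),
            })
    return findings


if __name__ == "__main__":
    for finding in find_webdav_auth(SAMPLE_LOG):
        print(finding)
```

A database server appearing in the findings with `auth_challenged` set is worth triage, since the WebClient service is not normally active on servers.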
