[Modules] - NTLMv1 - Enhanced ntlmv1 module to perform checks without admin rights #260
The implementation of the ntlmv1 module was only usable when we had admin rights or were able to perform Remote Registry operations; hence, it was not useful when you were trying to exploit/check the vulnerability before compromising the computer.

I refactored the module to perform remote operations first and fall back to exploitation when a `DCERPCException` is raised. The way I implemented it, it will set up an SMB server and trigger an authentication with `efs_rpc_open_file_raw`, each in a new process, to be able to stop them easily. However, the code is not perfect, especially where inter-process communication is needed; I just developed it and wanted to share it in case someone has ideas to improve it.

Currently, it is no longer possible to run it against multiple targets in parallel due to the smbserver being started (which cannot be started again since tcp/445 is busy).
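The decision the fallback path (or a network sensor watching SMB traffic) has to make is whether a captured NTLM AUTHENTICATE_MESSAGE carries an NTLMv1 or an NTLMv2 response. The following is an added example, not code from this PR or the project: a small parser of the type 3 message layout from MS-NLMP that classifies the response by the length of the NtChallengeResponse field (24 bytes means NTLMv1), with the sample messages constructed inline.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3  # MessageType of AUTHENTICATE_MESSAGE


def _field(msg: bytes, off: int) -> bytes:
    # Every *Fields block is Len(2) MaxLen(2) BufferOffset(4), little-endian.
    ln, _maxlen, o = struct.unpack_from("<HHI", msg, off)
    return msg[o:o + ln]


def classify_ntlm_authenticate(msg: bytes) -> str:
    """Return 'anonymous', 'ntlmv1', 'ntlmv1-ess' or 'ntlmv2' for a type 3 message."""
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE_MESSAGE (type 3)")
    lm = _field(msg, 12)  # LmChallengeResponseFields
    nt = _field(msg, 20)  # NtChallengeResponseFields
    if len(nt) == 0:
        return "anonymous"
    if len(nt) == 24:
        # A 24-byte NT response is NTLMv1. With NTLM2 session security (ESS)
        # the LM field holds an 8-byte client nonce padded with 16 zero bytes.
        if len(lm) == 24 and lm[8:] == b"\x00" * 16:
            return "ntlmv1-ess"
        return "ntlmv1"
    # NTLMv2 responses are NTProofStr (16 bytes) plus a variable-length blob.
    return "ntlmv2"


def build_authenticate(lm: bytes, nt: bytes, user: str = "alice", domain: str = "CORP") -> bytes:
    """Constructed sample: assemble a minimal type 3 message (no Version or MIC block)."""
    header_len = 64  # signature(8) + type(4) + 6 field blocks(48) + flags(4)
    payload, fields = b"", []
    blobs = (lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b"")
    for blob in blobs:  # LM, NT, Domain, User, Workstation, EncryptedRandomSessionKey
        fields.append(struct.pack("<HHI", len(blob), len(blob), header_len + len(payload)))
        payload += blob
    flags = struct.pack("<I", 0x00000205)  # constructed: UNICODE | REQUEST_TARGET | NTLM
    return SIGNATURE + struct.pack("<I", AUTHENTICATE) + b"".join(fields) + flags + payload


if __name__ == "__main__":
    print(classify_ntlm_authenticate(build_authenticate(b"\x11" * 24, b"\x22" * 24)))  # ntlmv1
```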