This PR implements the Relaying to RPC attack, which currently allows RCE on any MS Exchange server via the Exchange Trusted Subsystem group (Exchange servers have Administrator rights to each other via this or a similar group) and printerbug.py.
Queries for BloodHound to locate exploitation chains
These queries show all machines that have Administrator rights to other machines.
Usage Option 1
It requires port 135/tcp and the dynamic high MSRPC TCP port of the TSCH service to be reachable on the target host.
Usage Option 2
It requires only port 445/tcp (or 139/tcp) to be reachable on the target host, and the connection will be encrypted if SMB3 is used. A low-privilege account is needed.
This is the same attack that Compass Security has published (https://twitter.com/compasssecurity/status/1260898906629529602), but it was discovered before the Compass Security publication, so I am just sharing my PoC because no other PoCs have been released.
This PoC was also sent to MS, including an example of relaying to the DCOM MMC20 object.
For @CompassSecurity: it would be interesting to see your RPC server and your ways of getting an incoming RPC connection.
If you are reading this and are interested in finding new MSRPC endpoints to attack, check out the new rpcmap.py tool with
The endpoints available this way should be vulnerable to the RPC relaying attack.
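As an added example, not part of this PR or its author's queries, the following BloodHound Cypher queries surface the computer-to-computer Administrator relationships described above (machines that are local Administrators on other machines, directly or through a group such as Exchange Trusted Subsystem). Node labels and edge names (`Computer`, `Group`, `MemberOf`, `AdminTo`) are the standard BloodHound schema; the `EXCHANGE TRUSTED SUBSYSTEM@` name prefix assumes BloodHound's usual `NAME@DOMAIN` naming and is an assumption about the environment.

```cypher
// Added example (not from the original PR): BloodHound queries for the
// relay chains this attack needs. Run each statement separately in the
// BloodHound raw query box or in the Neo4j browser.

// 1. Computers that are local Administrators on another computer through
//    group membership of any depth, e.g.
//    EXCHANGE1 -MemberOf-> Exchange Trusted Subsystem -AdminTo-> EXCHANGE2.
MATCH p = (src:Computer)-[:MemberOf*1..]->(g:Group)-[:AdminTo]->(dst:Computer)
WHERE src <> dst
RETURN p

// 2. Computers with a direct AdminTo edge to another computer.
MATCH p = (src:Computer)-[:AdminTo]->(dst:Computer)
WHERE src <> dst
RETURN p

// 3. Same as 1, restricted to the Exchange Trusted Subsystem group, i.e. the
//    chain abused by this PR. The group name prefix is an assumption about
//    BloodHound's NAME@DOMAIN naming; adjust it to your environment.
MATCH p = (src:Computer)-[:MemberOf*1..]->(g:Group)-[:AdminTo]->(dst:Computer)
WHERE g.name STARTS WITH 'EXCHANGE TRUSTED SUBSYSTEM@'
  AND src <> dst
RETURN src.name AS relay_source, dst.name AS relay_target
```

Each row of query 3 is a candidate pair: coerce authentication from `relay_source` (for example with printerbug.py) and relay it to the RPC interface of `relay_target`. Query 1 generalises this to any group that grants computer accounts Administrator rights on other computers, not only the Exchange case.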