Add shadowcoerce module

[ChoiSG]

Added a module that can check MS-FSRVP ShadowCoerce authentication coercion attack.

The code is from @Shutdown/@_nwodtuhs's ShadowCoerce repo - https://github.com/ShutdownRepo/ShadowCoerce. All credit goes to @shutdown (@ShutdownRepo in Github).

If target is vulnerable

└─# poetry run crackmapexec smb 192.168.40.150 -u low -p 'Password123!' -d choi.local -M shadowcoerce 
SMB         192.168.40.150  445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:choi.local) (signing:True) (SMBv1:False)
SMB         192.168.40.150  445    DC01             [+] choi.local\low:Password123! 
SHADOWCO... 192.168.40.150  445    DC01             VULNERABLE
SHADOWCO... 192.168.40.150  445    DC01             Next step: https://github.com/ShutdownRepo/ShadowCoerce

If target is not vulnerable

└─# poetry run crackmapexec smb 192.168.40.151 -u low -p 'Password123!' -d choi.local -M shadowcoerce 
SMB         192.168.40.151  445    WKSTN01          [*] Windows 10.0 Build 19041 x64 (name:WKSTN01) (domain:choi.local) (signing:False) (SMBv1:False)
SMB         192.168.40.151  445    WKSTN01          [+] choi.local\low:Password123!

Using IsPathShadowCopied instead of the default IsPathSupported

└─# poetry run crackmapexec --verbose smb 192.168.40.150 -u low -p 'Password123!' -d choi.local -M shadowcoerce -o ipsc=true

< ... > 
DEBUG:root:ipsc = True
DEBUG ipsc = True
DEBUG:root:Using IsPathShadowCopied!
DEBUG Using IsPathShadowCopied!
DEBUG:root:Sending IsPathShadowCopied!
DEBUG Sending IsPathShadowCopied!
SHADOWCO... 192.168.40.150  445    DC01             VULNERABLE
SHADOWCO... 192.168.40.150  445    DC01             Next step: https://github.com/ShutdownRepo/ShadowCoerce

[mpgn]

thanks :)

[0xAsh]

🔥 🔥 🔥