-
-
Notifications
You must be signed in to change notification settings - Fork 178
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bug] HTTP Authentications works in ntlmrelay from Coercer in coerce mode, but not detected by Coercer in scan and fuzz modes #42
Comments
Hi, I have been testing coercing SMB and HTTP using version 2.2 using version 1.6 as refference to make sure my setup was working. The result for me is that coercing SMB as anonymous and as authenticated works against Responder and ntlmrelayx in both versions. However, coercing HTTP as anonymous and as authenticated does not work in version 2.2 regardless if Responder or ntlmrelayx is used. There is simply no traffic that reaches Responder from the target when coercing. And as before, if I copy the "filename" output from Coercer 2.2 to Windows Explorer on the targeted DC coercing HTTP works against both Responder and ntlmrelayx. |
@p0dalirius I can confirm the comment by @jsdhasfedssad . It also does not work on 2.4. |
Hi. Any update on this? I love this tool but as long as this issue is not fixed I am stuck using version 1.6 which for example is missing support for coercing via DCERPC. Coercing HTTP to SMB authentication is central. Attacks on LDAP cannot be performed by coercing SMB to SMB authentication. Thanks! |
@jsdhasfedssad I don't think the tool is being actively maintained. However, check out the "Authentication Coercion" section from NTLM Relay in case you are interested in knowing other methods of authentication coercing. |
Hey @PedantHTB,
It is maintained, I just don't understand yet the root cause of this for HTTP authentications. I am looking into it today and will try to find a solution.
Best regards,
|
Hello @p0dalirius My apologies for that, I totally forgot about not posting paid promotions. Your tool is absolutely amazing. Here is how we talked about it. Regarding the HTTP NTLM auth problem, we currently say this: In case this gets fixed, I will happily edit the section. |
Thank you @PedantHTB, I was not able to see the course content. I am trying to fix it, it bothers me that it does not work. I'll ping you here once this is fixed! Best regards, |
@p0dalirius Could you also please check why these debug messages are being printed in a red font color instead of green? As you see from Responder, hashes are being received. This is only in scan mode; the messages get printed in green in coerce mode. Once again, thank you for your great tool and hard work. I hope you can figure out the problem. Best regards 😃 |
@PedantHTB I do understand why it is not clear I will explain it better in the scan mode. Scan Mode: Coerce mode: |
Hey @jsdhasfedssad @PedantHTB, I have fixed this issue in 83a1fd7 and released version 2.4.3. Let me know if you encounter further problems, Best regards, |
Great work! As far as I have tested so far both SMB and HTTP can be coerced now. Thank you! |
Thank you very much @p0dalirius for the extremely awesome work. I will test this and update what we have in our section in the module. Best regards 😄 |
Thank you @PedantHTB, again sorry for the trouble! Best regards, |
@p0dalirius Please do not be sorry for anything, Sir; your hard work is much appreciated. By the way, in a previous comment, you stated the following: "The scan mode listens on your port 445 on your machine, and waits for authentications callbacks. If you listen with Responder or NTLMRelay while using scan mode, you will receive authentications in another tool, and therefore the messages will get printed in red. Try it again in scan mode with only Coercer running, and you will understand better the behavior :)" I actually tried that before sending you that message, however, to double-check, I went and tried it again; the outcome is the same: the debug messages are still being printed in red: Am I missing something, or is this unintended? If I do the same with |
Hi @PedantHTB, I hope you are well! I understand your problem we were not talking about the same thing. There was a problem on older versions of Coercer where I forgot to check if Coercer is able to listen on the port in scan mode. I added a check in commit 91fbd4d to explicitly print if a port is not available, like what Responder does. From your screenshots I think that you ran Coercer with a normal user (if you are not Would you be so kind as to retry on the latest version of Coercer? (As of right now it is version 2.4.3). You can upgrade it with:
To sum up:
With the ability to listen on privileged ports, everything should look good! I will update the documentation on the whole project soon, to precise those unclear points. Best regards, |
Oh. I finally get it. My bad, my bad. I will do as you instructed and keep you updated. By the way, once you update the documentation, I am ready to proofread all of it, if that suits you. Just let me know 😃 |
Oh that would be awesome, I will keep you updated once the new documentation is up I will work on the documentation in one or two weeks |
@p0dalirius Hello again 👋 So, I downloaded the latest release and started rechecking whatever I had reported previously. Regarding the font color of debug messages, the issue persists, although partially. Before showing you an example, I want to state what I understand from Coercer and its
When using the However, Although I only showed a very few methods, I think the overall behavior is the same. Curious to know your take on this, and pardon me if I am missing something this time also. |
Hello, I hope you are well! Scan modeIn Two things are happening here in your test with
Demonstration.of.caching.of.UNC.paths.in.RPC.EfsRpcDecryptFileSrv.mp4
Coerce modeIn
I hope it is clearer, but do not hesitate to ping me if there is still some unclear points. Best regards, |
HTTP Authentications works in ntlmrelay
ntlmrelay.mp4
but not detected by Coercer in scan and fuzz modes
Follow up on #40 by @jsdhasfedssad
The text was updated successfully, but these errors were encountered: