Preface
Printerbug lets an attacker who controls a domain user or computer account pick a server in the domain and make it authenticate to a target of the attacker's choice. Although Microsoft does not recognize it as a vulnerability, combining it with Net-NTLMv1, unconstrained delegation, NTLM relay, or named pipe impersonation allows exploitation within a domain, locally, across domains, and more.
Unfortunately, after the PrintNightmare outbreak many enterprises chose to shut down the Print Spooler (spoolss) service, which renders Printerbug ineffective. As Printerbug fades, PetitPotam arrives: it can likewise make a server in the domain authenticate to a target of the attacker's choice, and on older Windows Server versions (before 2016) it can be triggered anonymously.
Principle
MS-EFSR contains the function EfsRpcOpenFileRaw (Opnum 0):
long EfsRpcOpenFileRaw(
[in] handle_t binding_h,
[out] PEXIMPORT_CONTEXT_HANDLE* hContext,
[in, string] wchar_t* FileName,
[in] long Flags
);
It opens an encrypted object on the server for backup or restore. The object is specified by FileName, which is a UNC path.
When FileName is given in the form \\IP\C$, the lsass.exe process on the server connects to \\IP\pipe\srvsvc.
By changing the IP in FileName, an attacker can therefore make a server in the domain authenticate to a target of their choice.
Details
1. Triggering via LSARPC
According to the official documentation, MS-EFSR is reachable over two named pipes, \pipe\lsarpc and \pipe\efsrpc:
· The server interface on \pipe\lsarpc must use UUID c681d488-d850-11d0-8c52-00c04fd90f7e
· The server interface on \pipe\efsrpc must use UUID df1941c5-fe89-4e79-bf10-463657acf44d
In my local tests, \pipe\efsrpc was not exposed.
A note on this (originally in French) reads, in translation: “It is also possible via EFSRPC (by changing the UUID), but this named pipe is less universal and rarer than lsarpc 😉”
PetitPotam therefore triggers directly over LSARPC.
2. Older versions can be triggered anonymously
On Windows Server 2008 and 2012, the security policy "Network access: Named Pipes that can be accessed anonymously" lists three pipes by default: netlogon, samr and lsarpc. The trigger therefore works anonymously in those environments.
Unfortunately, on Windows Server 2016 and later this default list is empty, so at least one set of domain credentials is required.
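As a defender-side illustration of the two points above (the UNC FileName taken by EfsRpcOpenFileRaw, and the fact that the EFSR interface also rides on \pipe\lsarpc), here is an added Python example that is not part of the original post or of PetitPotam: it scans a constructed, hypothetical RPC call log and flags calls on either MS-EFSR interface UUID whose FileName points the server at a different host. The log format, field names and sample addresses are assumptions.

```python
import re
from typing import List, Optional

# MS-EFSR interface UUIDs from the page. The interface UUID, not the pipe name,
# identifies EFSR traffic, since the interface is also reachable over \pipe\lsarpc.
EFSR_INTERFACE_UUIDS = {
    "c681d488-d850-11d0-8c52-00c04fd90f7e",  # the interface reached via \pipe\lsarpc
    "df1941c5-fe89-4e79-bf10-463657acf44d",  # the interface reached via \pipe\efsrpc
}
COERCION_OPNUMS = {0: "EfsRpcOpenFileRaw"}  # Opnum 0 takes the UNC FileName argument
UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")  # host part of \\host\share\...

def parse_line(line: str) -> Optional[dict]:
    """Parse one line of the constructed log: ts client server pipe uuid opnum filename."""
    parts = line.split()
    if len(parts) != 7 or not parts[5].isdigit():
        return None
    ts, client, server, pipe, iface, opnum, filename = parts
    return {"ts": ts, "client": client, "server": server, "pipe": pipe.lower(),
            "interface": iface.lower(), "opnum": int(opnum), "filename": filename}

def coercion_target(call: dict) -> Optional[str]:
    """Host the server would be made to authenticate to, or None if the call is benign."""
    if call["interface"] not in EFSR_INTERFACE_UUIDS or call["opnum"] not in COERCION_OPNUMS:
        return None
    m = UNC_HOST.match(call["filename"])
    if not m:
        return None
    host = m.group(1)
    # A UNC path naming the server itself is an ordinary backup/restore use of the call.
    return None if host.lower() == call["server"].lower() else host

def scan(lines: List[str]) -> List[dict]:
    """One finding per EFSR call whose FileName points the server at another host."""
    findings = []
    for call in filter(None, map(parse_line, lines)):
        target = coercion_target(call)
        if target:
            findings.append({"ts": call["ts"], "client": call["client"], "server": call["server"],
                             "pipe": call["pipe"], "call": COERCION_OPNUMS[call["opnum"]], "target": target})
    return findings

# Constructed sample lines (not real traffic): a coercion attempt over \pipe\lsarpc,
# an ordinary call on the LSARPC interface itself, and an EFSR call naming the server.
SAMPLE_LOG = [
    r"2021-07-23T10:15:01Z 10.0.0.50 10.0.0.10 \pipe\lsarpc C681D488-D850-11D0-8C52-00C04FD90F7E 0 \\10.0.0.99\C$\x",
    r"2021-07-23T10:15:02Z 10.0.0.50 10.0.0.10 \pipe\lsarpc 12345778-1234-abcd-ef00-0123456789ab 44 -",
    r"2021-07-23T10:15:03Z 10.0.0.50 10.0.0.10 \pipe\lsarpc c681d488-d850-11d0-8c52-00c04fd90f7e 0 \\10.0.0.10\C$\backup.bin",
]
```

Running `scan(SAMPLE_LOG)` yields a single finding, the first line, with target 10.0.0.99; matching on the pipe name alone would miss it or flood on ordinary LSARPC traffic.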
Usage
This article is about using PetitPotam as a replacement for Printerbug, so the following uses are the same ones previously driven by Printerbug; this section therefore also serves as a review of Printerbug usage.
1. Combining CVE-2019-1040 with NTLM relay to LDAP
See the CVE-2019-1040 write-up for details; the trigger source can simply be changed from Printerbug to PetitPotam.
Relay to HTTP
Unlike LDAP, where signing is negotiated, and SMB, where the signing flag bit must be modified, NTLM authentication to HTTP is not signed. ADCS, which was popular some time ago, happens to be an HTTP interface that also accepts NTLM authentication. PetitPotam can be used to relay a domain controller machine account to ADCS to request a domain controller certificate, which can then be used for Kerberos authentication. Note that for a domain controller, the template must be specified as DomainController:
python3 ntlmrelayx.py -t https://192.168.12.201/certsrv/certfnsh.asp -smb2support --adcs --template "DomainController"
2. Combining with unconstrained delegation
When a machine is configured for unconstrained delegation and a user authenticates to it over the network, the machine receives a copy of that user's TGT.
Once we control a machine with unconstrained delegation, we can obtain a target account's TGT by getting it to authenticate to that machine. Previously Printerbug was used for this; now PetitPotam can be used instead.
All domain controllers in a domain are configured for unconstrained delegation by default, so this technique also works across domains.
3. Combining with Net-NTLMv1
In many enterprises the LAN Manager authentication level is misconfigured for historical reasons, allowing an attacker to downgrade Net-NTLM to v1.
If the challenge in Responder is set to 1122334455667788, the Net-NTLMv1 response can be recovered back to the NTLM hash.
4. Combining with named pipe impersonation
Previously we used Printerbug to trigger the pipePotato bug; see "pipePotato: a new universal privilege escalation vulnerability".
With PetitPotam available, it turns out this RPC suffers from the same problem that pipePotato exploited.
I hope that after reading this article you have a broader understanding of network security!