fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

Relaying SMB NTLMv1 to LDAPS using the "--remove-mic" flag #1389

Open jsdhasfedssad opened 2 years ago

jsdhasfedssad commented 2 years ago

Hi,

After reading this post about relaying SMB NTLMv1 to LDAPS, something I thought was not possible, I decided to try this out. I had partial success testing this.

I am aware that the flag "--remove-mic" is intended to be used when targets are vulnerable to CVE-2019-1040, not for relaying SMB NTLMv1 to LDAPS but it works to some extent and I am happy to use all available means to gain access.

Relaying SMB NTLMv1 to LDAPS without the flag "--remove-mic" fails (as expected):

[screenshot: notworking]

Relaying SMB NTLMv1 to LDAPS with the flag "--remove-mic" works:

[screenshot: working]

Typically I start ntlmrelayx using a command similar to "impacket-ntlmrelayx -smb2support -t ldaps://[DC IP] -wh pentest-wpad --delegate-access --dump-gmsa --dump-laps --dump-adcs" but I found that when using this command while relaying SMB NTLMv1 to LDAPS using the flag "--remove-mic", the flag "--delegate-access" seems to be completely ignored, not even failing, and the flag "--dump-laps" fails with "invalid attribute type ms-MCS-AdmPwd". The relayed credentials belonged to a privileged account in all tests.

I understand that using the flag "--remove-mic" this way is more or less abusing it but again, this could be very useful when penetration testing. Therefore I wonder if Impacket will officially support this method whenever possible? I am especially interested in whether the flag "--delegate-access" could be improved to work in this scenario since the flag "--add-computer" does work and both of them are writing to LDAP (the flag "--no-da" also seems to be ignored).

[screenshot: addcomputer]

Update

After some more testing it seems the flag "--delegate-access" actually does work in this scenario assuming one coerces SMB NTLMv1 authentication from a machine account. Is using a machine account required for this attack to work? In this scenario and in general, I mean.

Configuration

Impacket version: 0.10.0
Python version: 3.10.5
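As an added defender-side example (not code from this issue or from Impacket): the relay described above depends on the client answering with NTLMv1 and on the MIC being absent from the AUTHENTICATE message. The parser below classifies an NTLM Type 3 message by the length of its NtChallengeResponse (a fixed 24 bytes for NTLMv1) and reports whether a MIC field is present, so NTLMv1 use can be found when reviewing captured traffic; the sample messages are constructed by a helper rather than captured, and the names build_authenticate and parse_authenticate are my own.

```python
import struct

# NegotiateFlags bit from MS-NLMP that distinguishes plain NTLMv1 from NTLMv1-ESS
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000


def _security_buffer(msg, at):
    """Decode a (Len, MaxLen, Offset) security buffer located at byte `at`."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length], offset


def parse_authenticate(msg: bytes) -> dict:
    """Classify an NTLM AUTHENTICATE (Type 3) message for audit purposes."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE message")
    names = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
    fields, payload_offsets = {}, []
    for i, name in enumerate(names):
        data, offset = _security_buffer(msg, 12 + 8 * i)
        fields[name] = data
        if data:
            payload_offsets.append(offset)
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Fixed fields end at 64; Version (8) and MIC (16) follow. Assumption used here:
    # a MIC field exists only if no payload buffer starts before offset 88.
    mic_present = min(payload_offsets, default=len(msg)) >= 88
    nt_len = len(fields["nt_response"])
    if nt_len == 0:
        kind = "anonymous"
    elif nt_len == 24:  # NTLMv1 is a fixed 24-byte DES response
        kind = "NTLMv1-ESS" if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY else "NTLMv1"
    else:               # NTLMv2 responses carry a variable-length blob after the 16-byte proof
        kind = "NTLMv2"
    return {"domain": fields["domain"].decode("utf-16-le"),
            "user": fields["user"].decode("utf-16-le"),
            "kind": kind, "mic_present": mic_present}


def build_authenticate(user, domain, lm_resp, nt_resp, flags, mic=None):
    """Build a constructed sample Type 3 message (not captured traffic)."""
    header_len = 88 if mic is not None else 72
    hdr, payload = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for data in (lm_resp, nt_resp, domain.encode("utf-16-le"),
                 user.encode("utf-16-le"), b"", b""):
        hdr += struct.pack("<HHI", len(data), len(data), header_len + len(payload))
        payload += data
    hdr += struct.pack("<I", flags) + bytes(8)  # NegotiateFlags + zeroed Version
    return hdr + (mic if mic is not None else b"") + payload


# Constructed samples: an NTLMv1 answer without a MIC, and an NTLMv2 answer carrying one
NTLMV1_NO_MIC = build_authenticate("svc", "CORP", bytes(24), bytes(24), 0x00000205)
NTLMV2_WITH_MIC = build_authenticate("svc", "CORP", bytes(24), bytes(64), 0x00080205, mic=bytes(16))
```

Feeding the raw NTLMSSP blob extracted from an SMB Session Setup or LDAP bind into parse_authenticate gives the same classification for real captures.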

fsacer commented 5 months ago

I mean this is the help source for --delegate-access which says it works on relayed computer accounts:

ldapoptions.add_argument('--delegate-access', action='store_true', required=False, help='Delegate access on relayed computer account to the specified account')

AFAIK this does the RBCD attack which requires write access to the target object which is usually only possible on computer accounts.