p0dalirius / Coercer

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.
https://podalirius.net/
GNU General Public License v2.0

[bug] Coercing through ElfrOpenBELW in \PIPE\eventlog doesn't work. #53

Closed Shawn24pr closed 1 year ago

Shawn24pr commented 1 year ago
[+] SMB named pipe '\PIPE\eventlog' is accessible!
   [+] Successful bind to interface (82273fdc-e32a-18c3-3f78-827929dc23ea, 0.0)!
      [!] (NO_AUTH_RECEIVED) MS-EVEN──>ElfrOpenBELW(BackupFileName='\??\UNC\192.168.1.101\r1Qr8iIe\aa')
p0dalirius commented 1 year ago

Hi,

I just tested it on the following system:

C:\Users\Administrator>systeminfo

Host Name:                 TDC01
OS Name:                   Microsoft Windows Server 2019 Standard Evaluation
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00431-10000-00000-AA171
Original Install Date:     2/3/2023, 1:17:55 PM
System Boot Time:          5/24/2023, 2:25:37 PM
System Manufacturer:       innotek GmbH
System Model:              VirtualBox
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 165 Stepping 5 GenuineIntel ~3792 Mhz
BIOS Version:              innotek GmbH VirtualBox, 12/1/2006
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              fr;French (France)
Time Zone:                 (UTC+01:00) Brussels, Copenhagen, Madrid, Paris
Total Physical Memory:     8,192 MB
Available Physical Memory: 6,087 MB
Virtual Memory: Max Size:  9,472 MB
Virtual Memory: Available: 7,426 MB
Virtual Memory: In Use:    2,046 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    DOMAIN.local
Logon Server:              \\TDC01
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB4514366
                           [02]: KB4486153
                           [03]: KB4512577
                           [04]: KB4512578
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Desktop Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.1.254
                                 IP address(es)
                                 [01]: 192.168.1.71
                                 [02]: fe80::8de7:7100:8d37:e712
                                 [03]: 2001:861:8c80:e2e0:8de7:7100:8d37:e712
                                 [04]: 2001:861:8c80:e2e0:1d3b:a11a:bc84:4a25
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

And I got the following results:

[screenshot]

Can you provide more details on the configuration of your environment?

Best regards,

Shawn24pr commented 1 year ago

Hi there,

system config below:

C:\Users\Administrator>systeminfo

Host Name:                 DC01
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-70000-00000-AA587
Original Install Date:     5/23/2023, 10:22:52 AM
System Boot Time:          5/23/2023, 9:04:04 PM
System Manufacturer:       Microsoft Corporation
System Model:              Virtual Machine
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 140 Stepping 1 GenuineIntel ~1805 Mhz
BIOS Version:              Microsoft Corporation Hyper-V UEFI Release v4.1, 4/6/2022
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,739 MB
Available Physical Memory: 830 MB
Virtual Memory: Max Size:  4,147 MB
Virtual Memory: Available: 2,020 MB
Virtual Memory: In Use:    2,127 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    lab.local
Logon Server:              \\DC01
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5004335
                           [02]: KB5005112
                           [03]: KB5005030
Network Card(s):           1 NIC(s) Installed.
                           [01]: Microsoft Hyper-V Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.1.120
                                 [02]: fe80::90d2:35ec:fc30:200f
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Just cloned the repo now and noticed that even after providing --filter-pipe-name, it scans all of them:

[screenshot]
p0dalirius commented 1 year ago

I opened an issue for the --filter-pipe-name option and will fix it (https://github.com/p0dalirius/Coercer/issues/54)

p0dalirius commented 1 year ago

Well yes, if you have Responder running and use Coercer in scan mode, it cannot work, since Responder is listening on port 445 to receive incoming SMB authentications and Coercer will do the same.

In scan mode you need to be able to listen on port 445 on your machine.
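A pre-flight check for the clash described above, added here as an example (it is not part of Coercer and not code from either participant): before starting a scan, try to bind the local port Coercer's scan mode needs (445 by default, the port Responder also takes) and report whether it is free, already held by another process, or unavailable because binding a privileged port needs root. The function names, the default port list and the demo helper are assumptions made for this example.

```python
import errno
import socket

# Added example, not Coercer's own code. Coercer scan mode must listen on
# TCP 445 itself, so a Responder instance (or the host's own SMB server)
# already bound to 445 makes the scan silently fail. Detect that up front.

# Windows reports winsock error codes (WSAEADDRINUSE = 10048) instead of
# the POSIX errno values, so accept both.
_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", 10048)}
_DENIED = {errno.EACCES, errno.EPERM, getattr(errno, "WSAEACCES", 10013)}


def port_status(port: int, host: str = "0.0.0.0") -> str:
    """Try to bind host:port and classify the result.

    Returns "free", "in_use" (another listener such as Responder holds it),
    "permission_denied" (ports < 1024 need root / CAP_NET_BIND_SERVICE) or
    "error:<strerror>" for anything else. The probe socket is closed again
    immediately, so it never keeps the port for itself.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Deliberately no SO_REUSEADDR: we want the same answer Coercer's own
        # listener would get when it tries to bind.
        s.bind((host, port))
        return "free"
    except OSError as e:
        if e.errno in _IN_USE:
            return "in_use"
        if e.errno in _DENIED:
            return "permission_denied"
        return "error:%s" % (e.strerror or e.errno)
    finally:
        s.close()


def scan_mode_preflight(ports=(445,), host: str = "0.0.0.0") -> dict:
    """Check every port scan mode needs (assumed: only 445) and explain failures."""
    advice = {
        "free": "ok",
        "in_use": "stop the other listener on this port (e.g. Responder) first",
        "permission_denied": "binding this port needs root / CAP_NET_BIND_SERVICE",
    }
    report = {}
    for port in ports:
        status = port_status(port, host)
        report[port] = (status, advice.get(status, "unexpected bind error"))
    return report


def demo_clash() -> tuple:
    """Reproduce the conflict locally: hold an ephemeral port the way
    Responder holds 445, probe it, release it, probe again."""
    blocker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    blocker.bind(("127.0.0.1", 0))      # kernel picks a free port
    blocker.listen(1)
    port = blocker.getsockname()[1]
    while_held = port_status(port, "127.0.0.1")
    blocker.close()
    after_release = port_status(port, "127.0.0.1")
    return while_held, after_release


if __name__ == "__main__":
    for port, (status, hint) in scan_mode_preflight().items():
        print("tcp/%d: %s (%s)" % (port, status, hint))
    print("demo:", demo_clash())
```

Run it as the same user that will run Coercer: a "permission_denied" result on 445 means the scan would fail for lack of privileges, not because of Responder, and an "in_use" result means something (Responder, or Samba/the Windows SMB server on the attacking host) must be stopped before scan mode can receive the coerced authentications.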

Shawn24pr commented 1 year ago

Closing