Windows NTLM proxy with wininet: Bypass TLS settings
Is your feature request related to a problem? Please describe. Since PR https://github.com/BishopFox/sliver/pull/647 you can use wininet as proxy lib for Windows. This lib does respect Microsoft's settings for TLS in "Internet Properties". In order to successfully connect to C2 you will sometimes (in our case, for example) need TLS 1.2+. Currently the connection fails if the internet properties are not updated via the Windows UI or registry settings.
Describe the solution you'd like If wininet is used, the module should be able to overwrite/bypass this setting automatically or by additional flag.
Describe alternatives you've considered Not using wininet is an option. However, you'll use cached NTLM credentials that way.
Additional context
Error message when only TLS 1.0 is set:
The setup is OPNSense with NTLM authentication as http proxy in the client's Windows proxy settings. Works for Firefox and Edge, but refuses to work with Sliver.
I searched for the error message that winapi returns (winapi error 12029) and this led to a setting in Windows for TLS support. The server expects TLS 1.2+ whereas the client connects via TLS 1.0 (default setting in some Windows versions) when using wininet.
Is there a way to tell the client using wininet lib to ignore this "Internet Properties" settings and use any TLS version? Without modifying the settings the client will not be able to communicate to the C2 framework.
Regarding wininet and this issue I found only this question on stackoverflow without any answers: https://stackoverflow.com/questions/48600135/how-to-programmatically-change-the-ssl-tls-support-using-wininet
It seems Microsoft will take care of this issue via a Windows update (September 13, 2022) :rofl: https://www.neowin.net/news/microsoft-will-turn-off-tls-10-and-11-in-internet-explorer-and-edgehtml-on-september-13/
Currently I have no time to test it out, but the commit https://github.com/BishopFox/sliver/commit/e65629e089fc056664000312af96bd28d380df2b should fix this behavior, right?
Not sure about the comment in the first lines of the commit though, as MS decided to disable TLS 1.0 and TLS 1.1, but not TLS 1.2.
That commit just fixes partial compatibility problems, but note the commit is setting the minimum TLS version; TLSv1.2 and TLSv1.3 are always supported by the sliver server.
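The failure the thread describes, as an added example that is not Sliver's code: a Go model of a server that enforces a minimum TLS version (what the commit in the last comment does for the Sliver server, which is written in Go and uses crypto/tls) negotiating with a client whose maximum version is capped the way the "Internet Properties" setting caps wininet. The SecureProtocols bit values are the SP_PROT_*_CLIENT constants from schannel.h that the DWORD under Internet Settings uses. The in-memory pipe, the throwaway self-signed certificate and InsecureSkipVerify are test-harness assumptions for running offline, not something an implant would do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Bits of the WinINet "SecureProtocols" DWORD under
// ...\Microsoft\Windows\CurrentVersion\Internet Settings, the value behind the
// TLS checkboxes in Internet Properties > Advanced. They match the
// SP_PROT_*_CLIENT constants in schannel.h.
const (
	spTLS10 uint32 = 0x80
	spTLS11 uint32 = 0x200
	spTLS12 uint32 = 0x800
	spTLS13 uint32 = 0x2000
)

// highestClientVersion returns the highest TLS version a wininet client may
// offer for the given SecureProtocols value; ok is false when no TLS version
// is enabled at all (zero, or only the SSL 2/3 bits).
func highestClientVersion(secureProtocols uint32) (version uint16, ok bool) {
	switch {
	case secureProtocols&spTLS13 != 0:
		return tls.VersionTLS13, true
	case secureProtocols&spTLS12 != 0:
		return tls.VersionTLS12, true
	case secureProtocols&spTLS11 != 0:
		return tls.VersionTLS11, true
	case secureProtocols&spTLS10 != 0:
		return tls.VersionTLS10, true
	}
	return 0, false
}

// selfSignedCert builds a throwaway ECDSA certificate for the test server
// (constructed for the example; a real server uses its own certificate).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "c2.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake runs one TLS handshake over an in-memory pipe. The server enforces
// serverMin; the client is capped at clientMax, which is what the registry
// setting does to wininet. It returns the negotiated version, or the error the
// client sees (the counterpart of wininet's 12029 in the thread).
func handshake(serverMin, clientMax uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	cconn, sconn := net.Pipe()
	defer cconn.Close()
	defer sconn.Close()

	srvErr := make(chan error, 1)
	go func() {
		srv := tls.Server(sconn, &tls.Config{
			Certificates:           []tls.Certificate{cert},
			MinVersion:             serverMin,
			SessionTicketsDisabled: true, // keep the server flight to the handshake itself
		})
		srvErr <- srv.Handshake()
	}()

	cli := tls.Client(cconn, &tls.Config{
		InsecureSkipVerify: true, // harness only: the cert above is self-signed
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         clientMax,
	})
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	// 0x80: TLS 1.0 only; 0xA80: TLS 1.0-1.2; 0x2A80: TLS 1.0-1.3 (values assumed for the demo).
	for _, reg := range []uint32{0x80, 0xA80, 0x2A80} {
		max, ok := highestClientVersion(reg)
		if !ok {
			fmt.Printf("SecureProtocols=0x%x: no TLS version enabled\n", reg)
			continue
		}
		v, err := handshake(tls.VersionTLS12, max)
		if err != nil {
			fmt.Printf("SecureProtocols=0x%x (client max %s): %v\n", reg, versionName(max), err)
			continue
		}
		fmt.Printf("SecureProtocols=0x%x: negotiated %s\n", reg, versionName(v))
	}
}
```

With the server at MinVersion TLS 1.2, a client capped at TLS 1.0 or 1.1 is rejected with a protocol_version alert, while a client allowed TLS 1.2 or 1.3 connects. On the Windows host the same question is answered by reading the DWORD, for example `Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' SecureProtocols` in PowerShell; if bit 0x800 is clear, a wininet client cannot reach a TLS 1.2-only server no matter what the server does.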