
Windows NTLM proxy with wininet: Bypass TLS settings

Open cmprmsd opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe.
Since PR https://github.com/BishopFox/sliver/pull/647 you can use wininet as proxy lib for Windows. This lib does respect Microsoft's settings for TLS in "Internet Properties". In order to successfully connect to C2 you will sometimes (in our case e.g.) need TLS 1.2+. Currently the connection fails if the internet properties are not updated via the Windows UI or registry settings.

Describe the solution you'd like
If wininet is used, the module should be able to overwrite/bypass this setting automatically or by additional flag.

Describe alternatives you've considered
Not using wininet is an option. However, you'll use cached NTLM credentials that way.

Additional context
Error message when only TLS 1.0 is set: [screenshot]

The setup is OPNSense with NTLM authentication as http proxy in the client's Windows proxy settings. Works for Firefox and Edge, but refuses to work with Sliver.

I searched for the error message that winapi returns (winapi error 12029) and this led to a setting in Windows for TLS support. The server expects TLS 1.2+ whereas the client connects via TLS 1.0 (default setting in some Windows versions) when using wininet.


Is there a way to tell the client using wininet lib to ignore these "Internet Properties" settings and use any TLS version? Without modifying the settings the client will not be able to communicate to the C2 framework.

Regarding wininet and this issue I found only this question on stackoverflow without any answers: https://stackoverflow.com/questions/48600135/how-to-programmatically-change-the-ssl-tls-support-using-wininet

cmprmsd avatar Jul 18 '22 14:07 cmprmsd
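The issue above comes down to the "Internet Properties" protocol bitmask that WinINet honours on the client. The following PowerShell is an added diagnostic example, not code from the Sliver project or from the reporter: it decodes the SecureProtocols value (bit values are the Schannel SP_PROT_*_CLIENT constants) so an administrator can see why a WinINet client cannot reach a TLS 1.2+ server, and it shows the TLS 1.0-only state from the thread beside a hardened value. The registry paths are standard Windows locations; whether the machine-wide (HKLM) value exists at all depends on the host.

```powershell
# Added example: decode the WinINet "Internet Properties" SecureProtocols mask.
# Bit values follow the Schannel SP_PROT_*_CLIENT constants.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
    'TLS 1.3' = 0x2000
}

function Get-SecureProtocolsValue {
    param([string]$Hive = 'HKCU')
    $key  = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $item = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return [int]$item.SecureProtocols
}

function ConvertFrom-SecureProtocols {
    param([int]$Mask)
    $enabled = foreach ($name in $ProtocolBits.Keys) {
        if ($Mask -band $ProtocolBits[$name]) { $name }
    }
    $modern = $ProtocolBits['TLS 1.2'] -bor $ProtocolBits['TLS 1.3']
    $legacy = $ProtocolBits['SSL 2.0'] -bor $ProtocolBits['SSL 3.0'] -bor
              $ProtocolBits['TLS 1.0'] -bor $ProtocolBits['TLS 1.1']
    [pscustomobject]@{
        Mask      = ('0x{0:X}' -f $Mask)
        Enabled   = ($enabled -join ', ')
        Tls12Plus = [bool]($Mask -band $modern)   # false => cannot reach a TLS 1.2+ server
        Legacy    = [bool]($Mask -band $legacy)   # true  => weak protocols still offered
    }
}

# Live check of the current user and the machine-wide setting.
foreach ($hive in 'HKCU', 'HKLM') {
    $mask = Get-SecureProtocolsValue -Hive $hive
    if ($null -eq $mask) { Write-Output "${hive}: SecureProtocols not set (OS default applies)"; continue }
    $r = ConvertFrom-SecureProtocols -Mask $mask
    Write-Output "${hive}: $($r.Mask) -> $($r.Enabled); TLS 1.2+: $($r.Tls12Plus); legacy: $($r.Legacy)"
}

# Constructed sample values, not read from a machine: 0x80 is the TLS 1.0-only
# state described in the issue; 0x2800 allows only TLS 1.2 and 1.3.
ConvertFrom-SecureProtocols -Mask 0x80   | Format-List
ConvertFrom-SecureProtocols -Mask 0x2800 | Format-List
```

A client whose decoded mask reports Tls12Plus as false will fail against a server that requires TLS 1.2 or newer, whichever proxy library is in use.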

It seems Microsoft will take care of this issue via a Windows update (September 13, 2022) :rofl: https://www.neowin.net/news/microsoft-will-turn-off-tls-10-and-11-in-internet-explorer-and-edgehtml-on-september-13/

cmprmsd avatar Aug 19 '22 09:08 cmprmsd

Currently I have no time to test it out, but the commit https://github.com/BishopFox/sliver/commit/e65629e089fc056664000312af96bd28d380df2b should fix this behavior, right?

Not sure about the comment in the first lines of the commit though, as MS decided to disable TLS 1.0 and TLS 1.1, but not TLS 1.2.

cmprmsd avatar Oct 06 '22 10:10 cmprmsd

That commit just fixes partial compatibility problems, but note the commit is setting the minimum TLS version; TLSv1.2 and TLSv1.3 are always supported by the sliver server.

moloch-- avatar Oct 08 '22 09:10 moloch--