coerce_plus cannot detect ShadowCoerce
But I was able to complete the attack using https://github.com/ShutdownRepo/ShadowCoerce
nxc debug information is below
nxc smb 10.10.10.11 -u redteam\test -p Admin@111 -M coerce_plus -o METHOD=ShadowCoerce --debug
[12:19:34] DEBUG NXC VERSION: 0.0.0 - NeedForSpeed - 6d4fdfd cli.py:26
DEBUG PYTHON VERSION: 3.11.9 (tags/v3.11.9:de54cf5, Apr 2 2024, 10:12:12) [MSC v.1938 64 bit (AMD64)] netexec.py:80
DEBUG RUNNING ON: Windows Release: 10 netexec.py:81
DEBUG Passed args: Namespace(version=False, threads=256, timeout=None, jitter=None, verbose=False, debug=True, no_progress=False, log=None, force_ipv6=False, dns_server=None, netexec.py:82
dns_tcp=False, dns_timeout=3, protocol='smb', target=['10.10.10.11'], username=['redteam\\test'], password=['Admin@111'], cred_id=[], ignore_pw_decoding=False,
no_bruteforce=False, continue_on_success=False, gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False, use_kcache=False, aesKey=None, kdcHost=None,
server='https', server_host='0.0.0.0', server_port=None, connectback_host=None, module=['coerce_plus'], module_options=['METHOD=ShadowCoerce'], list_modules=False,
show_module_options=False, hash=[], delegate=None, no_s4u2proxy=False, domain=None, local_auth=False, port=445, share='C$', smb_server_port=445, gen_relay_list=None,
smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, sccm=None, mkfile=None, pvk=None, enabled=False, userntds=None, shares=False, interfaces=False,
no_write_check=False, filter_shares=None, sessions=False, disks=False, loggedon_users_filter=None, loggedon_users=False, users=None, groups=None, computers=None,
local_groups=None, pass_pol=False, rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='', depth=None,
only_files=False, pattern=None, regex=None, put_file=None, get_file=None, append_host=False, exec_method='wmiexec', dcom_timeout=5, get_output_tries=100, codec='utf-8',
no_output=False, execute=None, ps_execute=None, obfs=False, amsi_bypass=None, clear_obfscripts=False, force_ps32=False, no_encode=False)
DEBUG Protocol: smb netexec.py:136
DEBUG Protocol Path: C:\Users\zr\AppData\Local\Temp\_MEI322722\nxc\protocols\smb.py netexec.py:139
DEBUG Protocol DB Path: C:\Users\zr\AppData\Local\Temp\_MEI322722\nxc\protocols\smb\database.py netexec.py:141
[12:19:35] DEBUG Protocol Object: <class 'protocol.smb'>, type: <class 'type'> netexec.py:144
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:146
DEBUG DB Path: C:\Users\zr/.nxc\workspaces\default\smb.db netexec.py:149
[12:19:37] DEBUG symmetric using "pyCryptodomex" for "DES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "TDES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "AES" __init__.py:55
DEBUG symmetric using "pyCryptodomex" for "RC4" __init__.py:55
DEBUG Modules to be Loaded for sanity check: ['coerce_plus'], <class 'list'> netexec.py:178
DEBUG Loading module for sanity check coerce_plus at path C:\Users\zr\AppData\Local\Temp\_MEI322722\nxc\modules\coerce_plus.py netexec.py:185
DEBUG Supported protocols: ['smb'] moduleloader.py:71
DEBUG Protocol: smb moduleloader.py:72
DEBUG Using proactor: IocpProactor proactor_events.py:633
DEBUG Creating ThreadPoolExecutor netexec.py:44
DEBUG Creating thread for <class 'protocol.smb'> netexec.py:47
INFO Socket info: host=10.10.10.11, hostname=10.10.10.11, kerberos=False, ipv6=False, link-local ipv6=False connection.py:163
DEBUG Kicking off proto_flow connection.py:225
DEBUG Creating SMBv1 connection to 10.10.10.11 smb.py:526
DEBUG Created connection object connection.py:230
[12:19:38] DEBUG Server OS: Windows Server 2016 Datacenter 14393 10.0 build 14393 smb.py:265
DEBUG Update Hosts: [{'id': 3, 'ip': '10.10.10.11', 'hostname': 'AD-2016', 'domain': 'redteam.com', 'os': 'Windows Server 2016 Datacenter 14393', 'dc': None, 'smbv1': True, database.py:256
'signing': True, 'spooler': None, 'zerologon': None, 'petitpotam': None}]
DEBUG add_host() - Host IDs Updated: [3] database.py:266
INFO Resolved domain: redteam.com with dns, kdcHost: 10.10.10.10 smb.py:304
DEBUG Creating SMBv1 connection to 10.10.10.11 smb.py:526
[12:19:38] INFO SMB 10.10.10.11 445 AD-2016 Windows Server 2016 Datacenter 14393 x64 (name:AD-2016) (domain:redteam.com) (signing:True) (SMBv1:True) smb.py:313
SMB 10.10.10.11 445 AD-2016 Windows Server 2016 Datacenter 14393 x64 (name:AD-2016) (domain:redteam.com) (signing:True) (SMBv1:True)
DEBUG Trying to authenticate using plaintext with domain connection.py:494
DEBUG Logged in with password to SMB with redteam/test smb.py:414
DEBUG self.is_guest=False smb.py:416
DEBUG Checking if user is admin on 10.10.10.11 smb.py:591
DEBUG Adding credential: redteam/test:Admin@111 smb.py:420
DEBUG Adding credentials: [{'id': 14, 'domain': 'redteam', 'username': 'test', 'password': 'Admin@111', 'credtype': 'plaintext', 'pillaged_from_hostid': None}] database.py:323
DEBUG smb hosts() - results: [(3, '10.10.10.11', 'AD-2016', 'redteam.com', 'Windows Server 2016 Datacenter 14393', None, True, True, None, None, None)] database.py:475
[12:19:38] INFO SMB 10.10.10.11 445 AD-2016 redteam\test:Admin@111 smb.py:427
SMB 10.10.10.11 445 AD-2016 redteam\test:Admin@111
INFO Loading modules for target: 10.10.10.11 connection.py:578
DEBUG Supported protocols: ['smb'] moduleloader.py:71
DEBUG Protocol: smb moduleloader.py:72
DEBUG Calling modules connection.py:235
DEBUG Loading module coerce_plus - <NXCModule.NXCModule object at 0x0000026F5E9B75D0> connection.py:270
DEBUG Loading context for module coerce_plus - <NXCModule.NXCModule object at 0x0000026F5E9B75D0> connection.py:280
DEBUG Module coerce_plus has on_login method connection.py:290
DEBUG Connecting to ncacn_np:10.10.10.11[\PIPE\Fssagentrpc] coerce_plus.py:242
DEBUG Something went wrong, check error status => SMB SessionError: code: 0xc0000034 - STATUS_OBJECT_NAME_NOT_FOUND - The object name is not found. coerce_plus.py:246
DEBUG Target is not vulnerable to ShadowCoerce coerce_plus.py:102
DEBUG Closing connection to: 10.10.10.11 connection.py:176
I have two possible explanations for this issue:
1. Differences in binding_params within coerce_plus
There are minor discrepancies between the original code and coerce_plus: https://github.com/Pennyw0rth/NetExec/blob/da8ef0f0fb37c1a6d73bb841b675f64d9d68b3c6/nxc/modules/coerce_plus.py#L222-L227
- In stringBinding, the original code uses "FssagentRpc" instead of "Fssagentrpc".
- For MSRPC_UUID_FSRVP, the original code specifies "3.0" instead of "1.0".
2. Missing auth_type setting
The original code sets the authentication type, but coerce_plus does not.
Try adding the following line above line 246 in coerce_plus.py: https://github.com/Pennyw0rth/NetExec/blob/da8ef0f0fb37c1a6d73bb841b675f64d9d68b3c6/nxc/modules/coerce_plus.py#L246
dce.set_auth_type(RPC_C_AUTHN_WINNT)
Also, make sure to import the necessary variables by adding the following line above line 5 in coerce_plus.py: https://github.com/Pennyw0rth/NetExec/blob/da8ef0f0fb37c1a6d73bb841b675f64d9d68b3c6/nxc/modules/coerce_plus.py#L5
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_WINNT, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_LEVEL_PKT_PRIVACY
Could you manually apply these changes and test if they resolve the issue? Unfortunately, I couldn’t test them myself as my environment does not have this vulnerability.
Thanks!
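When re-running the module with the suggested changes, it helps to know at which stage the check failed. This added helper (my own code, not part of NetExec) parses the three coerce_plus debug lines from the report above, copied here as a constructed sample, and labels the failure stage from the NTSTATUS of the named-pipe open; the status-to-stage mapping is my own summary of what those codes mean at that point in the transport.

```python
import re

# Constructed sample: the three coerce_plus debug lines from the nxc --debug run above
SAMPLE_LOG = """\
DEBUG Connecting to ncacn_np:10.10.10.11[\\PIPE\\Fssagentrpc] coerce_plus.py:242
DEBUG Something went wrong, check error status => SMB SessionError: code: 0xc0000034 - STATUS_OBJECT_NAME_NOT_FOUND - The object name is not found. coerce_plus.py:246
DEBUG Target is not vulnerable to ShadowCoerce coerce_plus.py:102
"""

CONNECT_RE = re.compile(r"Connecting to ncacn_np:(?P<host>[^\[]+)\[\\PIPE\\(?P<pipe>[^\]]+)\]")
ERROR_RE = re.compile(r"SessionError: code: (?P<code>0x[0-9a-fA-F]+) - (?P<name>[A-Z_]+)")
VERDICT_RE = re.compile(r"Target is (?P<verdict>not vulnerable|vulnerable) to (?P<method>\w+)")

# Which stage an SMB SessionError at the ncacn_np connect step points to.
# These errors come from opening the named pipe over SMB, i.e. before any RPC bind
# (interface UUID/version) or auth type is negotiated. Mapping is my own summary.
STAGE_BY_STATUS = {
    "STATUS_OBJECT_NAME_NOT_FOUND": "no named pipe with that name on the server; "
                                    "pipe open failed before any RPC bind",
    "STATUS_ACCESS_DENIED": "pipe exists but the session was refused access to it",
    "STATUS_PIPE_NOT_AVAILABLE": "pipe exists but no server instance is listening",
}


def triage(log_text):
    """Extract host, pipe, NTSTATUS, failure stage and module verdict from debug lines."""
    result = {"host": None, "pipe": None, "status": None, "stage": None,
              "verdict": None, "method": None}
    for line in log_text.splitlines():
        if (m := CONNECT_RE.search(line)):
            result["host"], result["pipe"] = m["host"], m["pipe"]
        elif (m := ERROR_RE.search(line)):
            result["status"] = m["name"]
            result["stage"] = STAGE_BY_STATUS.get(
                m["name"], "pipe open failed with unmapped status " + m["code"])
        elif (m := VERDICT_RE.search(line)):
            result["verdict"], result["method"] = m["verdict"], m["method"]
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:8}: {value}")
```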