
Add WebClient Abuse Tactics

Open gjhami opened this issue 1 year ago • 2 comments

Add the following:

  • Describe that even when not currently running, the WebClient service can be remotely started using PetitPotam and other coercion methods.
  • Describe additional methods for getting 'intranet zoned' through DNS manipulation including Microsoft DHCP DNS abuse through DDSpoof, non-secure dynamic DNS updates, and DHCPv6 abuse.
  • Added notes on a tool I created for mass targeting, deployment, and cleanup of files capable of coercing HTTP authentication from user accounts via the WebClient service.

gjhami avatar Oct 29 '24 19:10 gjhami

I did some additional testing and there must have been some caching going on or I was mistaken the first time. PetitPotam and other methods will not start the WebClient service if it's not already running. Search Connectors or Library files viewed by a user on the machine in Explorer can start the service, but there aren't any methods I've found that can be performed by an attacker without remote access (RDP, WinRM, SSH, etc.) and that don't require user interaction. I will update the PR accordingly.

gjhami avatar Dec 16 '24 03:12 gjhami

Changing this PR to draft until it's updated

ShutdownRepo avatar Feb 15 '25 12:02 ShutdownRepo