Coercer
[enhancement] Add CheeseOunce
https://github.com/evilashz/CheeseOunce
It's in the plans ;)
Added in https://github.com/p0dalirius/Coercer/commit/a8fd0373b0ae41999f4337304558e9ad4b1611fe
Hello,
The author of the CheeseOunce recently noted on the repo: "The MS-EVEN running under the NT AUTHORITY\LOCAL SERVICE account, and this account can't provide valid credentials during network authentication so, in the NTLMRelay attacking, it can't work."
Is he/she right? Or maybe partially, as it does seem to sometimes provide authentication if I believe your screenshot?
If the person is right, is this still a protocol that is interesting to test for coercions? If not, shouldn't it be described in the windows-coerced-authentication-methods repo? Or maybe it is just a lack of time to do so, which I can understand!
Hi,
He is absolutely right, and that checks out with my tests.
It is a lack of time, but it should be added, yes :) windows-coerced-authentication-methods in MS-EVEN. Hopefully I will have more time soon, as I have many things to append in here.
Best regards,
Oops, I didn't see that the repo had a "possible-working-calls" folder, I was only looking in the "methods" folder. Great! Thank you for your quick answer, for the documentation, and for the tool in itself 👍
So, maybe Coercer shouldn't test for MS-EVEN? To prevent users of the tool from thinking that this could lead to an authentication received, where in fact it does not provide authentication, and is therefore useless if I'm not mistaken.