PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions.

Overview

PetitPotam

PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions :)

The tools use the LSARPC named pipe with inteface c681d488-d850-11d0-8c52-00c04fd90f7e because it's more prevalent. But it's possible to trigger with the EFSRPC named pipe and interface df1941c5-fe89-4e79-bf10-463657acf44d. It doesn't need credentials against Domain Controller :D

Disabling the EFS service seems not to mitigate the "feature".

The Python one require Impacket to be installed, the Windows PoC was done on VS 2019 Community. If compilation problem, remember to add Rpcrt4.lib in the linker. Compile in x86.

Inspired by the previous work on MS-RPRN from @tifkin_ & @elad_shamir and others SpecterOps guys.

Incomplete patch from Microsoft :) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942

MS-EFSRPC - Encrypting File System Remote (EFSRPC) Protocol https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31

image

Issues
  • Patched by mistake from Microsoft

    Patched by mistake from Microsoft

    Regarding this KB https://attackerkb.com/topics/TEBmUAfeCs/cve-2021-36942?referrer=home Microsoft patched the EFSRPC for another issue, now needing packet-level privacy. Is this possible to integrate in PetitPotam?

    opened by PfiatDe 4
  • ntlmrelayx.exe unrecognized arguments --adcs / --template

    ntlmrelayx.exe unrecognized arguments --adcs / --template

    Hello,

    I tried using the ntlmrelayx.exe that was provided in the repo but unfortunately it does not recognize the --adcs flag which I from my understanding is needed to exploit the ADCS - did I do something wrong or is the binary not working?

    image

    opened by maikroservice 3
  • ERROR_INVALID_NAME when using EfsRPCEncryptFileSrv

    ERROR_INVALID_NAME when using EfsRPCEncryptFileSrv

    Trying to exploit this in a live enironment I get:

    [-] Connecting to ncacn_np:172.20.247.109[\PIPE\lsarpc]
    [+] Connected!
    [+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
    [+] Successfully bound!
    [-] Sending EfsRpcOpenFileRaw!
    [-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
    [+] OK! Using unpatched function!
    [-] Sending EfsRpcEncryptFileSrv!
    Something went wrong, check error status => EFSR SessionError: code: 0x7b - ERROR_INVALID_NAME - The filename, directory name, or volume label syntax is incorrect.
    

    PetitPotam Version: 2ae559f938e67d0cd59c5afcaac67672b9ef2981 Impacket Version: impacket==0.9.22 (Kali Repos) EDIT: Also tried with latest impacket release (0.9.23)

    From what I can understand the target might have the patch applied, but as far as I understand that does not patch all possible functions. Petitpotam seems to fail when trying one of the alternatives (EfsRpcEncryptFileSrv).

    opened by er4z0r 1
  • Added alternate EFS APIs to native windows version

    Added alternate EFS APIs to native windows version

    Hi,

    I added a couple of the alternate EFS APIs to the c-version of your tool so you can test without impacket. I did not include the exe in the pull since I don't know how you feel about publishing precompiled executables from strangers ;-)

    Thanks, Christoph

    opened by cfalta 1
  • [help wanted] AD CS /certsrv Endpoint authentication failed.

    [help wanted] AD CS /certsrv Endpoint authentication failed.

    First of all, thanks for your excellent research work.

    I'm trying to reproduce it using a Windows Server 2012 R2 with no patches installed either automatically or manually.

    I installed AD CS using all default options offered by the setup wizard.

    When I invoke the Python script from your repo and cooperate it with ntlmrelayx from https://github.com/ExAndroidDev/impacket/tree/ntlmrelayx-adcs-attack , it just kept telling me HTTP 401 Unauthorized.

    Since it's totally all default situation, I have no idea what's wrong with it to reproduce.

    More information might be useful for debugging:

    • Certificate can be requested via any other machine in the domain. DC itself also has a certificate. Any other machine also can request machine account certificate in GUI.
    • Web Endpoint /certsrv will ask for human user credential, then it works as intended. But in this situation, machine account NTLM authentication seems not to work.
    • If I replace ntlmrelayx with responder, I could successfully get a response and hash capture notice from responder, which means, at least, NTLM Relay part, works fine.

    Thanks for your help in advance.

    opened by kmahyyg 1
  • Use other func in efs to bypass MS August patch

    Use other func in efs to bypass MS August patch

    Use other func in efs to bypass MS August patch. there are many other func in efs rpc, similar to the original PetitPotam. (After fuzzing win10 rpc)

    info: https://twitter.com/red4blue_sec/status/1425475468715769858

    opened by red4blue 1
  • NameError: name 'RPC_C_AUTHN_WINNT' is not defined

    NameError: name 'RPC_C_AUTHN_WINNT' is not defined

    Hello,

    Following the previous patch to force the use of Privacy Level AUthentication (https://github.com/topotam/PetitPotam/issues/14), the Python script generate the following error: Traceback (most recent call last): File "XXX/PetitPotam.py", line 448, in <module> main() File "XXX/PetitPotam.py", line 441, in main dce = plop.connect(username=options.username, password=options.password, domain=options.domain, lmhash=lmhash, nthash=nthash, target=options.target, pipe=options.pipe, doKerberos=options.k, dcHost=options.dc_ip, targetIp=options.target_ip) File "XXX/PetitPotam.py", line 353, in connect dce.set_auth_type(RPC_C_AUTHN_WINNT) NameError: name 'RPC_C_AUTHN_WINNT' is not defined

    I think you need to add the following line to the imports: from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_WINNT

    opened by Majjz 0
  • Kerberos auth support

    Kerberos auth support

    added Kerberos auth support (without thorough testing, but where I tried it worked flawlessly).

    • a basic fix for compiling the C version on default Visual Studio 2019 setups.
    opened by tothi 0
  • Fixed pass-the-hash

    Fixed pass-the-hash

    Function rpctransport.set_credentials was called with arguments in a wrong order (nthash was at lmhash's place) preventing pass-the-hash from working.

    opened by ShutdownRepo 0
Owner
Topotam
All I know is that I know nothing. I like Windows, Active Directory and IoT/Hardware hacking.
Topotam
Playbit System interface defines an OS-like computing platform which can be implemented on a wide range of hosts

PlaySys The Playbit System interface PlaySys defines an OS-like computing platform which can be implemented on a wide range of hosts like Linux, BSD,

Playbit 227 Jun 22, 2022
This is the repo that hosts the code for Mozilla's translation service

Translation service HTTP service that uses bergamot-translator and compressed neural machine translation models for fast inference on CPU. Running loc

Mozilla 11 Jun 21, 2022
Two PoC of accessing process virtual memory via NT Kernel

ProcessVmAccess Two PoC of accessing process virtual memory via NT Kernel Detail You've never interested in accessing process virtual memory through N

Kento Oki 15 Jun 15, 2022
Serial Data Monitor is a multiplatform (Windows, Linux, Mac, ...) tool to interactively receive/edit/monitor data and send commands to an embedded system via the serial bus

See wiki for full documentation Serial Data Monitor Description Serial Data Monitor is a multiplatform (Windows, Linux, Mac, ...) tool to interactivel

monnoliv 4 Oct 29, 2021
Libft is an individual project at 42 that requires us to re-create some standard C library functions including some additional ones that can be used later to build a library of useful functions for the rest of the program.

Libft is an individual project at 42 that requires us to re-create some standard C library functions including some additional ones that can be used later to build a library of useful functions for the rest of the program.

Paulo Rafael Ramalho 0 Apr 5, 2022
rdtsc x86 instruction to detect virtual machines

rdtsc_detector rdtsc x86 instruction to detect virtual machines What is rdtsc? The Time Stamp Counter (TSC) is a 64-bit register present on all x86 pr

null 4 Apr 29, 2022
⛵ The missing small and fast image decoding library for humans (not for machines).

Squirrel Abstract Image Library The missing fast and easy-to-use image decoding library for humans (not for machines). Target Audience • Features • Im

Dmitry Baryshev 169 Jun 26, 2022
A demonstration of various different techniques for implementing 'threaded code,' a technique used in Forth and in virtual machines like the JVM.

Threaded code is a technique used in the implementation of virtual machines (VMs). It avoids the overhead of calling subroutines repeatedly by 'thread

null 23 Jun 10, 2022
A shellcode crypto-packing tool for PoC (used with msfvenom payloads)

crypter A shellcode crypto-packing tool for PoC (used with msfvenom/binary payloads) This tool is for proof of concept only - please use responsibly.

ripmeep 11 May 30, 2022
A simple PoC to demonstrate that is possible to write Non writable memory and execute Non executable memory on Windows

WindowsPermsPoC A simple PoC to demonstrate that is possible to write Non writable memory and execute Non executable memory on Windows You can build i

Lorenzo Maffia 56 Jun 25, 2022
POC tool to convert CobaltStrike BOF files to raw shellcode

BOF2Shellcode POC tool to convert a Cobalt Strike BOF into raw shellcode. Introduction This code was written as part of a blog tutorial on how to conv

FalconForce 51 Jun 7, 2022
A cross-platform (Android/iOS/Windows/macOS) cronet plugin for Flutter via `dart:ffi`

cronet_flutter A cross-platform (Android/iOS/Windows/macOS) cronet plugin for Flutter via dart:ffi

null 20 Jun 15, 2022
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Kento Oki 134 Jun 17, 2022
A simple tool using PC mouse via USART to control MCU and LCD/OLED (with LVGL library), if your screen cannot be controlled by touch.

LVGL_USB_Mouse A simple tool using PC mouse via USART to control MCU and LCD/OLED (with LVGL library), if your screen cannot be controlled by touch. 如

k_ying 5 May 5, 2022
My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal.

CVE-2021-40449 My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal. short wu along with the UAF vulnerabilty other

hakivvi 29 Jun 15, 2022
Invoke functions with a spoofed return address. For 32-bit Windows binaries

Invoke functions with a spoofed return address. For 32-bit Windows binaries. Supports __fastcall, __thiscall, __stdcall and __cdecl calling conventions. Written in C++17.

Daniel Krupiński 53 Jun 19, 2022
Implements a Windows service (in a DLL) that removes the rounded corners for windows in Windows 11

ep_dwm Implements a Windows service that removes the rounded corners for windows in Windows 11. Tested on Windows 11 build 22000.434. Pre-compiled bin

Valentin-Gabriel Radu 16 Jun 18, 2022
PoC capable of detecting manual syscalls from usermode.

syscall-detect PoC capable of detecting manual syscalls from usermode. More information available at: https://winternl.com/detecting-manual-syscalls-f

null 104 Jun 20, 2022
PoC MSVC COFF Object file loader/injector.

COFFInjector A Proof of Concept code - loading and injecting MSVC object file. Blog post with explanation: https://0xpat.github.io/Malware_development

null 119 Jun 13, 2022