
[Modules] - NTLMv1 - Enhanced ntlmv1 module to perform checks without admin rights #260

Open. Wants to merge 1 commit into base: main

Conversation

MrrRaph (Author)

@MrrRaph MrrRaph commented Apr 17, 2024

The implementation of the ntlmv1 module was only usable when we had admin rights or were able to perform Remote Registry operations; hence, it was not useful when you were trying to exploit/check the vulnerability before compromising the computer.

I refactored the module to perform remote operations first and fall back to exploitation when a DCERPCException is raised.

The way I implemented it, it will set up an SMB server and trigger an authentication with efs_rpc_open_file_raw, each in a new process, to be able to stop them easily. However, the code is not perfect, especially where inter-process communication is needed; I just developed it and wanted to share it in case someone has ideas to improve it.

Currently, it is no longer possible to run it against multiple targets in parallel due to the smbserver being started (which cannot be started since tcp/445 is busy).

@Marshall-Hallenbeck (Collaborator)

@MrrRaph sorry maybe I'm not understanding, but how does this differ from the petitpotam module? The ntlmv1 module is just there to check if ntlmv1 is enabled.

MrrRaph (Author) commented Jun 9, 2024

@MrrRaph sorry maybe I'm not understanding, but how does this differ from the petitpotam module? The ntlmv1 module is just there to check if ntlmv1 is enabled.

@Marshall-Hallenbeck, the ntlmv1 module is only capable of checking if ntlmv1 is enabled when you have administrative rights on the targeted computer (or are able to remotely read registry keys).
My goal was to enhance the ntlmv1 module's capabilities to check whether the targeted computer is authenticating to a listener host using NTLMv1 authentication on an smbserver.

It completely differs from the petitpotam module, since the petitpotam module only performs a check on the remote pipe response from an attempt to execute a remote procedure call, and it does not check that the targeted computer is effectively authenticating to the listener host; hence, it is only used to check, barely, if a DC is vulnerable to Pre-Authenticated PetitPotam (which comes with a CVE/fix from MS: CVE-2022-26925, CVE-2021-36942...).

I hope you are understanding my point and the differences between those modules and the purpose of my addition to this module :)
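The check described in the comment above depends on what the listener actually observes: an SMB server cannot read the target's registry, but it does receive the NTLM AUTHENTICATE_MESSAGE, and the shape of that message tells you whether the client answered with an NTLMv1 or an NTLMv2 response (the client's LmCompatibilityLevel policy governs which one it sends). The following is an added example, not code from the pull request or from NetExec, of the classification a listener-side detector or a packet-capture review would apply. Per MS-NLMP, a 24-byte NtChallengeResponse is NTLMv1, a longer one whose NTLMv2_RESPONSE header reads 0x01 0x01 is NTLMv2, and NTLMv1 with extended session security is recognisable by an LmChallengeResponse of an 8-byte client challenge followed by 16 zero bytes. The sample messages are constructed filler (no real hashes or captured traffic); the `build_authenticate` helper and the names `classify_ntlm_authenticate` and `ntlmv1_users` are assumptions of this example.

```python
import struct

# MS-NLMP constants (real values from the specification)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000


def _field(buf: bytes, at: int):
    """Decode an MS-NLMP field descriptor: Len (2), MaxLen (2), BufferOffset (4), little-endian."""
    length, _max_len, offset = struct.unpack_from("<HHI", buf, at)
    return length, offset


def classify_ntlm_authenticate(msg: bytes) -> dict:
    """Classify an NTLM AUTHENTICATE_MESSAGE by the shape of its challenge responses."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError(f"expected AUTHENTICATE_MESSAGE (3), got {msg_type}")

    lm_len, lm_off = _field(msg, 12)
    nt_len, nt_off = _field(msg, 20)
    dom_len, dom_off = _field(msg, 28)
    usr_len, usr_off = _field(msg, 36)
    (flags,) = struct.unpack_from("<I", msg, 60)

    # Offsets are absolute within the message; reject descriptors that point past the end.
    for length, off in ((lm_len, lm_off), (nt_len, nt_off), (dom_len, dom_off), (usr_len, usr_off)):
        if off + length > len(msg):
            raise ValueError("field descriptor points outside the message")

    lm_resp = msg[lm_off:lm_off + lm_len]
    nt_resp = msg[nt_off:nt_off + nt_len]
    # Strings are UTF-16LE when NEGOTIATE_UNICODE is set, otherwise OEM (approximated as ASCII here).
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    domain = msg[dom_off:dom_off + dom_len].decode(enc, errors="replace")
    user = msg[usr_off:usr_off + usr_len].decode(enc, errors="replace")

    ess = False
    if nt_len == 0 and lm_len <= 1:
        kind = "anonymous"          # empty NT response, empty or single-NUL LM response
    elif nt_len == 24:
        kind = "NTLMv1"             # NTLM (v1) response is always 24 bytes
        ess = lm_len == 24 and lm_resp[8:] == bytes(16)   # client nonce + 16 zero bytes = NTLM2 session
    elif nt_len > 24 and nt_resp[16:18] == b"\x01\x01":
        kind = "NTLMv2"             # NTProofStr(16) then RespType/HiRespType 0x01 0x01
    else:
        kind = "unknown"

    return {"kind": kind, "ess": ess, "user": user, "domain": domain, "flags": flags}


def build_authenticate(lm_resp: bytes, nt_resp: bytes, domain: str, user: str,
                       workstation: str = "", flags: int = NTLMSSP_NEGOTIATE_UNICODE) -> bytes:
    """Build a minimal AUTHENTICATE_MESSAGE (64-byte fixed part, no Version/MIC) for testing.
    The response blobs passed in are constructed filler, not real hashes."""
    blobs = [lm_resp, nt_resp,
             domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]          # b"" = EncryptedRandomSessionKey
    fields, payload, offset = b"", b"", 64
    for blob in blobs:
        fields += struct.pack("<HHI", len(blob), len(blob), offset)
        payload += blob
        offset += len(blob)
    return NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + fields + struct.pack("<I", flags) + payload


# Constructed sample messages (filler bytes, not real credentials or captured traffic).
SAMPLES = {
    "v1":        build_authenticate(b"\xbb" * 24, b"\xaa" * 24, "CORP", "alice"),
    "v1_ess":    build_authenticate(b"\xcc" * 8 + bytes(16), b"\xaa" * 24, "CORP", "bob",
                                    flags=NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
    "v2":        build_authenticate(b"\xff" * 16 + b"\xee" * 8,                       # LMv2: HMAC + client challenge
                                    b"\xdd" * 16 + b"\x01\x01" + bytes(6) + bytes(8)  # NTProofStr, header, timestamp
                                    + b"\xee" * 8 + bytes(4) + bytes(4),              # client challenge, reserved, MsvAvEOL
                                    "CORP", "carol"),
    "anonymous": build_authenticate(b"\x00", b"", "", ""),
}


def ntlmv1_users(messages) -> list:
    """Return 'DOMAIN\\user' for every message that used NTLMv1: the finding a listener would report."""
    hits = []
    for m in messages:
        info = classify_ntlm_authenticate(m)
        if info["kind"] == "NTLMv1":
            hits.append(f"{info['domain']}\\{info['user']}" + (" (ESS)" if info["ess"] else ""))
    return hits


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify_ntlm_authenticate(blob))
    print("NTLMv1 clients:", ntlmv1_users(SAMPLES.values()))
```

The ESS case matters for the question raised in this thread: a client at LmCompatibilityLevel 1 or 2 still sends a 24-byte NTLMv1 response, so a listener-side check has to report it as NTLMv1 rather than treat the extended-session-security flag as "fixed"; the parser also refuses field descriptors that reach outside the message, which a detector fed with arbitrary network input should always do.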

@mpgn (Collaborator)

mpgn commented Jun 9, 2024

For this to work you need:

  • run nxc as sudo
  • not having an smbserver/responder running

I see some Process(...) in the code also :'(

MrrRaph (Author) commented Jun 9, 2024

@mpgn Yes, not necessarily running as sudo, but at least with CAP_NET_ADMIN to be able to listen on 445 (since it's a privileged port).
The multiprocess part is to be able to start an SMB server and also trigger a coerced auth with petitpotam (by using the petitpotam module). It could be changed to threads instead of processes, I think.

@Marshall-Hallenbeck (Collaborator)

@MrrRaph If anything this should be its own module, not re-writing the ntlmv1 module. This is essentially just auto-exploiting the petitpotam vuln, which is nice, but I think it'd be better if you just updated that module to allow for the listening server... it'd make way more sense to me.

@mpgn do you agree with that?

MrrRaph (Author) commented Jun 23, 2024

@Marshall-Hallenbeck I understand your point, but for me it was to be written inside this module since it is related to it.
However, when you have administrative rights, the module works like before; you do not need administrative rights at all, since the SMB server will try to come up when a DCERPCException is caught (hence, when there is an error when trying to read registry keys).

But when you do not have administrative rights on the targeted computer, you will need to exploit the vulnerability (without knowing whether the computer will effectively answer back with an NTLMv1 challenge); it's for this case that I thought it could be integrated into the module to auto-exploit multiple targets.
