GetWebDAVStatus.exe server 1, server 2, server3… On the compromised system’s terminal we can execute the binary to check webclient service’s status on any number of systems in the format: G0ldenGunSeccreated a tool in C# that is capable to query the mentioned named pipe using execute-assembly.
Lee Christensen observed that a query to the named pipe “DAV RPC SERVICE” can confirm this remotely as well. For the compromised local system, this can be checked using sc query webclientĪnd if it is in a stopped state, it can be started using sc start webclient PetitPotam or Print Spooler use the named pipe technique to exploit but first, we need to check if the web client is running or not. I highly recommend reading our blog posts about PetitPotam and Resource-Based Constrained Delegation hereand herefor a better understanding of this article. Now, to exploit, we will first trigger the machine account’s authentication to our attacker system (by setting up a responder server and using PetitPotam to force authentication) then we will relay the authentication information to LDAPS in order to configure RBCD (resource-based constrained delegation) and finally use delegation to generate a service ticket and takeover multiple workstations. In this article, we have already set up machines with WebClient up and running.
#Install webdav redirector server 2012 how to#
To learn how to activate it programmatically follow the link herebut we won’t be showing that here. One constraint of the technique is that WebClient is not active by default. Once the webclient service has been started you can verify it manually by the command sc query webclient Background Set-Service MRxDAV -StartupType Automatic Set-Service WebClient -StartupType Automatic Get-WindowsFeature WebDAV-Redirector | Format-Table –Autosize The service is disabled/stopped by default but can be installed by referring to the guide here.īut just to give you a rundown of the commands, setup can be done as follows: Install-WindowsFeature WebDAV-Redirector –Restart WebClient service allows users to connect to WebDav shares and write data onto the server.NET based servers (like IIS) always use WebClient service for giving users WebDav shares’ access while other servers might not. Table of ContentĪccording to Wikipedia, “WebDAV (Web Distributed Authoring and Versioning) is a set of extensions to the Hypertext Transfer Protocol (HTTP), which allows user agents to collaboratively author contents directly in an HTTP web server by providing facilities for concurrency control and namespace operations, thus allowing Web to be viewed as a writeable, collaborative medium and not just a read-only medium.” WebClient Service This relay can use Resource-Based Constrained Delegation abuse to compromise the relayed host.
Using PetitPotam or PrinterBug, an HTTP authentication can be coerced and relayed to LDAP(S) on domain controllers. Lee hypothesized in the tweet that PetitPotam can be used in conjunction with NTLM Relay+WebDAV abuse to cause lateral movement by creating machine accounts first, and then using Resource-Based Constrained Delegation to generate tickets for any user. In Certified Pre-Owned whitepaper a technique called ESC8 was discussed. The article is based on idea that a workstation takeover, also known as lateral movement, is possible by abusing WebDAV shares.
0 kommentar(er)
