This repository contains a list of many methods to coerce a windows machine to authenticate to an attacker-controlled machine.
All of these methods are callable by a standard user in the domain to force the machine account of the target Windows machine (usually a domain controller) to authenticate to an arbitrary target. The root cause of this "vulnerability/feature" in each of these methods is that Windows machines automatically authenticate to other machines when trying to access UNC paths (like \\192.168.2.1\SYSVOL\file.txt).
There is currently 15 known methods in 5 protocols.
🎉 A lot of new methods are yet to be tested, if you want to try them: possible-working-calls This list will be triaged over time, eventhough I automated most of the work and autogenerated python proof of concept for each call, it takes time to triage these 240+ RPC calls.
-
[MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol
-
[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol
- Remote call to EfsRpcOpenFileRaw (opnum 0)
- Remote call to EfsRpcEncryptFileSrv (opnum 4)
- Remote call to EfsRpcDecryptFileSrv (opnum 5)
- Remote call to EfsRpcQueryUsersOnFile (opnum 6)
- Remote call to EfsRpcQueryRecoveryAgents (opnum 7)
- Remote call to EfsRpcFileKeyInfo (opnum 12)
- Remote call to EfsRpcDuplicateEncryptionInfoFile (opnum 13)
- Remote call to EfsRpcAddUsersToFileEx (opnum 15)
-
[MS-FSRVP]: File Server Remote VSS Protocol
-
[MS-PAR]: Print System Asynchronous Remote Protocol
-
[MS-RPRN]: Print System Remote Protocol
Feel free to open a pull request to add new methods.