WebClient abuse (WebDAV)
Theory
Web Distributed Authoring and Versioning (WebDAV) is an extension to Hypertext Transfer Protocol (HTTP) that defines how basic file functions such as copy, move, delete, and create are performed by using HTTP (docs.microsoft.com)
The WebClient service needs to be enabled for WebDAV-based programs and features to work. As it turns out, the WebClient service can be indirectly abused by attackers to coerce authentications. This technique needs to be combined with other coercion techniques (e.g. PetitPotam, PrinterBug) to act as a booster for these techniques. It allows attackers to elicit authentications made over HTTP instead of SMB, hence heightening NTLM relay capabilities.
Practice
Recon
Attackers can remotely enumerate systems on which the WebClient is running, which is not uncommon in organizations that use OneDrive or SharePoint or when mounting drives with a WebDAV connection string.
From UNIX-like systems, this can be achieved with webclientservicescanner (Python) or using NetExec (Python).
Abuse
Regular coercion techniques rely on the attacker forcing a remote system to authenticate to another one. The "other" system is usually an IP address, a domain or NetBIOS name. With WebClient abuse, the other system needs to be supplied in a WebDAV Connection String format.
The WebDAV Connection String format is: \\SERVER@PORT\PATH\TO\DIR
.
To retrieve an authenticated connection, the remote server that attacker wants to victim to be relayed to should be considered in the intranet zone. One way to do it is to use the NetBIOS or DNS name of the attacker machine instead of its IP address.
In order to have a valid NetBIOS name, Responder can be used.
A heftier alternative is to do some ADIDNS poisoning to create and use a valid DNS entry.
Below are a few examples of WebClient abuse with PrinterBug and PetitPotam.
Start the WebClient service
On a side note, making a remote system start the WebClient service can be done in many ways
By mapping a remote WebDAV server. This can be done by having Responder's server up and by running the net use
cmdlet.
Resources
Last updated