coerce_plus: MS-EVEN not working #504
Comments
Haven't figured it out yet, but the first time I tested it, it didn't work, and the second time I tested it, it did work. Not sure what the problem was, but at least sometimes it works.
We had the same thought, but maybe it was just a false positive due to most of the time being used together with the other methods. In the reply you posted in the merge request, you said that it worked, and according to the screenshot no authentication data was sent. Additionally, the service runs network restricted, so I do not see how it could work at all. Or are there Windows versions where the eventlog service is not running as network restricted?
Looking at the Wireshark traffic, you might be right: there is no auth info sent in the NTLM request. Maybe there is an edge case where the service isn't running in network restricted mode? What is really weird to me is that we still get a STATUS_SUCCESS back from the server when authenticating locally (only the DC though). That doesn't make sense to me.
If you do not see the message “Exploit Success, eventlog\ElfrOpenBELW” when using the LISTENER parameter, if the host's even/even6 RPC connection is available, it's an indicator for MS-Even.
The MS-EVEN method used in coerce_plus is not working on the machines I tested (Win 10, Win 11). There are connections being triggered, but they are null sessions. When I looked at the PR, it looks like @NeffIsBack had the same results in the screenshot: #300 (comment)
Are there any cases where this attack actually uses credentials?
NetExec info
EDIT: In the original POC ( https://github.com/evilashz/CheeseOunce ) the author says:
Maybe it should be removed?
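An added example, not part of the original thread or of NetExec's code: the null-session observation discussed above can be checked on a captured NTLM AUTHENTICATE message with the anonymous-authentication condition from MS-NLMP (empty user name, empty NT response, LM response empty or a single zero byte). The function names and the sample-message builder are constructed for illustration.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag

def _field(msg, pos):
    """Read a (Len, MaxLen, BufferOffset) descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Classify an NTLMSSP AUTHENTICATE_MESSAGE (type 3) as anonymous or credentialed."""
    if len(msg) < 64 or not msg.startswith(NTLMSSP_SIG):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE (type %d)" % msg_type)
    lm, nt = _field(msg, 12), _field(msg, 20)
    domain, user = _field(msg, 28), _field(msg, 36)
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM fallback
    # MS-NLMP anonymous case: no user, no NT response, LM empty or Z(1)
    anonymous = len(user) == 0 and len(nt) == 0 and lm in (b"", b"\x00")
    return {
        "anonymous": anonymous,
        "user": user.decode(enc, "replace"),
        "domain": domain.decode(enc, "replace"),
        "nt_response_len": len(nt),
    }

def build_sample(user, domain, nt, lm, flags=NEGOTIATE_UNICODE):
    """Constructed test input: minimal type 3 message without Version/MIC fields."""
    parts = [lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    header, payload = NTLMSSP_SIG + struct.pack("<I", 3), b""
    for p in parts:  # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(p), len(p), 64 + len(payload))
        payload += p
    return header + struct.pack("<I", flags) + payload

if __name__ == "__main__":
    # Constructed samples: a null session and a placeholder credentialed response
    print(classify_authenticate(build_sample("", "", b"", b"\x00")))
    print(classify_authenticate(build_sample("alice", "LAB", b"\x11" * 40, b"\x00" * 24)))
```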