Supporting NTLMQUIC

[p0dalirius]

From: @jsdhasfedssad

Hi,

I see you are planning to add more coercing methods in version 2.0 which is great! Have you heard about NTLMQUIC available and running by default on Windows 11 and Windows Server 2022? TrustedSec describes this in this post and their tools are available here.

Apparently PetitPotam can be used to coerce NTLMQUIC but that also involves additional tools which is not very clean. Is it at all possible to improve this so that all that is needed to coerce NTLMQUIC is your tool? If so, would you be willing to support this?

Thanks!

References

• https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/
• https://github.com/xpn/ntlmquic

[p0dalirius]

Hey @jsdhasfedssad,

This is really interesting! I might be wrong, but I think supporting QUIC is only needed for the listener. I don't find anything to change in the RPC request to coerce authentication. Maybe I missed something ?

Best regards,

[jsdhasfedssad]

I am trying to test this but so far I cannot get it to work. Regardless, I am not fond of the CUIQ server/listener that is needed on the compromised host. In general I try to avoid needing to login to my targets. Typically I can own them by abusing the AD and/or ADCS from Kali :) To me this seems like another binary that will be blocked by AV in some time. Maybe you have had better luck?

I noticed all the new enhancements for RPC access. If that is something that came out from the post by TrustedSec then I am happy and will stop trying to get this to work :)