Searching for RPC Functions to Coerce Authentications in Microsoft Protocols

Explore an automated approach to discover Remote Procedure Call (RPC) functions that can coerce authentications in Microsoft protocols during this 30-minute Black Hat conference talk. Learn how to parse Microsoft's OpenSpecs online documentation and Interface Definition Language code to gather data for identifying potential authentication-triggering RPC calls. Discover techniques for generating Python proof-of-concept code to remotely trigger these calls, and see how existing vulnerabilities like PrinterBug, PetitPotam, ShadowCoerce, and DFSCoerce can be found quickly using this method. Gain insights into parsing Microsoft Open Specifications, searching for interesting RPC functions, and autogenerating proof-of-concept scripts. Understand Windows coerced authentication methods, defense techniques, and the use of Coercer in scan mode.

Syllabus

Intro
Required information to call a Remote Procedure
Remote Procedures manipulating files
Automated search of RPCs triggering authentications
Parsing Microsoft Open Specifications documentation
Microsoft Open Specifications structure
Parsing Interface Definition Language (IDL)
Searching for interesting RPC functions
Autogenerating proof of concept python scripts
IDL types vs Impacket types
Windows coerced authentications methods
Coercer: mode scan
Defense techniques