cred1py: A tool used to exploit CRED-1 over a SOCKS5 connection
Overview
This is a tool used to exploit CRED-1 over a SOCKS5 connection (with UDP support).
How CRED-1 Attack Works
CRED-1 can be broken down into the following steps:
- Send a DHCP Request for the PXE image over UDP 4011
- SCCM responds with image path and crypto keys to decrypt the referenced variables file
At this stage, two files are downloaded over TFTP, for example:
2024.09.03.23.35.22.0001.{FEF9DEEE-4C4A-43EF-92BF-2DD23F3CE837}.boot.var2024.09.03.23.35.22.07.{FEF9DEEE-4C4A-43EF-92BF-2DD23F3CE837}.boot.bcd
Next CRED-1 takes the crypto keys returned in the DHCP response, and takes one of two paths depending on the content:
- If the crypto key is provided, password based encryption is disabled, and therefore a key derivation function is run to produce an AES key to decrypt the variables file
OR
- If no crypto key is provided, password based encryption is enabled, and a HashCat ouotput is produced from the variables file to allow us to recover the encryption key
Once the key has been recovered (or provided), the variable file can be decrypted and the contents can be used to retrieve Network Access Account username/password.
Further information on this attack can be found in Misconfiguration Manager.
How Cred1Py Works
Cred1Py attempts to perform this flow over a SOCKS5 connection, due to UDP support being provided as part of the SOCKS5 specification and included in products such as Cobalt Strike.
There are a few differences to the Cred1py implementation to tools like PxeThiefy as SOCKS5 limits our ability to retrieve TFTP files (we can’t determine the source port used during the data transfer and therefore can’t download more than a handful of bytes).
This means that the requirements for Cred1Py are:
- An implant executing with SOCKS5 enabled
- Ability to make a SMB connection to a distribution server (this replaces the TFTP component of PxeThiefy)
Once the requirements are met, Cred1Py:
- Sends a DHCP Request for the PXE image and crypto key
- Retrieves the crypto keying material
- Downloads the first 512 bytes of the variables file (possible as this is sent by TFTP server without establishing a TID which needs source port)
- Outputs either a crypto key, or a hashcat hash, as well as the path to the boot variable file returned via DHCP
At this point, we will need to use our C2 to download the boot variable file, for example in Cobalt Strike we can use:
download \\sccmserver.lab.local\REMINST\SMSTemp\BootFileName.boot.var
Now if you have a password to crack.. crack it and then pass it as an argument to pxethiefy.py:
python ./pxethiefy.py decrypt -f /tmp/BootFileName.boot.var PASSWORD_HERE
decrypt_media_file(args.mediafile, b’\x41\x42\x43\x44…….’):
We then use PxeThiefy.py to decrypt the boot.var file with our recovered key by just invoking with any old password:
python ./pxethiefy.py decrypt -f /tmp/BootFileName.boot.var USE_THE_SOURCE_LUKE
