Adepts-Of-0xCC / VBA-macro-experiments

Collection of VBA macro published in our twitter / blog

Kerberoast: Subscript out of range #1

Open kram12085 opened 2 years ago

kram12085 commented 2 years ago

One of the more fascinating blogs I've come across! Trying the kerberoast.vba POC on my test machine, I'm getting a "Subscript out of range" error at the line that reads the EncodedTicketSize at offset 136. It still generates a .kirbi file but it's full of garbage. Any clue why? debug

X-C3LL commented 2 years ago

Is it office 64 bits or 32 bits?

Also: can print the value of ResponseSize (use MsgBox) and query the same TGS with mimikatz/rubeus/impacket ?

kram12085 commented 2 years ago

> Is it office 64 bits or 32 bits?
>
> Also: can print the value of ResponseSize (use MsgBox) and query the same TGS with mimikatz/rubeus/impacket ?

64 bit. The script won't work with 32 due to the longlong data type.

The SPNs that didn't error had ResponseSizes of around 3055. It was one with a ResponseSize of 0 that triggered the error, which I'm assuming is maybe a misconfigured or unreachable SPN. The kirbi files, however, don't seem to be the expected hash; attached is one example that didn't cause the error (renamed .log to allow for attaching). TERMSRV.test.home.com.log

X-C3LL commented 2 years ago

Yep, I cannot parse it. Can you paste the whole KERB_RETRIEVE_TKT_RESPONSE?

    'Copy KERB_RETRIEVE_TKT_RESPONSE structure to an array
    Dim Response() As Byte
    Dim Data As String
    'ResponseSize is the byte count returned by LsaCallAuthenticationPackage;
    'a value of 0 means no ticket came back and the fixed offsets (136, ...) do not exist
    ReDim Response(0 To ResponseSize)
    Call CopyMemory(VarPtr(Response(0)), KerbRetrieveResponse, ResponseSize)
    '<--- Copy Response to a file here (reuse the loop that writes EncodedTicket)

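An added diagnostic for inspecting a dumped response buffer like the ones attached in this thread; it is not part of this repository's macro. It walks the 64-bit KERB_RETRIEVE_TKT_RESPONSE layout (offset 136, the one the macro reads, is EncodedTicketSize; offset 144 is the EncodedTicket pointer), refuses any buffer shorter than the fixed header instead of indexing past its end (the condition that surfaces as "Subscript out of range" when ResponseSize is 0), and locates the KRB-CRED inside the dump by its DER tag and length, because the pointer stored in the header is an address inside the LSA allocation and means nothing once the bytes are written to a file. The field offsets are derived from the SDK declaration of KERB_EXTERNAL_TICKET; the sample buffer and its ticket are constructed (a correctly tagged placeholder, not a real ticket).

```python
import struct

# 64-bit layout of KERB_RETRIEVE_TKT_RESPONSE (a single KERB_EXTERNAL_TICKET), worked out
# from the SDK declaration: 3 pointers (24) + 3 UNICODE_STRING (48) + KERB_CRYPTO_KEY (16)
# + TicketFlags/Flags (8) + 5 LARGE_INTEGER (40) = 136, so EncodedTicketSize sits at 136.
# The EncodedTicket pointer follows after 4 bytes of alignment padding.
TICKET_FLAGS_OFFSET = 88
ENCODED_TICKET_SIZE_OFFSET = 136
ENCODED_TICKET_PTR_OFFSET = 144
HEADER_LEN = 152
KRB_CRED_TAG = 0x76          # DER [APPLICATION 22]: first byte of every KRB-CRED (.kirbi)


def parse_response_header(buf):
    """Read the fixed fields; refuse short buffers instead of indexing past the end
    (the VBA macro's 'Subscript out of range' when ResponseSize is 0)."""
    if len(buf) < HEADER_LEN:
        raise ValueError("response is %d bytes, need %d; a ResponseSize of 0 means the "
                         "LSA returned no ticket for that SPN" % (len(buf), HEADER_LEN))
    ticket_flags, flags = struct.unpack_from("<II", buf, TICKET_FLAGS_OFFSET)
    size = struct.unpack_from("<I", buf, ENCODED_TICKET_SIZE_OFFSET)[0]
    ptr = struct.unpack_from("<Q", buf, ENCODED_TICKET_PTR_OFFSET)[0]
    return {"ticket_flags": ticket_flags, "flags": flags,
            "encoded_ticket_size": size, "encoded_ticket_ptr": ptr}


def der_total_length(data, pos):
    """Total size (tag + length bytes + content) of the DER element at pos, or None
    when the bytes there are not a well-formed short or 1/2-byte long-form length."""
    if pos + 2 > len(data):
        return None
    first = data[pos + 1]
    if first < 0x80:
        return 2 + first
    if first == 0x81 and pos + 3 <= len(data):
        return 3 + data[pos + 2]
    if first == 0x82 and pos + 4 <= len(data):
        return 4 + struct.unpack_from(">H", data, pos + 2)[0]
    return None


def looks_like_kirbi(ticket):
    """A plausible .kirbi starts with the KRB-CRED tag and its DER length spans the file."""
    return (len(ticket) >= 2 and ticket[0] == KRB_CRED_TAG
            and der_total_length(ticket, 0) == len(ticket))


def find_kirbi(buf):
    """Locate the KRB-CRED inside a dumped response: the ticket bytes (and the name
    strings) live in the same LSA allocation after the fixed header, so scan for a
    tag whose DER length equals EncodedTicketSize. Returns the offset or None."""
    want = parse_response_header(buf)["encoded_ticket_size"]
    for pos in range(HEADER_LEN, len(buf)):
        if (buf[pos] == KRB_CRED_TAG and der_total_length(buf, pos) == want
                and pos + want <= len(buf)):
            return pos
    return None


# Constructed sample: a 152-byte header with only the size field set, followed by a
# stand-in KRB-CRED (correct tag and DER length, filler content; not a real ticket).
SAMPLE_TICKET = bytes([KRB_CRED_TAG, 0x82]) + struct.pack(">H", 300) + b"\x30" * 300
SAMPLE_RESPONSE = (b"\x00" * ENCODED_TICKET_SIZE_OFFSET
                   + struct.pack("<I", len(SAMPLE_TICKET))
                   + b"\x00" * (HEADER_LEN - ENCODED_TICKET_SIZE_OFFSET - 4)
                   + SAMPLE_TICKET)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    try:
        hdr = parse_response_header(data)
    except ValueError as err:
        sys.exit("bad response: %s" % err)
    off = find_kirbi(data)
    print("EncodedTicketSize=%d kirbi_offset=%s" % (hdr["encoded_ticket_size"], off))
    if off is not None:
        print("kirbi sanity:", looks_like_kirbi(data[off:off + hdr["encoded_ticket_size"]]))
```

Run it with the dumped response file as the only argument; with no argument it checks the constructed sample. If `find_kirbi` returns None while EncodedTicketSize is sane, the dump was taken from something other than the full response buffer, which is the same conclusion one reaches when a .kirbi does not begin with 0x76.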
kram12085 commented 2 years ago

> Yep, I can not parse it. Can you paste the whole KERB_RETRIEVE_TKT_RESPONSE?

??T That's it for Response. I'm only a novice at NetSec but am thoroughly confused as to what's happening. Have no issues using Rubeus to obtain the hash.

I'm wondering if it could be some old misconfigured SPNs since I've messed with the test system a lot through the years. Is there a way to target a specific SPN instead of roasting every one in the domain?

X-C3LL commented 2 years ago

Copy the content to a file (you can reuse the loop code) so I can see exactly what the content is and why it is failing. In the .kirbi I can see parts that are ok, but others deviate from what I was expecting.

To query a TGS for a specific user you can edit the LDAP query:

    'ADO LDAP dialect: <base>;filter;attributes;scope
    'Replace YOURUSER with the sAMAccountName of the account to query
    objCommand.CommandText = _
        "<LDAP://" & strDomain & ">;(&(samAccountType=805306368)(samAccountName=YOURUSER));servicePrincipalName;subtree"

kram12085 commented 2 years ago

Here's Response pointed to write to the file in lieu of encodedTicket. Thanks again for helping us learn! TERMSRV.test.home.com_response.log