Dec0ne / KrbRelayUp

KrbRelayUp - a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings).

Recieved invalid apReq, exploit will fail #2

Closed 0xhukaro closed 2 years ago

0xhukaro commented 2 years ago

Tested against a few Windows 10 machines; couldn't seem to solve this. LDAP server signing is not enabled. I'm not sure what's causing this; looking for a fix right now. [screenshot]

bestrocker221 commented 2 years ago

Same exact issue here. LDAP signing disabled.

Neo23x0 commented 2 years ago

Same here

0xBrAinsTorM commented 2 years ago

Got it working in an old lab setup (https://github.com/clong/DetectionLab) which was still idling around. It's not working on another lab I have.


Unfortunately i don't have the time to investigate the differences.

nodauf commented 2 years ago

There could be multiple issues. But in my case, I compared two pcaps, and in the one where the error "Received invalid apReq, exploit will fail" was returned, the coerced authentication was NTLM instead of Kerberos.

The difference is clear in the packet "Bind: call_id: 2, Fragment: Single, 3 context items: IRemUnknown2 V0.0 ...".

When this error is returned, the packet looks like this: [screenshot]

When the tool is working as intended, the packet looks like this: [screenshot]

For the negotiation part, when the error is returned: [screenshot] (notice the PrincName)

When the tool is working as intended, the packet looks like this: [screenshot]

Those are the two main differences between the two cases. I have no idea why, but it may help someone else dig in the right direction (thanks to @und3ath for the pcap).
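The check nodauf did in Wireshark, reproduced on raw bytes as an added example (this is not code from KrbRelayUp or from any commenter): parse the DCE/RPC bind PDU that the coerced DCOM client sends for IRemUnknown2, read the sec_trailer auth_type, and look inside the token to tell an NTLMSSP NEGOTIATE from a GSS-API Kerberos AP-REQ. The auth_type values and PDU layout are MS-RPCE; the SPNEGO heuristic, the sample tokens and the sample bind PDUs (built by build_bind) are constructed here for illustration and are not from a real capture.

```python
"""Classify the authentication carried by a DCE/RPC (DCOM) bind: NTLM or Kerberos."""
import struct
import uuid

PTYPE_BIND = 0x0B
# MS-RPCE sec_trailer.auth_type values (RPC_C_AUTHN_*)
AUTH_TYPE_NAMES = {0x09: "SPNEGO", 0x0A: "NTLMSSP", 0x10: "KERBEROS"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
GSS_KRB5_AP_REQ = b"\x01\x00"                          # TOK_ID for KRB_AP_REQ
IREMUNKNOWN2_IID = "00000143-0000-0000-c000-000000000046"
NDR_TRANSFER_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"


def classify_auth(auth_type: int, token: bytes) -> str:
    """Name the mechanism actually used; peeks inside SPNEGO/Kerberos tokens."""
    if auth_type == 0x0A or token.startswith(NTLMSSP_SIGNATURE):
        return "NTLM"
    if auth_type in (0x09, 0x10):
        # Heuristic (assumption): an NTLMSSP blob inside the token means the
        # client went NTLM; krb5 OID + AP-REQ token id means a Kerberos AP-REQ.
        if NTLMSSP_SIGNATURE in token:
            return "NTLM"
        if KRB5_MECH_OID + GSS_KRB5_AP_REQ in token:
            return "Kerberos"
        if KRB5_MECH_OID in token:
            return "Kerberos (no AP-REQ token)"
    return "unknown"


def parse_bind(pdu: bytes) -> dict:
    """Parse a connection-oriented DCE/RPC bind PDU (little-endian NDR)."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind")
    _vers, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    if ptype != PTYPE_BIND:
        raise ValueError(f"not a bind PDU (ptype={ptype:#x})")
    if not pdu[4] & 0x10:
        raise ValueError("big-endian data representation not handled")
    frag_length, auth_length, call_id = struct.unpack_from("<HHI", pdu, 8)
    if frag_length != len(pdu):
        raise ValueError("frag_length does not match PDU size")

    n_ctx = pdu[24]          # p_context_list.n_context_elem
    off = 28
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_transfer = struct.unpack_from("<HB", pdu, off)
        off += 4                                   # p_cont_id, n_transfer_syn, reserved
        abstract = uuid.UUID(bytes_le=pdu[off:off + 16])
        version = struct.unpack_from("<I", pdu, off + 16)[0]
        off += 20 + 20 * n_transfer                # skip the transfer syntaxes
        contexts.append({"id": ctx_id, "interface": str(abstract), "version": version})

    auth = None
    if auth_length:
        trailer_off = frag_length - auth_length - 8    # sec_trailer is 8 bytes
        if trailer_off < off:
            raise ValueError("auth trailer overlaps bind body")
        auth_type, auth_level, _pad, _res, _ctx = struct.unpack_from("<BBBBI", pdu, trailer_off)
        token = pdu[trailer_off + 8:trailer_off + 8 + auth_length]
        auth = {
            "auth_type": AUTH_TYPE_NAMES.get(auth_type, f"{auth_type:#x}"),
            "auth_level": auth_level,
            "mechanism": classify_auth(auth_type, token),
        }
    return {"call_id": call_id, "contexts": contexts, "auth": auth}


def build_bind(auth_type: int, token: bytes, call_id: int = 2) -> bytes:
    """Construct a minimal IRemUnknown2 bind carrying the given auth token (sample data)."""
    ctx = (struct.pack("<HBB", 0, 1, 0)
           + uuid.UUID(IREMUNKNOWN2_IID).bytes_le + struct.pack("<I", 0)
           + uuid.UUID(NDR_TRANSFER_SYNTAX).bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx
    pad = (-len(body)) % 4
    body += b"\x00" * pad
    trailer = struct.pack("<BBBBI", auth_type, 6, pad, 0, 0)  # level 6 = PKT_PRIVACY
    frag_length = 16 + len(body) + len(trailer) + len(token)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                         b"\x10\x00\x00\x00", frag_length, len(token), call_id)
    return header + body + trailer + token


# Constructed sample tokens (not from a real capture):
NTLM_NEGOTIATE = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16
_ap_req_stub = b"\x6e\x03\x30\x01\x00"   # stand-in for a DER-encoded AP-REQ body
_inner = b"\x06\x09" + KRB5_MECH_OID + GSS_KRB5_AP_REQ + _ap_req_stub
KRB_AP_REQ_TOKEN = b"\x60" + bytes([len(_inner)]) + _inner   # GSS-API InitialContextToken

FAILING_BIND = build_bind(0x0A, NTLM_NEGOTIATE)    # shape of the failing pcap
WORKING_BIND = build_bind(0x10, KRB_AP_REQ_TOKEN)  # shape of the working pcap

if __name__ == "__main__":
    for name, pdu in (("failing", FAILING_BIND), ("working", WORKING_BIND)):
        info = parse_bind(pdu)
        print(name, info["call_id"], info["contexts"][0]["interface"], info["auth"])
```

Run against real traffic, feed parse_bind the TCP payload of the bind (from tshark or scapy); an NTLM mechanism on the IRemUnknown2 bind is the signature of the failure mode described above, since the relay needs an AP-REQ to work with.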

kinomakino commented 2 years ago

Same scenario with this tool and KrbRelay (main).

Dec0ne commented 2 years ago

I've pushed an update that I think will fix the issue. Mainly, I removed the built-in C# DirectoryServices method of finding the domain controller, which was initializing the COM interface in the process before the tool had a chance to initialize it itself with the hooks and settings it needs.

If my suspicions are correct, once you run the updated version you will get an error stating that the tool could not find the domain controller FQDN, and it will ask you to specify it manually with the --DomainController flag. I hope that once you do that, the tool will run without the issue.

Let me know if that solves it :)

0xhukaro commented 2 years ago

The new update solved the issue. Great work :)