byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

NTDS fails on renamed domain #205

Closed jackassplus closed 7 years ago

jackassplus commented 7 years ago

Steps to reproduce

  1. use rendom to rename the domain
  2. attempt to dump ntds hashes

possibly related to impacket issue: https://github.com/CoreSecurity/impacket/issues/150

currently using impacket (and crackmap) version installed with pip: impacket (0.9.15) crackmapexec (3.1.5)

Command string used

crackmapexec -u administrator -p P@ssw0rd1 --ntds drsuapi 192.168.32.228

CME verbose output (using the --verbose flag)

```
DEBUG {'domain': None, 'wdigest': None, 'verbose': True, 'sam': False, 'cred_id': [], 'module_options': [], 'fail_limit': None, 'share': 'C$', 'lusers': False, 'module': None, 'smb_port': 445, 'show_options': False, 'rid_brute': None, 'uac': False, 'ufail_limit': None, 'pass_pol': False, 'regex': None, 'list_modules': False, 'no_output': False, 'pattern': None, 'lsa': False, 'force_ps32': False, 'shares': False, 'content': False, 'server_host': '0.0.0.0', 'wmi': None, 'exclude_dirs': '', 'server_port': None, 'wmi_namespace': '//./root/cimv2', 'gfail_limit': None, 'mssql_query': None, 'username': ['administrator'], 'hash': [], 'users': False, 'sessions': False, 'exec_method': None, 'spider': None, 'ps_execute': None, 'threads': 100, 'mssql_port': 1433, 'password': ['P@ssw0rd1'], 'mssql': False, 'mssql_auth': 'windows', 'ntds_pwdLastSet': False, 'execute': None, 'target': ['192.168.32.228'], 'ntds_history': False, 'disks': False, 'ntds': 'drsuapi', 'server': 'https', 'depth': 10, 'local_auth': False, 'timeout': 20}
CME          192.168.32.228:445 WIN-IR3PCFQV3BS  [*] Windows 6.1 Build 7601 (name:WIN-IR3PCFQV3BS) (domain:ROOT)
CME          192.168.32.228:445 WIN-IR3PCFQV3BS  [+] ROOT\administrator:P@ssw0rd1 (Pwn3d!)
DEBUG Service RemoteRegistry is already running
DEBUG Retrieving class info for JD
DEBUG Retrieving class info for Skew1
DEBUG Retrieving class info for GBG
DEBUG Retrieving class info for Data
DEBUG Target system bootKey: 0x3f381317ccec6983e02bf35f4c4d63ba
DEBUG Checking NoLMHash Policy
DEBUG LMHashes are NOT being stored
DEBUG Saving output to /Users/coryj/.cme/logs/WIN-IR3PCFQV3BS_192.168.32.228
CME          192.168.32.228:445 WIN-IR3PCFQV3BS  [+] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
CME          192.168.32.228:445 WIN-IR3PCFQV3BS  [+] Using the DRSUAPI method to get NTDS.DIT secrets
DEBUG Session resume file will be sessionresume_UlIsOSTL
DEBUG DRSBind() answer
DRSBindResponse
    ppextServer:
        cb: 48
        rgb: [ '\x7f', '\xff', '\xff', '?', '\xf3', '\xc2', '9', 'L', '\xec', 'W', '\xea', 'I', '\xbc', '\xa7', 'J', 'T', '\xab', 'B', 'O', '=', '\xe0', '\x01', '\x00', '\x00', '\x01', '\x00', '\x00', '\x00', '\x02', '\x00', '\x00', '\x00', '\xdd', '!', '\xbc', 'C', '\xb6', '\x8c', '\xd3', 'F', '\xae', 'G', '\xf3', '|', 'B', '\xe0', '\xf7', '\x1c', ]
    phDrs: '\x00\x00\x00\x00|J\x8d\xec\x7f\xf7\x98@\x9a\xca\x10\xbd\x7f8\xf2\x03'
    ErrorCode: 0

DEBUG DRSDomainControllerInfo() answer
DRSDomainControllerInfoResponse
    pdwOutVersion: 2
    pmsgOut:
        tag: 2
        V2:
            cItems: 1
            rItems: [
                NetbiosName:                     u'WIN-IR3PCFQV3BS\x00'
                DnsHostName:                     u'WIN-IR3PCFQV3BS.root.vm.local\x00'
                SiteName:                        u'Default-First-Site-Name\x00'
                SiteObjectName:                  u'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=root,DC=vm,DC=local\x00'
                ComputerObjectName:              u'CN=WIN-IR3PCFQV3BS,OU=Domain Controllers,DC=root,DC=vm,DC=local\x00'
                ServerObjectName:                u'CN=WIN-IR3PCFQV3BS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=root,DC=vm,DC=local\x00'
                NtdsDsaObjectName:               u'CN=NTDS Settings,CN=WIN-IR3PCFQV3BS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=root,DC=vm,DC=local\x00'
                fIsPdc:                          1
                fDsEnabled:                      1
                fIsGc:                           1
                SiteObjectGuid:                  '\xf3\xc29L\xecW\xeaI\xbc\xa7JT\xabBO='
                ComputerObjectGuid:              '\x01\x01\xd0\xd2\x07\x85\xdbA\x8el\xed\xb6\x03\xfb\t\n'
                ServerObjectGuid:                'i\xd5\x80\x0b\xd0\x83$C\xb0\x9bS\xb6!!\x87\xf1'
                NtdsDsaObjectGuid:               '<\xa3\x08,A\x86mJ\xa4\x17/\xec\xe5\x84\x89\xfe' ,
            ]
    ErrorCode: 0

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/gevent/greenlet.py", line 536, in run
    result = self._run(*self.args, **self.kwargs)
  File "/usr/local/lib/python2.7/site-packages/cme/connection.py", line 173, in __init__
    getattr(self, k)()
  File "/usr/local/lib/python2.7/site-packages/cme/connection.py", line 39, in _decorator
    return func(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/cme/connection.py", line 507, in ntds
    DumpSecrets(self).NTDS_dump(self.args.ntds, self.args.ntds_pwdLastSet, self.args.ntds_history)
  File "/usr/local/lib/python2.7/site-packages/cme/credentials/secretsdump.py", line 150, in NTDS_dump
    self.NTDSHashes.dump()
  File "/usr/local/lib/python2.7/site-packages/cme/credentials/ntds.py", line 625, in dump
    userRecord = self.remoteOps.DRSGetNCChanges(crackedName['pmsgOut']['V1']['pResult']['rItems'][0]['pName'][:-1])
  File "/usr/local/lib/python2.7/site-packages/cme/remoteoperations.py", line 179, in DRSGetNCChanges
    return self.__drsr.request(request)
  File "/usr/local/lib/python2.7/site-packages/impacket/dcerpc/v5/rpcrt.py", line 859, in request
    raise exception
DCERPCSessionError: DRSR SessionError: code: 0x2191 - ERROR_DS_DIFFERENT_REPL_EPOCHS - The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is usually related to a domain rename that is in progress).
Tue Sep 12 09:33:34 2017 <Greenlet at 0x1087e7cd0: Connection(Namespace(content=False, cred_id=[], depth=10, dis, <cme.database.CMEDatabase instance at 0x10892aa28>, '192.168.32.228', None, None)> failed with DCERPCSessionError
```

OS

MacOS 10.12.6

Target OS

Server 2008r2 Standard

Detailed issue explanation

See above
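The DRSBind() answer in the verbose output above already carries the clue behind `ERROR_DS_DIFFERENT_REPL_EPOCHS`: the server's `ppextServer.rgb` blob is a `DRS_EXTENSIONS_INT` structure (MS-DRSR 5.39) whose `dwReplEpoch` field is bumped by a domain rename. The following is an added example, not CrackMapExec or impacket code, that decodes the 48 bytes copied from that response with the plain standard library; the assumption that a client binds with epoch 0 unless told otherwise is mine, as is the `epoch_mismatch` helper name.

```python
import struct
import uuid

# DRS_EXTENSIONS_INT payload (rgb, cb=48) copied from the DRSBind() answer in
# the verbose output above; impacket printed it as a list of one-byte strings.
SERVER_EXTENSIONS = bytes([
    0x7f, 0xff, 0xff, 0x3f, 0xf3, 0xc2, 0x39, 0x4c, 0xec, 0x57, 0xea, 0x49,
    0xbc, 0xa7, 0x4a, 0x54, 0xab, 0x42, 0x4f, 0x3d, 0xe0, 0x01, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xdd, 0x21, 0xbc, 0x43,
    0xb6, 0x8c, 0xd3, 0x46, 0xae, 0x47, 0xf3, 0x7c, 0x42, 0xe0, 0xf7, 0x1c,
])

# Field layout after the leading cb count (MS-DRSR 5.39), all little-endian:
#   dwFlags(4) SiteObjGuid(16) Pid(4) dwReplEpoch(4) dwFlagsExt(4)
#   ConfigObjGUID(16) dwExtCaps(4) = 52 bytes. A server may send fewer bytes
#   (cb=48 here), so the tail is zero-padded before unpacking.
FULL_LEN = 52
LAYOUT = "<I16sIII16sI"


def parse_drs_extensions(rgb: bytes) -> dict:
    """Decode a DRS_EXTENSIONS_INT blob into its named fields."""
    buf = rgb + b"\x00" * (FULL_LEN - len(rgb))
    (flags, site_guid, pid, repl_epoch,
     flags_ext, config_guid, ext_caps) = struct.unpack(LAYOUT, buf[:FULL_LEN])
    return {
        "dwFlags": flags,
        # GUIDs are stored in Windows mixed-endian order; bytes_le handles that.
        "SiteObjGuid": str(uuid.UUID(bytes_le=site_guid)),
        "Pid": pid,
        "dwReplEpoch": repl_epoch,
        "dwFlagsExt": flags_ext,
        "ConfigObjGUID": str(uuid.UUID(bytes_le=config_guid)),
        "dwExtCaps": ext_caps,
    }


def epoch_mismatch(server_rgb: bytes, client_epoch: int = 0) -> bool:
    """True when a bind made with client_epoch disagrees with the server's epoch.

    client_epoch=0 is assumed to be the default a client sends when it has not
    learned the server's epoch; a renamed domain reports a non-zero value.
    """
    return parse_drs_extensions(server_rgb)["dwReplEpoch"] != client_epoch


if __name__ == "__main__":
    for name, value in parse_drs_extensions(SERVER_EXTENSIONS).items():
        print(f"{name:14} {value}")
    print("epoch mismatch on a default bind:", epoch_mismatch(SERVER_EXTENSIONS))
```

The decoded `SiteObjGuid` matches the `SiteObjectGuid` bytes printed in the DRSDomainControllerInfo() answer, which confirms the field alignment, and `dwReplEpoch` comes out as 1 on this renamed domain.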

byt3bl33d3r commented 7 years ago

@jackassplus yup definitely related to the impacket issue you mentioned. I just updated the impacket submodule so if you do a fresh install of CME it should now work if it was fixed in impacket (which it seems like it was). If not comment below. Thanks