Access denied for DCSync using DC machine account

[b13bs]

Describe the bug Acces denied while trying to dump NTDS using drsuapi method. It was performed with the primary DC machine account, which is not local admin on its machine.

The expected behavior is that it should have worked, since it is working with impacket secretsdump.

To Reproduce The bug might be hard to reproduce since it may be caused by an irregular config in the environment in which it was found. In any case, here is what I performed:

# crackmapexec --verbose smb 192.168.1.1 -u 'DC$' -H redactedNTLMhash --ntds drsuapi
SMB         192.168.1.1    445    DC          [*] Windows Server 2016 Datacenter 14393 x64 (name:DC) (domain:CONTOSO.local) (signing:True) (SMBv1:True)
SMB         192.168.1.1    445    DC          [+] CONTOSO.local\DC$ redactedNTLMhash
SMB         192.168.1.1    445    DC          [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

Crackmapexec info

• OS: Kali 2021.2
• Version of CME 5.1.7dev
• Using latest release

[mpgn]

Okay, valid bug ! I found the problem, I will push the code next week. In the meantime, secretdump will do the trick :)

[sebrink]

Isn't this the same issue as #407?

[mpgn]