byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

Kerberos authentication doesn't work #577

Closed Qayin1337 closed 2 years ago

Qayin1337 commented 2 years ago

Easily reproducible in my lab, very simple: 2 DCs, 2016 config level domain, Linux (Kali) machine is in the same subnet. I tried replacing DC01.qlab.local with pretty much everything else I could think of, including IP, netbios name, impacket user syntax, etc.

Using the same ticket I can successfully execute psexec.py (-k).

This is my command and error:

┌──(root㉿kali)-[/opt/ticket_converter]
└─# crackmapexec --verbose smb 192.168.45.10 --kerberos
DEBUG Passed args: {'aesKey': None, 'amsi_bypass': None, 'clear_obfscripts': False, 'computers': None, 'connectback_host': None, 'content': False, 'continue_on_success': False, 'cred_id': [], 'darrell': False, 'depth': None, 'disks': False, 'domain': None, 'exclude_dirs': '', 'exec_method': None, 'execute': None, 'export': None, 'fail_limit': None, 'force_ps32': False, 'gen_relay_list': None, 'get_file': None, 'gfail_limit': None, 'groups': None, 'hash': [], 'jitter': None, 'kdcHost': None, 'kerberos': True, 'laps': None, 'list_modules': False, 'local_auth': False, 'local_groups': None, 'loggedon_users': False, 'lsa': False, 'module': None, 'module_options': [], 'no_bruteforce': False, 'no_output': False, 'ntds': None, 'obfs': False, 'only_files': False, 'pass_pol': False, 'password': [], 'pattern': None, 'port': 445, 'protocol': 'smb', 'ps_execute': None, 'put_file': None, 'regex': None, 'rid_brute': None, 'sam': False, 'server': 'https', 'server_host': '0.0.0.0', 'server_port': None, 'sessions': False, 'share': 'C$', 'shares': False, 'show_module_options': False, 'smb_server_port': 445, 'smb_timeout': 2, 'spider': None, 'spider_folder': '.', 'target': ['192.168.45.10'], 'threads': 100, 'timeout': None, 'ufail_limit': None, 'username': [], 'users': None, 'verbose': True, 'wmi': None, 'wmi_namespace': 'root\cimv2'}
DEBUG Using selector: EpollSelector
DEBUG Running
DEBUG Started thread poller
SMB 192.168.45.10 445 DC01 [] Windows Server 2016 Standard Evaluation 14393 x64 (name:DC01) (domain:Qlab.local) (signing:True) (SMBv1:True)
DEBUG Stopped thread poller
Traceback (most recent call last):
  File "/usr/bin/crackmapexec", line 8, in
    sys.exit(main())
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 254, in main
    asyncio.run(
  File "/usr/lib/python3.9/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 102, in start_threadpool
    await asyncio.gather(jobs)
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 68, in run_protocol
    await asyncio.wait_for(
  File "/usr/lib/python3.9/asyncio/tasks.py", line 442, in wait_for
    return await fut
  File "/usr/lib/python3.9/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/smb.py", line 125, in init
    connection.init(self, args, db, host)
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 62, in init
    self.proto_flow()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 98, in proto_flow
    if self.login() or (self.username == '' and self.password == ''):
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 163, in login
    if self.kerberos_login(self.aesKey, self.kdcHost): return True
TypeError: kerberos_login() missing 1 required positional argument: 'kdcHost'

CME Version (cme --version)

crackmap exec version 5.2.2 (The Dark Knight)

OS

Kali 2022.1

Target OS

Win server 2016

TahiTi commented 2 years ago

The debug output says this on the last line: TypeError: kerberos_login() missing 1 required positional argument: 'kdcHost'

Have you tried to specify the --kdcHost option?

mpgn commented 2 years ago

Did you check the wiki? https://mpgn.gitbook.io/crackmapexec/getting-started/using-kerberos

devx00 commented 2 years ago

Did you check the wiki? https://mpgn.gitbook.io/crackmapexec/getting-started/using-kerberos

I have and I am still receiving the same error as @Qayin1337. It's like it isn't reading the --kdcHost argument.

Actually I think I found the issue.

The smb connection class defines 3 params for kerberos_login https://github.com/byt3bl33d3r/CrackMapExec/blob/70033f83ff686be1877a851d9087d6678bdff6d8/cme/protocols/smb.py#L331 but in the 5.2.2dev release it was being called with only 2, the last being the kdcHost https://github.com/byt3bl33d3r/CrackMapExec/blob/8118e9078e525566322c2942fd1f0984e182ab32/cme/connection.py#L163

That appears to have been fixed in master but not released yet. https://github.com/byt3bl33d3r/CrackMapExec/blob/70033f83ff686be1877a851d9087d6678bdff6d8/cme/connection.py#L163

@Qayin1337 you may be able to fix your issue by following the wiki and then installing cme from the master branch rather than the most recent release. @mpgn any chance we can get a release build with that fix included?
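An added check, not code from this thread or from CrackMapExec, that tells you whether an installed build still carries the mismatch described above before you reinstall from master: it compares how many arguments login() passes to kerberos_login() with how many that method requires. The cme class names it imports (cme.connection.connection, cme.protocols.smb.smb) are assumed from the links above; the two stub classes are constructed to mirror the shape seen in the traceback.

```python
import inspect
import re

def required_positional(func):
    """Positional parameters without a default, excluding 'self'."""
    return sum(1 for p in inspect.signature(func).parameters.values()
               if p.kind in (p.POSITIONAL_ONLY, p.POSITIONAL_OR_KEYWORD)
               and p.default is p.empty and p.name != "self")

def args_passed_to(caller, method_name):
    """Arguments in the caller's first self.<method_name>(...) call
    (simple single-line calls only); None if there is no such call."""
    m = re.search(r"self\." + re.escape(method_name) + r"\(([^)]*)\)",
                  inspect.getsource(caller))
    return None if m is None else len([a for a in m.group(1).split(",") if a.strip()])

def kerberos_login_mismatch(login_func, kerberos_login_func):
    """(required, passed, broken): broken when login() passes fewer
    arguments than kerberos_login() requires, the bug in this thread."""
    need = required_positional(kerberos_login_func)
    got = args_passed_to(login_func, "kerberos_login")
    return need, got, (got is not None and got < need)

class Release522Stub:
    """Constructed stand-in for the 5.2.2 shape in the traceback: three
    required parameters, last one kdcHost, only two passed. The name
    'domain' is a placeholder, not taken from the project."""
    domain = aesKey = kdcHost = None
    def kerberos_login(self, domain, aesKey, kdcHost):
        return False

    def login(self):
        return bool(self.kerberos_login(self.aesKey, self.kdcHost))

class MasterStub(Release522Stub):
    """Constructed stand-in for the fixed call site: all three passed."""
    def login(self):
        return bool(self.kerberos_login(self.domain, self.aesKey, self.kdcHost))

def check_installed_cme():
    """Same check against an installed CrackMapExec; the class names
    cme.connection.connection and cme.protocols.smb.smb are assumed
    from the thread's links. Returns None when cme is not importable."""
    try:
        from cme.connection import connection
        from cme.protocols.smb import smb
    except ImportError:
        return None
    return kerberos_login_mismatch(connection.login, smb.kerberos_login)
```

A result of (3, 2, True) from check_installed_cme() means the installed build still has the unreleased bug; None means cme is not importable in that interpreter.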

mpgn commented 2 years ago

I will release tomorrow or next week yep