
Fix ccache kerberos auth using rpc #738

Closed lefayjey closed 1 year ago

lefayjey commented 1 year ago

Hello! Kerberos authentication using a ccache file was returning a "logon" failure when using RPC/SMB with user enumeration (--users), password policy (--pass-pol) and the modules shadowcoerce, petitpotam and dfscoerce. I've tested the fix with both an NTLM password and Kerberos using a ccache, and it works for me.

Thanks!

Output before the fix:

export KRB5CCNAME=/opt/Temp/GOAD/sql_svc.ccache; crackmapexec smb meereen.essos.local -u sql_svc --kdcHost meereen.essos.local --use-kcache --users
SMB         meereen.essos.local 445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         meereen.essos.local 445    MEEREEN          [+] essos.local\sql_svc from ccache 
SMB         meereen.essos.local 445    MEEREEN          [-] Error enumerating domain users using dc ip meereen.essos.local: NTLM needs domain\username and a password
SMB         meereen.essos.local 445    MEEREEN          [*] Trying with SAMRPC protocol

export KRB5CCNAME=/opt/Temp/GOAD/sql_svc.ccache; crackmapexec smb meereen.essos.local -u sql_svc --kdcHost meereen.essos.local --use-kcache --pass-pol
SMB         meereen.essos.local 445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         meereen.essos.local 445    MEEREEN          [+] essos.local\sql_svc from ccache 

export KRB5CCNAME=/opt/Temp/GOAD/sql_svc.ccache; crackmapexec smb meereen.essos.local -u sql_svc --kdcHost meereen.essos.local --use-kcache -M shadowcoerce
SMB         meereen.essos.local 445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         meereen.essos.local 445    MEEREEN          [+] essos.local\sql_svc from ccache 

export KRB5CCNAME=/opt/Temp/GOAD/sql_svc.ccache; crackmapexec smb meereen.essos.local -u sql_svc --kdcHost meereen.essos.local --use-kcache -M petitpotam
SMB         meereen.essos.local 445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         meereen.essos.local 445    MEEREEN          [+] essos.local\sql_svc from ccache 

export KRB5CCNAME=/opt/Temp/GOAD/sql_svc.ccache; crackmapexec smb meereen.essos.local -u sql_svc --kdcHost meereen.essos.local --use-kcache -M dfscoerce
SMB         meereen.essos.local 445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         meereen.essos.local 445    MEEREEN          [+] essos.local\sql_svc from ccache 

Verbose: cme_output_verbose.txt

Output after the fix:

export KRB5CCNAME=/opt/Temp/GOAD/sql_svc.ccache; poetry run crackmapexec smb meereen.essos.local -u sql_svc --kdcHost meereen.essos.local --use-kcache --users
SMB         meereen.essos.local 445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         meereen.essos.local 445    MEEREEN          [+] essos.local\sql_svc from ccache 
SMB         meereen.essos.local 445    MEEREEN          [-] Error enumerating domain users using dc ip meereen.essos.local: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
SMB         meereen.essos.local 445    MEEREEN          [*] Trying with SAMRPC protocol
SMB         meereen.essos.local 445    MEEREEN          [+] Enumerated domain user(s)
SMB         meereen.essos.local 445    MEEREEN          essos.local\Administrator                  Built-in account for administering the computer/domain
SMB         meereen.essos.local 445    MEEREEN          essos.local\Guest                          Built-in account for guest access to the computer/domain
SMB         meereen.essos.local 445    MEEREEN          essos.local\krbtgt                         Key Distribution Center Service Account
SMB         meereen.essos.local 445    MEEREEN          essos.local\DefaultAccount                 A user account managed by the system.
SMB         meereen.essos.local 445    MEEREEN          essos.local\snaplabs                       
SMB         meereen.essos.local 445    MEEREEN          essos.local\daenerys.targaryen             Darnerys Targaryen
SMB         meereen.essos.local 445    MEEREEN          essos.local\viserys.targaryen              Viserys Targaryen
SMB         meereen.essos.local 445    MEEREEN          essos.local\khal.drogo                     Khal Drogo
SMB         meereen.essos.local 445    MEEREEN          essos.local\jorah.mormont                  Jorah Mormont
SMB         meereen.essos.local 445    MEEREEN          essos.local\sql_svc                        sql service

export KRB5CCNAME=/opt/Temp/GOAD/sql_svc.ccache; poetry run crackmapexec smb meereen.essos.local -u sql_svc --kdcHost meereen.essos.local --use-kcache --pass-pol
SMB         meereen.essos.local 445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         meereen.essos.local 445    MEEREEN          [+] essos.local\sql_svc from ccache 
SMB         meereen.essos.local 445    MEEREEN          [+] Dumping password info for domain: ESSOS
SMB         meereen.essos.local 445    MEEREEN          Minimum password length: 5
SMB         meereen.essos.local 445    MEEREEN          Password history length: 24
SMB         meereen.essos.local 445    MEEREEN          Maximum password age: 311 days 2 minutes 
SMB         meereen.essos.local 445    MEEREEN          
SMB         meereen.essos.local 445    MEEREEN          Password Complexity Flags: 000000
SMB         meereen.essos.local 445    MEEREEN              Domain Refuse Password Change: 0
SMB         meereen.essos.local 445    MEEREEN              Domain Password Store Cleartext: 0
SMB         meereen.essos.local 445    MEEREEN              Domain Password Lockout Admins: 0
SMB         meereen.essos.local 445    MEEREEN              Domain Password No Clear Change: 0
SMB         meereen.essos.local 445    MEEREEN              Domain Password No Anon Change: 0
SMB         meereen.essos.local 445    MEEREEN              Domain Password Complex: 0
SMB         meereen.essos.local 445    MEEREEN          
SMB         meereen.essos.local 445    MEEREEN          Minimum password age: 1 day 4 minutes 
SMB         meereen.essos.local 445    MEEREEN          Reset Account Lockout Counter: 5 minutes 
SMB         meereen.essos.local 445    MEEREEN          Locked Account Duration: 5 minutes 
SMB         meereen.essos.local 445    MEEREEN          Account Lockout Threshold: 5
SMB         meereen.essos.local 445    MEEREEN          Forced Log off Time: Not Set

export KRB5CCNAME=/opt/Temp/GOAD/sql_svc.ccache; poetry run crackmapexec smb meereen.essos.local -u sql_svc --kdcHost meereen.essos.local --use-kcache -M shadowcoerce
SMB         meereen.essos.local 445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         meereen.essos.local 445    MEEREEN          [+] essos.local\sql_svc from ccache 

export KRB5CCNAME=/opt/Temp/GOAD/sql_svc.ccache; poetry run crackmapexec smb meereen.essos.local -u sql_svc --kdcHost meereen.essos.local --use-kcache -M petitpotam
SMB         meereen.essos.local 445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         meereen.essos.local 445    MEEREEN          [+] essos.local\sql_svc from ccache 
PETITPOT... meereen.essos.local 445    MEEREEN          VULNERABLE
PETITPOT... meereen.essos.local 445    MEEREEN          Next step: https://github.com/topotam/PetitPotam

export KRB5CCNAME=/opt/Temp/GOAD/sql_svc.ccache; poetry run crackmapexec smb meereen.essos.local -u sql_svc --kdcHost meereen.essos.local --use-kcache -M dfscoerce
SMB         meereen.essos.local 445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         meereen.essos.local 445    MEEREEN          [+] essos.local\sql_svc from ccache 
DFSCOERC... meereen.essos.local 445    MEEREEN          VULNERABLE
DFSCOERC... meereen.essos.local 445    MEEREEN          Next step: https://github.com/Wh04m1001/DFSCoerce
mpgn commented 1 year ago

Thanks for the PR; it is now merged in the latest official CrackMapExec repository

https://github.com/mpgn/CrackMapExec/commit/0a472e9366c583ec63d8604c167abceaad85723e https://github.com/mpgn/CrackMapExec/commit/5f5884785faa7c664633d56a247a2c16febe6503

Send me a DM on twitter to get your coin :)

lefayjey commented 1 year ago

Awesome! Thanks

I've reached out to you on Twitter :)