fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

Access Denied with LogonNetworkTransitive on AD 2022 #1354

Open extrafu opened 2 years ago

extrafu commented 2 years ago

Hello,

Using impacket v0.10 with AD 2022. When trying to do a LogonNetworkTransitive using the code below, I get the following error: `impacket.dcerpc.v5.nrpc.DCERPCSessionError: NRPC SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.` From AD's GPO editor, if I add the machine_user (cluster1 in my case) to "Domain controller: Allow vulnerable Netlogon secure channel connections", everything works as expected. So my question is: what can be changed in the code below so that it works without adding the machine_user to that exception list? A secure channel is supposedly already established.

```python
#!/usr/bin/env python
import binascii
from binascii import unhexlify
import sys

from impacket.dcerpc.v5 import nrpc, epm
from impacket.dcerpc.v5 import transport

# Target DC and the machine account used to build the Netlogon secure channel
ad_ip = '172.20.20.232'
serverName = 'WIN-HOTO5OA823F.nachos.local'
machine_user = 'cluster1$'
lmhash = 'thelmhash'   # placeholders: hex-encoded LM/NT hashes of the machine account
nthash = 'thenthash'

# User whose NTLM network logon is being validated through the DC
domain = 'nachos'
username = 'administrator'
challenge = 'dbb7dacb353c11bc'
nt_response = 'a2568637cae095a457278c6ceb4de3961a06b772b85a0985'
request_nt_key = 1

# Resolve the NRPC endpoint through the endpoint mapper and bind to it over TCP
stringBinding = epm.hept_map(ad_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
rpctransport = transport.DCERPCTransportFactory(stringBinding)
rpctransport.set_credentials(machine_user, '', domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)

# Netlogon challenge exchange: fixed client challenge, server challenge from the DC
resp = nrpc.hNetrServerReqChallenge(dce, serverName, machine_user, b'12345678')
serverChallenge = resp['ServerChallenge']

# Derive the strong-key session key from the machine account NT hash and both challenges
bnthash = unhexlify(nthash)
sessionKey = nrpc.ComputeSessionKeyStrongKey('', b'12345678', serverChallenge, bnthash)

clientStoredCredential = nrpc.ComputeNetlogonCredential(b'12345678', sessionKey)

# Negotiate flags and prove possession of the session key to the DC
flags = 0x600FFFFF
resp = nrpc.hNetrServerAuthenticate3(dce, serverName, machine_user + '\x00',
                                     nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
                                     machine_user, clientStoredCredential, flags)
timestamp = 0

# Build a NetrLogonSamLogon request carrying a NetlogonNetworkTransitive logon
request = nrpc.NetrLogonSamLogon()
request['LogonServer'] = serverName + '\x00'
request['ComputerName'] = machine_user + '\x00'
request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['LogonNetworkTransitive']['Identity']['LogonDomainName'] = domain
# MSV1_0 ParameterControl bits (sums to 0x4AA2)
request['LogonInformation']['LogonNetworkTransitive']['Identity']['ParameterControl'] = 2 + 2 ** 14 + 2 ** 7 + 2 ** 9 + 2 ** 5 + 2 ** 11
request['LogonInformation']['LogonNetworkTransitive']['Identity']['UserName'] = username
request['LogonInformation']['LogonNetworkTransitive']['Identity']['Workstation'] = ''
request['LogonInformation']['LogonNetworkTransitive']['LmChallenge'] = binascii.unhexlify(challenge)
request['LogonInformation']['LogonNetworkTransitive']['NtChallengeResponse'] = binascii.unhexlify(nt_response)
request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
# Each call on the secure channel carries an authenticator derived from the stored credential
request['Authenticator'] = nrpc.ComputeNetlogonAuthenticator(clientStoredCredential, sessionKey)
request['ReturnAuthenticator']['Credential'] = b'\x00' * 8
request['ReturnAuthenticator']['Timestamp'] = timestamp

resp = dce.request(request)

if request_nt_key:
    # The DC returns the user's session key in the SamInfo4 validation structure
    sessionKey = resp['ValidationInformation']['ValidationSam4']['UserSessionKey']
    print('NT_KEY: ' + binascii.hexlify(sessionKey).decode("ascii").upper())

sys.exit(0)
```
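The `nrpc.ComputeSessionKeyStrongKey` call in the script above is where the whole secure channel is rooted: the DC and the client both derive the same 128-bit session key from the machine account's NT hash and the two challenges, and every later credential, authenticator and the returned `UserSessionKey` depends on it. The following is an added, stand-alone re-implementation of that strong-key derivation (MS-NRPC 3.1.4.3.1, the "strong key" option rather than the AES option) using only the Python standard library; it is not impacket's code and not part of the issue. The NT hash (the well-known hash of the empty password) and the server challenge are constructed sample values, and `session_key_hex` is a helper name chosen here.

```python
import hashlib
import hmac

# Constructed sample inputs (not the hashes or challenges from the issue):
SAMPLE_NT_HASH = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")  # NT hash of an empty password
CLIENT_CHALLENGE = b"12345678"                                        # same fixed literal the script sends
SERVER_CHALLENGE = bytes.fromhex("0011223344556677")                   # stand-in for resp['ServerChallenge']


def compute_session_key_strong_key(nt_hash: bytes, client_challenge: bytes, server_challenge: bytes) -> bytes:
    """Strong-key Netlogon session key (MS-NRPC 3.1.4.3.1, 128-bit strong-key variant).

    Digest     = MD5(Zero(4) || ClientChallenge || ServerChallenge)
    SessionKey = HMAC-MD5(M4SS, Digest)   with M4SS = the MD4 NT hash of the shared secret
    """
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    if len(client_challenge) != 8 or len(server_challenge) != 8:
        raise ValueError("Netlogon challenges are 8 bytes each")
    digest = hashlib.md5(b"\x00" * 4 + client_challenge + server_challenge).digest()
    return hmac.new(nt_hash, digest, hashlib.md5).digest()


def session_key_hex(nt_hash_hex: str, client_challenge: bytes, server_challenge: bytes) -> str:
    """Hypothetical convenience wrapper mirroring the script's hex-string handling of nthash."""
    key = compute_session_key_strong_key(bytes.fromhex(nt_hash_hex), client_challenge, server_challenge)
    return key.hex()


if __name__ == "__main__":
    # With a fixed client challenge, only the server challenge and the secret vary the key.
    print("session key:", session_key_hex(SAMPLE_NT_HASH.hex(), CLIENT_CHALLENGE, SERVER_CHALLENGE))
```

The DC performs exactly the same computation from the machine-account secret it stores, so `NetrServerAuthenticate3` succeeds only when both sides hold the same NT hash; a stale or wrong machine password shows up as a credential mismatch at that step, not as the `STATUS_ACCESS_DENIED` on `NetrLogonSamLogon` reported in this issue.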

extrafu commented 2 years ago

Quick update, I've added:

```python
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_WINNT

# Request packet privacy (sign + seal) with NTLM as the RPC authentication service
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
dce.set_auth_type(RPC_C_AUTHN_WINNT)
```

and still get the access denied error. I also get the error with:

```python
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_NETLOGON

# Same privacy level, but with the Netlogon SSP as the RPC authentication service,
# reusing the credentials already configured on the transport
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
dce.set_auth_type(RPC_C_AUTHN_NETLOGON)
dce.set_credentials(*(rpctransport.get_credentials()))
```

extrafu commented 2 years ago

From https://github.com/SecureAuthCorp/impacket/commit/ecc3008d3bad6e53204d38e93f3bda1d99b0000c -- @0xdeaddood it looks like it's expected to fail since a secure RPC session is required. What is required here to establish one? Thanks

ly4k commented 1 year ago

Any updates on this? Getting the same error even after adding the machine to the GPO.