fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

[-] Kerberos SessionError: KDC_ERR_TGT_REVOKED(TGT has been revoked) #1661

Closed infosecconsultant closed 8 months ago

infosecconsultant commented 10 months ago

Configuration

impacket version: v0.11.0
Python version: 3.11
Target OS: MacOS

Debug Output With Command String

smbclient.py domain.local/administrator@domainconller.domain.local -k -no-pass -dc-ip 10.10.10.10 -file shellargs.txt -debug

/usr/local/bin/smbclient.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.11.0', 'smbclient.py')
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/local/lib/python3.11/site-packages/impacket-0.11.0-py3.11.egg/impacket
[+] Using Kerberos Cache: /Users/admin/Desktop/administrator.ccache
[+] SPN CIFS/domainconller.domain.local@domain.local not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/domain.local@domain.local
[+] Using TGT from cache
[+] Trying to connect to KDC at 10.10.10.10:88
[+] Server time (UTC): 2023-12-11 02:05:13
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/impacket-0.11.0-py3.11.egg/EGG-INFO/scripts/smbclient.py", line 100, in main
    smbClient.kerberosLogin(username, password, domain, lmhash, nthash, options.aesKey, options.dc_ip )
  File "/usr/local/lib/python3.11/site-packages/impacket-0.11.0-py3.11.egg/impacket/smbconnection.py", line 335, in kerberosLogin
    raise e
  File "/usr/local/lib/python3.11/site-packages/impacket-0.11.0-py3.11.egg/impacket/smbconnection.py", line 319, in kerberosLogin
    return self._SMBConnection.kerberosLogin(user, password, domain, lmhash, nthash, aesKey, kdcHost, TGT,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/impacket-0.11.0-py3.11.egg/impacket/smb3.py", line 713, in kerberosLogin
    tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(serverName, domain, kdcHost, tgt, cipher, sessionKey)
                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/impacket-0.11.0-py3.11.egg/impacket/krb5/kerberosv5.py", line 444, in getKerberosTGS
    r = sendReceive(message, domain, kdcHost)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/impacket-0.11.0-py3.11.egg/impacket/krb5/kerberosv5.py", line 91, in sendReceive
    raise krbError
impacket.krb5.kerberosv5.KerberosError: Kerberos SessionError: KDC_ERR_TGT_REVOKED(TGT has been revoked)
[-] Kerberos SessionError: KDC_ERR_TGT_REVOKED(TGT has been revoked)

Additional context

I've been testing out different golden ticket creation methods. Running the commands with -aesKey <AES128/256> flag works perfectly and mints the tickets. However, using the NT hash for the KRBTGT account fails.

This works: ticketer.py -ts -aesKey <AES_256> -domain-sid S-1-5-21-<SID> -domain domain.local -user-id 500 administrator

This does not: ticketer.py -ts -nthash <NTHASH> -domain-sid S-1-5-21-<SID> -domain domain.local -user-id 500 administrator

I'm trying to understand why and I'm not sure if this is a bug or I'm doing something wrong. Any help would be appreciated.

anadrianmanrique commented 10 months ago

This one seems to be a duplicate of #1601.

anadrianmanrique commented 8 months ago

Closing this one. Let's follow this up in #1601. Thanks.