Open raithedavion opened 6 months ago
I've encountered this issue. EDR on the DC is not triggering nor is any other prevention. No crazy RPC hardening has occurred either. I was unable to even get the -just-dc-user flag to work with a specific user.
Configuration
impacket version: v0.11.0
Python version: 3.11.4
Target OS: Kali
This does not work...
This does?
Additional context
Used petitpotam to get DC's NTLM hashes, then went and tried to dump the domain. Trying to dump domain on this client failed, so tried -just-dc-user (rpc_access_denied). Tried just about everything including ticketer, and finally set the KRB5CCNAME and all of a sudden it just works using -just-dc-user.
Repeated the steps. I've set KRB5CCNAME to blank (export KRB5CCNAMe=) and set it to non-existent files, and blank files (wtf.txt above). For some reason, only when KRB5CCNAME is set will it dump this domain. I don't know the domain's exact setup so that could have something to do with it, but I find it odd that KRB5CCNAME being set is the fix when using the NTLM hash.