fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

net.py can't create a new user when utilizing it through a session from ntlmrelayx #1679

Open enj5oy opened 8 months ago

enj5oy commented 8 months ago

Configuration

impacket version: v0.12.0.dev1+20230817.32422.a769683f
Python version: 3.10
Target OS: Windows Server 2016
[screenshot: 2024-01-10_21-26]

After this command the user is created with hash 31d6cfe0d16ae931b73c59d7e0c089c0 and the user is disabled.

NtAlexio2 commented 8 months ago

Please paste debug output as explained in issue template.

enj5oy commented 8 months ago

@NtAlexio2 issue

NtAlexio2 commented 8 months ago

Unfortunately I couldn't simulate your situation, but the bug is about session_key (line 2973 in samr.py). By default this key is set while authenticating. I'm not sure how you got a session from ntlmrelayx; could you explain more about your session? I just tested with -k in combination with getTGT.py and it worked without any problem:

┌──(kali㉿kali)-[~/Downloads/impacket-master]
└─$ proxychains python examples/net.py -dc-ip 192.168.8.1 -k -no-pass contoso.local/administrator@victimhost.contoso.local user -create newAdmin -newPasswd Passw0rd
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  192.168.8.12:1080  ...  contoso.local:445   ...  OK
[proxychains] Strict chain  ...  192.168.8.12:1080  ...  192.168.8.1:88      ...  OK
[*] Creating user account 'newAdmin'
[+] user account created succesfully: newAdmin:Passw0rd

enj5oy commented 8 months ago

@NtAlexio2 I start ntlmrelayx [screenshot: 2024-01-16_07-32]. Then I coerce authentication from a domain admin to the attacker host [screenshot: 2024-01-16_07-29]. Then I run net.py through proxychains.

gabrielg5 commented 7 months ago

Hey,

I was able to replay the issue in my environment. Haven't made much progress yet finding a solution, but writing down what I've been checking.

Test 1: Trying user account creation with net.py both "using Kerberos authentication" and "directly passing credentials as a command parameter". Both worked fine; the user is created OK and no exceptions are shown.

Test 2: Triggered ntlmrelayx with -socks. Coerced a connection to relay from a workstation. Launched net.py with proxychains to create a user. Boom!

The error is in session_key, as stated by @NtAlexio2 in a previous comment. When creating a user, that property is used (and needs to not be empty, as it's being manipulated, i.e. split, in the process).

When launching net.py with a relayed connection, session_key is empty. When launching net.py with other auth methods, it is not empty. This is why Test 1 works fine.

Checked other examples and they are performing the same as net.py: session_key is empty when relayed and not empty when not relayed. But they are not doing anything with it; that's why those examples do not fail.

Still have not found why it's not the same, or whether that property is being manipulated in any of those scenarios and causing this misbehavior.
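Added illustration of the failure mode gabrielg5 describes above; this is not impacket's code and does not reproduce samr.py. The background is that SAMR password-setting calls encrypt the new password with a key derived from the SMB session key, and a relayed session has no such key on the relay side (the relay forwards the NTLM exchange but never holds the key material the session key is derived from). The hash reported in the first comment, 31d6cfe0d16ae931b73c59d7e0c089c0, is the NT hash of an empty password, which is consistent with the account being created but the password never being applied. The snippet shows why slicing an empty session_key fails silently and how an explicit precondition turns that into a clear error. The derivation function is a simplified MD5(salt || key) stand-in, not the real wire format, and the session names and key bytes are constructed sample data; all of these are assumptions, not something taken from the issue.

```python
import hashlib

SESSION_KEY_LEN = 16  # NTLM/SMB session keys are 16 bytes


class MissingSessionKeyError(RuntimeError):
    """The transport carries no session key, so password material cannot be encrypted."""


def derive_rc4_key_unchecked(session_key: bytes, salt: bytes) -> bytes:
    """Simplified stand-in (assumption) for the MD5(salt || session_key) style
    derivation used for SAMR encrypted password buffers.

    Slicing an empty key yields b'' and MD5 still returns 16 bytes, so the
    caller gets a key the DC cannot match: the failure is silent.
    """
    return hashlib.md5(salt + session_key[:SESSION_KEY_LEN]).digest()


def derive_rc4_key_checked(session_key: bytes, salt: bytes) -> bytes:
    """Same derivation, but refuse to proceed without a real session key."""
    if len(session_key) < SESSION_KEY_LEN:
        raise MissingSessionKeyError(
            "session key is %d bytes (need %d); a relayed session carries none, "
            "so SAMR password operations cannot succeed on it"
            % (len(session_key), SESSION_KEY_LEN)
        )
    return derive_rc4_key_unchecked(session_key, salt)


def session_key_available(session_key: bytes) -> bool:
    """Precondition a tool can test before attempting user creation."""
    return len(session_key) >= SESSION_KEY_LEN


# Constructed sample sessions (not captured data): the key bytes are arbitrary.
SAMPLE_SESSIONS = {
    "kerberos_getTGT": bytes(range(16)),  # authenticated directly: key known
    "relayed_socks": b"",                 # relayed through ntlmrelayx: key unknown
}


def classify_sessions(sessions=SAMPLE_SESSIONS) -> dict:
    """Map each session name to whether a SAMR password-set call could work."""
    return {name: session_key_available(key) for name, key in sessions.items()}


if __name__ == "__main__":
    salt = b"\x11" * 16  # constructed; the real salt is random per request
    for name, key in SAMPLE_SESSIONS.items():
        try:
            derive_rc4_key_checked(key, salt)
            print(f"{name}: ok")
        except MissingSessionKeyError as exc:
            print(f"{name}: refused ({exc})")
    print("unchecked derivation on an empty key still returns",
          len(derive_rc4_key_unchecked(b"", salt)), "bytes")
```

The point of the checked variant is only diagnostic: with an empty session_key the naive path produces a well-formed but useless key, which matches the symptom of an account that exists but has no usable password, whereas a length check fails fast with a message naming the cause.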