gentilkiwi / kekeo

A little toolbox to play with Microsoft Kerberos in C

ERROR kull_m_kerberos_asn1_net_SendAndRecv ; Packet size + 4 != Kerberos Packet Size #13

Open Meatballs1 opened 5 years ago

Meatballs1 commented 5 years ago
```
kekeo # tgs::s4u /tgt:TGT_user@QUENTIN.ORG_krbtgt~QUENTIN.ORG@QUENTIN.ORG.kirbi /user:administrator /service:cifs/sphere.quentin.org /ptt
Ticket  : TGT_user@QUENTIN.ORG_krbtgt~QUENTIN.ORG@QUENTIN.ORG.kirbi
  [krb-cred]     S: krbtgt/QUENTIN.ORG @ QUENTIN.ORG
  [krb-cred]     E: [00000012] aes256_hmac
  [enc-krb-cred] P: user @ QUENTIN.ORG
  [enc-krb-cred] S: krbtgt/QUENTIN.ORG @ QUENTIN.ORG
  [enc-krb-cred] T: [21/05/2019 23:51:35 ; 22/05/2019 09:51:35] {R:28/05/2019 23:51:35}
  [enc-krb-cred] F: [40e10000] name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
  [enc-krb-cred] K: ENCRYPTION KEY 18 (aes256_hmac      ): 8ef924459b58faeb940ba1114b8cc1b97aee61eee7bf3377bcf1154a01549693
  [s4u2self]  administrator
[kdc] name: TORUS.QUENTIN.ORG (auto)
[kdc] addr: 10.10.45.174 (auto)
ERROR kull_m_kerberos_asn1_net_SendAndRecv ; Packet size + 4 != Kerberos Packet Size
```

Windows 2016 DC - Wireshark shows the packet correctly - a TGS REP of 166 bytes.

Meatballs1 commented 5 years ago

Note this domain only supports AES 256. The TGT was retrieved with /aes256

If I try /aes256 with TGS:s4u I get:

KDC_ERR_BADOPTION (13) - 22/05/2019 00:04:05

In Wireshark I see a TGS-REQ then a valid TGS-REP then another TGS-REQ before the KRB error which says 'STATUS NOT SUPPORTED' - although that could just be my exploitation scenario failing.
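
For context on the error text in this issue: over TCP, each Kerberos message is preceded by a 4-byte big-endian length with the high bit reserved (RFC 4120, section 7.2.2), so a receiver compares that value plus 4 with the bytes it has read. The following is an added example, not kekeo's code and not a diagnosis of this report; the function names are hypothetical, and the sample frame is constructed, using 166 as the body length by assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result of checking one Kerberos-over-TCP frame (RFC 4120, section 7.2.2). */
typedef enum {
    KRB_FRAME_OK,        /* declared length + 4 == bytes received */
    KRB_FRAME_SHORT,     /* fewer bytes than declared: keep reading */
    KRB_FRAME_TRAILING,  /* more bytes than declared */
    KRB_FRAME_BAD        /* reserved high bit set: not a plain length */
} krb_frame_status;

/* Hypothetical helper: compare the 4-byte big-endian length prefix with
 * the number of bytes received so far. A TCP read may return only part
 * of a message, so SHORT means "read again", not "malformed". */
krb_frame_status krb_frame_check(const uint8_t *buf, size_t have,
                                 uint32_t *body_len)
{
    uint32_t declared;

    if (have < 4)
        return KRB_FRAME_SHORT;            /* prefix itself is incomplete */
    declared = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
               ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (declared & 0x80000000u)
        return KRB_FRAME_BAD;              /* high bit must be zero */
    *body_len = declared;
    if (have - 4 < declared)
        return KRB_FRAME_SHORT;
    if (have - 4 > declared)
        return KRB_FRAME_TRAILING;
    return KRB_FRAME_OK;
}

/* Constructed sample: a prefix declaring `body` bytes, then filler. */
size_t krb_make_sample(uint8_t *out, size_t cap, uint32_t body)
{
    if (cap < (size_t)body + 4)
        return 0;
    out[0] = (uint8_t)(body >> 24); out[1] = (uint8_t)(body >> 16);
    out[2] = (uint8_t)(body >> 8);  out[3] = (uint8_t)body;
    memset(out + 4, 0x6d, body);           /* filler, not a real TGS-REP */
    return (size_t)body + 4;
}
```

Comparing the status returned after each read against what a packet capture shows separates a partial read from a genuinely inconsistent prefix.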