lefayjey / linWinPwn

linWinPwn is a bash script that streamlines the use of a number of Active Directory tools
MIT License

Kerberos Auth Not Working #35

Open kirtcathey opened 23 hours ago

kirtcathey commented 23 hours ago

Doesn't seem to work with Kerberos... any help? Looks like it would be an awesome tool otherwise. Am I missing something? Tried all kinds of cred combinations... CME and NXC authenticate fine.

./linWinPwn.sh -t 10.129.100.130 -d VINTAGE.HTB -u 'P.Rosa' -K '/home/kali/E/PT/HTB/Vintage/linWinPwn_vintage.htb_P.Rosa/Credentials/P.Rosa.ccache' -I tun0 -U domain-users.txt

   _        __        ___       ____                  
  | |(_)_ __\ \      / (_)_ __ |  _ \__      ___ __   
  | || | '_  \ \ /\ / /| | '_ \| |_) \ \ /\ / | '_ \  
  | || | | | |\ V  V / | | | | |  __/ \ V  V /| | | | 
  |_||_|_| |_| \_/\_/  |_|_| |_|_|     \_/\_/ |_| |_| 

  linWinPwn: version 1.0.29 
  https://github.com/lefayjey/linWinPwn
  Author: lefayjey
  Inspired by: S3cur3Th1sSh1t's WinPwn

[+] Tue Dec 3 11:58:24 PM EST 2024

[i] Target domain: vintage.htb
[i] Domain Controller's FQDN: dc01.vintage.htb
[i] Domain Controller's IP: 10.129.100.130
[i] Domain Controller's ports: RPC open, SMB open, LDAP open, LDAPS open, KRB open, RDP filtered|closed, WinRM open
[i] Output folder: /home/kali/E/PT/HTB/Vintage/linWinPwn_vintage.htb_P.Rosa
[i] User wordlist file: domain-users.txt
[i] Password wordlist file: /usr/share/wordlists/rockyou.txt
[i] Attacker's IP: 10.10.16.3
[i] Attacker's Interface: tun0
[i] Current target(s): Domain Controllers
SMB 10.129.100.130 445 10.129.100.130 [-] VINTAGE.HTB\P.Rosa from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN
[-] Error authenticating to domain! Please check your credentials and try again...

lefayjey commented 22 hours ago

Hello. Thanks for creating this issue.

It seems to be working for me.

Can you please show the content of the command.log file? Based on the error SMB 10.129.100.130 445 10.129.100.130 [-] VINTAGE.HTB\P.Rosa from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN, the FQDN of the DC should have been used and not the IP. linWinPwn uses the FQDN with Kerberos, but not in your case though.

kirtcathey commented 5 hours ago

The target (-t) parameter does not accept anything other than an IP. The error says to input an IP if you send anything else. The domain flag (-d) needs to be the TLB for Kerberos auth to work. HOWEVER, I got it to work with the key generated by the tool itself... and when I was referring to the Kerb key before, there was a soft link in the path. Some code does not handle path soft links well...
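
The two causes discussed in this thread, a symlinked ccache path and an IP address used as the Kerberos target, can be checked before a run. The following shell sketch is an added example, not part of any comment above and not linWinPwn code; the function names are hypothetical, and the magic-byte check assumes an MIT-format file ccache.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Kerberos ccache and target name.
# Function names are hypothetical; they are not part of linWinPwn.

# Print the ccache path with every symlink resolved; fail if it is unusable.
resolve_ccache() {
    real=$(readlink -f "$1") || return 1
    [ -f "$real" ] && [ -r "$real" ] || return 1
    # An MIT file ccache starts with byte 0x05 followed by a version byte 0x01-0x04.
    magic=$(od -An -tx1 -N2 < "$real" | tr -d ' \n')
    case "$magic" in
        0501|0502|0503|0504) printf '%s\n' "$real" ;;
        *) return 1 ;;
    esac
}

# Succeed only when the target is a host name, so the service ticket is
# requested for a name-based SPN instead of an IP address.
is_kerberos_hostname() {
    case "$1" in
        ''|*:*)    return 1 ;;   # empty string or IPv6 literal
        *[!0-9.]*) return 0 ;;   # contains something other than digits and dots
        *)         return 1 ;;   # digits and dots only: IPv4 literal
    esac
}

# usage: kerberos_preflight <ccache-path> <target>
# Exit status: 0 ok, 2 ccache unusable, 3 target is not a host name.
kerberos_preflight() {
    cc=$(resolve_ccache "$1") || { echo "ccache unusable: $1" >&2; return 2; }
    is_kerberos_hostname "$2" || { echo "use the DC FQDN, not $2" >&2; return 3; }
    # Symlink-free path, ready to export as KRB5CCNAME.
    printf 'KRB5CCNAME=%s\n' "$cc"
}
```

Running `kerberos_preflight` with the ccache path and `dc01.vintage.htb` prints the resolved `KRB5CCNAME` value; the same call with `10.129.100.130` returns status 3.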