Open kirtcathey opened 23 hours ago
Hello. Thanks for creating this issue.
It seems to be working for me.
Can you try to show please the content of the command.log file ?
Based on the error SMB 10.129.100.130 445 10.129.100.130 [-] VINTAGE.HTB\P.Rosa from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN
, the FQDN of the DC should have been used and not the IP. linWInPwn uses the FQDN with Kerberos, but not in your case though.
The target (-t) parameter does not accept anything other than an IP. The error says to input an IP if you send anything else. The domain flag (-d) needs to be the TLB for Kerberos auth to work. HOWEVER, I got it to work with the key generated by the tool itself... and when I was referring to the Kerb key before, there was a soft link in the path. Some code does not handle path soft links well...
Doesn't seem to work with Kerberos... any help. Looks like it would be an awesome tool otherwise. Am I missing something? Tried all kinds of cred combinations... CME and NXC authenticates fine.
./linWinPwn.sh -t 10.129.100.130 -d VINTAGE.HTB -u 'P.Rosa' -K '/home/kali/E/PT/HTB/Vintage/linWinPwn_vintage.htb_P.Rosa/Credentials/P.Rosa.ccache' -I tun0 -U domain-users.txt
[+] Tue Dec 3 11:58:24 PM EST 2024
[i] Target domain: vintage.htb [i] Domain Controller's FQDN: dc01.vintage.htb [i] Domain Controller's IP: 10.129.100.130 [i] Domain Controller's ports: RPC open, SMB open, LDAP open, LDAPS open, KRB open, RDP filtered|closed, WinRM open [i] Output folder: /home/kali/E/PT/HTB/Vintage/linWinPwn_vintage.htb_P.Rosa [i] User wordlist file: domain-users.txt [i] Password wordlist file: /usr/share/wordlists/rockyou.txt [i] Attacker's IP: 10.10.16.3 [i] Attacker's Interface: tun0 [i] Current target(s): Domain Controllers SMB 10.129.100.130 445 10.129.100.130 [-] VINTAGE.HTB\P.Rosa from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN [-] Error authenticating to domain! Please check your credentials and try again...