Open 3v1lg3n7u54007 opened 6 months ago
I think it will be too late, but it is the domain controller that does not support PKINIT authentication (Kerberos authentication with a certificate). It could be because the DC does not have an installed certificate from your ADCS component.
You can still authenticate through LDAPS (authentication through TLS) with the command: "certipy auth -ldap-shell" and then exploit RBCD.
If you want to patch this issue, you can try to enroll certificates for your domain controller, with the following commands:
certutil -addstore root \\[ADCS]\CertEnroll\[ADCS.domain.local]_[CA-name].crt
certutil -addstore CA \\[ADCS]\CertEnroll\[CA-name].crl
certutil -addstore CA \\[ADCS]\CertEnroll\[CA-name]+.crl
gpupdate /force
More information on this error: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
I deployed an AD Environment for my project but I have been facing some issues lately. I successfully exploited the Certifried Vuln in the AD env and made sure to document the steps and also took a snapshot of the environment that the exploit was working on.
The demo for my project is tomorrow and here I am with some code which was previously working but currently isn't... ;-;
But now I am facing an issue regarding KDC_ERR_PADATA_TYPE_NOSUPP (KDC has no support for padata type). Are there any suggestions or fixes for this? Would really appreciate the help. Below I have attached the error as well.
PS C:\Users\EAnderson> certipy req -u EAnderson@Activedirectoryenvironment.local -p Employee23213 -ca ActiveDirectoryEnvironment-AD-DOMAIN-CONTR-CA -template User -debug
[+] Trying to resolve 'ACTIVEDIRECTORYENVIRONMENT.LOCAL' at '192.168.15.144'
[+] Resolved 'ACTIVEDIRECTORYENVIRONMENT.LOCAL' from cache: 192.168.15.144
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:192.168.15.144[\pipe\cert]
[+] Connected to endpoint: ncacn_np:192.168.15.144[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 362
[*] Got certificate with UPN 'EAnderson@ActiveDirectoryEnvironment.local'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'eanderson.pfx'
PS C:\Users\EAnderson> certipy auth -pfx eanderson.pfx
[*] Using principal: eanderson@activedirectoryenvironment.local
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
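
Log triage for the event 4771 reference linked in the reply above, as an added example that is not part of the thread or of Certipy: it parses exported 4771 records and counts failure code 0x10 (KDC_ERR_PADATA_TYPE_NOSUPP) per account and client address, which is how certificate logons against a DC without a usable certificate appear in the Security log. The sample records, account names and addresses are constructed, and the field names (TargetUserName, Status, IpAddress) are assumed to match the event's XML export.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Failure codes listed in Microsoft's event 4771 reference.
FAILURE_CODES = {0x10: "KDC_ERR_PADATA_TYPE_NOSUPP", 0x17: "KDC_ERR_KEY_EXPIRED",
                 0x18: "KDC_ERR_PREAUTH_FAILED"}

def make_event(user, status, ip):
    """Build a constructed 4771 record in the Windows event XML layout (assumed fields)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4771</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="Status">{status}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        "</EventData></Event>"
    )

# Constructed sample records; not taken from the thread's environment.
SAMPLE_EVENTS = [
    make_event("user.a", "0x10", "::ffff:10.0.0.21"),
    make_event("user.a", "0x10", "::ffff:10.0.0.21"),
    make_event("user.b", "0x18", "::ffff:10.0.0.35"),
    make_event("user.c", "0x17", "::ffff:10.0.0.40"),
]

def parse_4771(xml_text):
    """Return (user, failure_code, client_ip), or None if this is not a 4771 event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4771":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return data["TargetUserName"], int(data["Status"], 16), data["IpAddress"]

def pkinit_unsupported(events):
    """Count 0x10 failures per (user, client) so repeated attempts stand out."""
    hits = defaultdict(int)
    for xml_text in events:
        parsed = parse_4771(xml_text)
        if parsed and parsed[1] == 0x10:
            hits[(parsed[0], parsed[2])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (user, ip), n in pkinit_unsupported(SAMPLE_EVENTS).items():
        print(f"{user} from {ip}: {n}x {FAILURE_CODES[0x10]}")
```

A steady count of 0x10 across many accounts points at the DC's certificate enrollment, while 0x18 entries are ordinary bad-password failures and are left out of the result.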