p0dalirius / Coercer

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.
https://podalirius.net/
GNU General Public License v2.0

[bug] Kerberos authentification #55

Open 4ndr34z opened 1 year ago

4ndr34z commented 1 year ago

Kerberos auth. doesn't seem to be implemented?

7MinSec commented 3 months ago

Ah, I tried to do Kerberos authentication after my password-based auth doesn't seem to work (https://github.com/p0dalirius/Coercer/issues/77), but it doesn't look like Kerberos is fully implemented? Coercer doesn't seem to know about -k and doesn't seem to respect no-pass, so I'm stuck.

p0dalirius commented 1 month ago

Hi,

I am working on it; here is the test setup:

$ getTGT.py -dc-ip "SRV-DC01.LAB.local" "LAB"/'Administrator':'Admin123!'
Impacket v0.12.0.dev1+20240604.210053.9734a1af - Copyright 2023 Fortra

[*] Saving ticket in Administrator.ccache

$ KRB5CCNAME=$(pwd)/"Administrator.ccache" ./Coercer.py --debug --verbose --debug scan -k --target-ip SRV-DC01.LAB.local --kdcHost SRV-DC01.LAB.local

       ______
      / ____/___  ___  _____________  _____
     / /   / __ \/ _ \/ ___/ ___/ _ \/ ___/
    / /___/ /_/ /  __/ /  / /__/  __/ /      v2.4.3
    \____/\____/\___/_/   \___/\___/_/       by @podalirius_

[info] Starting scan mode
[info] Connecting with Kerberos, using ccache file: '/workspace/Coercer/Administrator.ccache'
[info] Scanning target SRV-DC01.LAB.local
[*] DCERPC portmapper discovered ports: 49664,49665,49666,49667,49669,63237,49671,49673,49674,49677,49693
[+] DCERPC port '49674' is accessible!
   [+] Successful bind to interface (12345678-1234-ABCD-EF00-0123456789AB, 1.0)!
         [>] Connecting to ncacn_np:SRV-DC01.LAB.local[\PIPE\Fssagentrpc] ... fail
            [!] Something went wrong, check error status => Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
         [>] Connecting to ncacn_np:SRV-DC01.LAB.local[\PIPE\efsrpc] ... fail
            [!] Something went wrong, check error status => Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
         [>] Connecting to ncacn_np:SRV-DC01.LAB.local[\PIPE\eventlog] ... fail
            [!] Something went wrong, check error status => Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
         [>] Connecting to ncacn_np:SRV-DC01.LAB.local[\PIPE\lsarpc] ... fail
            [!] Something went wrong, check error status => Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
         [>] Connecting to ncacn_np:SRV-DC01.LAB.local[\PIPE\lsass] ... fail
            [!] Something went wrong, check error status => Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
         [>] Connecting to ncacn_np:SRV-DC01.LAB.local[\PIPE\netdfs] ... fail
            [!] Something went wrong, check error status => Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
         [>] Connecting to ncacn_np:SRV-DC01.LAB.local[\PIPE\netlogon] ... fail
            [!] Something went wrong, check error status => Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
         [>] Connecting to ncacn_np:SRV-DC01.LAB.local[\PIPE\samr] ... fail
            [!] Something went wrong, check error status => Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
         [>] Connecting to ncacn_np:SRV-DC01.LAB.local[\PIPE\spoolss] ... fail
            [!] Something went wrong, check error status => Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
[+] All done! Bye Bye!

I have fixed lots of stuff; I am stuck on KDC_ERR_PREAUTH_FAILED now.

Best regards,