passthecert's People

Contributors

dreizehnutters, nickzer0, the-useless-one, thepiratewhosmellsofsunflowers, urisklyerg, whisparx

passthecert's Issues

KDC_ERR_BADOPTION

Hi,

I very much look forward to using your tool! However, when I tested it in my lab environment today, I was unable to request silver tickets. I get the error "Kerberos SessionError: KDC_ERR_BADOPTION(KDC cannot accommodate requested option)". See the picture below:

[Image: passthecertb]

This is strange since when I perform the same RBCD attack using BloodyAD and the same DC (dc2$) this works. See the picture below:
[Image: bloodyadb]

To me it seems that something is broken with the writing of the delegation rights in the case of your tool.

Any ideas? Thanks!

LDAP server not found

Hello!

Per this thread I'm excited to give PassTheCert a try but am having an issue. When I run this...

PassTheCert.exe --server FQDN.OF.A.DOMAINCONTROLLER --cert-path domainadmin.pfx --elevate --target "DC=victim,DC=domain" --sid XXX

I get this:

Unhandled Exception: System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.Connect()
   at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at PassTheCert.Program.GetSecurityDescriptor(LdapConnection connection, String target, String filter, String attribute, Boolean flag_control)
   at PassTheCert.Program.AclAttack(LdapConnection connection, String target, String filter, String attribute, AccessControlEntry[] new_aces, String restore_file, Boolean flag_control)
   at PassTheCert.Program.ElevateUserAttack(LdapConnection connection, String target, String sid, String restore_file)
   at PassTheCert.Program.Main(String[] args)

Any thoughts? The FQDN.OF.A.DOMAINCONTROLLER is resolvable and online (and a DC :-)

Is PassTheCert right for a shadow credentials job?

Hello AlmondOffSec friends!

I'm in a situation where I'm trying to figure out if PassTheCert is the right tool for this conundrum I'm in. I've followed this article to use ntlmrelayx + printerbug to relay and then edit the msds-keycredentiallink attribute of VICTIM-SERVER. When I take the next step of using gettgtpkinit.py to request a TGT, I get a long error mentioning KDC has no support for PADATA.

Google searches led me here, and I see some mention of using PassTheCert for shadow creds in issue #18 but I'm not sure if/how it applies to my situation. My goal is to get a TGT for VICTIM-SERVER and then use Kerberos S4U2Self to get a TGS for a service on the host.

Is PassTheCert the right tool for this?

Unhandled Exception: System.DirectoryServices.Protocols.TlsOperationException

Hello!

I've got an ESC1 vulnerability on a pentest where I've used Certify to request a cert on behalf of a domain admin. In PassTheCert I've done:

PassTheCert.exe --start-tls --server dc.victim.domain --cert-path cert.pfx --elevate --target "dc=victim,dc=domain" --sid XXX

The full error I get is:

Unhandled Exception: System.DirectoryServices.Protocols.TlsOperationException: An unspecified operation error occurred.
   at System.DirectoryServices.Protocols.LdapSessionOptions.StartTransportLayerSecurity(DirectoryControlCollection controls)
   at PassTheCert.Program.Main(String[] args)

I've tried without --start-tls and error changes to:

Unhandled Exception: System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.Connect()
   at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at PassTheCert.Program.GetSecurityDescriptor(LdapConnection connection, String target, String filter, String attribute, Boolean flag_control)
   at PassTheCert.Program.AclAttack(LdapConnection connection, String target, String filter, String attribute, AccessControlEntry[] new_aces, String restore_file, Boolean flag_control)
   at PassTheCert.Program.ElevateUserAttack(LdapConnection connection, String target, String sid, String restore_file)
   at PassTheCert.Program.Main(String[] args)

Any thoughts on what else to try from here?

Abuse with Domain Controller pfx

Hi,
I'm currently in a pentest and ran into the situation where I received the error message "KDC-ERR_PDATA_TYPE-NOSUPP" and came across your tool. However, I received a certificate for a domain controller with the ESC8 vulnerability. Normally I would now use the secretsdump tool to carry out a DcSync attack, which is not possible due to the lack of PKINIT. Is there another way I can take over the domain with the DomainController Computer Account permissions, or is it a dead end? I could not find any command which helps me further. Or is there some other tool out there for this special scenario?

Many thanks in advance, as the tool had already helped me with fully abusing ADCS ESC1.

Greets,
Barne

LDAP server is Unavailable

I found that most of the old reported issues have the same title! I'm wondering why this happened.

I scanned all domain controllers and found that they all have ports 389 and 636 open.

I started the command using the following:

passthecert.exe --server dc.contoso.local --cert-path file.pfx --whoami --start-tls

Then the usual error appears! I wrote a simple app to test the LDAP connection on port 389 and it was working. When I tried to debug the passthecert application, I found that the error happened when the whoami command is sent in line 242.

Any suggestions on this?

socket ssl wrapping error: [Errno 2] No such file or directory

I have been able to interact with both ldap and ldaps in various different contexts, including flagging both ldap and ldaps via certipy and ldapdomaindump, so this doesn't seem to be an environmental issue. Connecting to the DC with openssl s_client -connect $DC_IP:636 returns "Can't use SSL_get_servername" but connects, and the DC responds with the certificate. Any command I attempt with passthecert.py results in the following error:

Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
Traceback (most recent call last):
  File "/root/tools/PassTheCert/Python/passthecert.py", line 653, in <module>
    ldapConn.open()
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 57, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket ssl wrapping error: [Errno 2] No such file or directory
socket ssl wrapping error: [Errno 2] No such file or directory

SSL: UNEXPECTED_EOF_WHILE_READING - EOF occurred in violation of protocol

Hello,
I have had this error (for a few days) when I run passthecert:

┌──(fufu㉿computer)-[~]
└─$ python3 passthecert.py -action ldap-shell -crt user.crt -key user.key -domain corp.local -dc-ip 172.16.1.1                   
Impacket v0.11.0 - Copyright 2023 Fortra

("('socket ssl wrapping error: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1006)',)",)

I saw on some other issue that you should know if it's not an LDAPS issue. The connection between the AD and my machine on ports 636 and 389 seems OK (nmap/nc + openssl):

┌──(fufu㉿pan)-[~]
└─$ openssl s_client -connect 172.16.1.1:636
CONNECTED(00000003)
40D76EEFE67F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 430 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

┌──(fufu㉿pan)-[~]
└─$ nc -zv 172.16.1.1 636   
DC01 [172.16.1.5] 636 (ldaps) open

Should I use another version of impacket to use it? Or should I modify something else in my openssl configuration?

Regards
Fufu

Support for Shadow Credential certificate?

If an account is compromised with pywhisker.py during a shadow cred attack, a self-signed certificate is registered in LDAP, enabling PKINIT authentication under normal circumstances.
However, if the DC returns the error KDC_ERR_PADATA_TYPE_NOSUPP, would it still be possible to connect to LDAPS using this certificate?

python3 passthecert.py -action whoami -crt shadow_cred.crt -key shadow_cred.key -domain lab.local -dc-host "dc.lab.local" -debug       
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /opt/my-resources/tools/PassTheCert/Python/venv/lib/python3.11/site-packages/impacket
[+] The new computer will be added in CN=Computers,dc=lab,dc=local
Traceback (most recent call last):
  File "/opt/my-resources/tools/PassTheCert/Python/passthecert.py", line 685, in <module>
    manage.whoami()
  File "/opt/my-resources/tools/PassTheCert/Python/passthecert.py", line 453, in whoami
    raise Exception('whoami command failed, certificate seems not trusted by the Active Directory')
Exception: whoami command failed, certificate seems not trusted by the Active Directory
whoami command failed, certificate seems not trusted by the Active Directory

Thank you!

Unable to find temporary machine

Hi there,

Yesterday when I tried this rbcd attack it worked fine when the machine account was added via ntlmrelayx but today when I manually add a machine as shown using addComputer it can't find it to perform the attack. Any advice?

Thank you

socket ssl wrapping error

It throws an exception:
("('socket ssl wrapping error: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3874)',)",)

Potential Incorrect Screenshot

Hi guys,

I was using your brilliant tool today which got me DA eventually, but I think I noticed an issue in this screenshot. In this it seems you added the delegation to your Dummy computer which you added with add computer but really the attribute should be added the other way round. So the attribute goes onto the DC (in my case) specifying the Dummy computer.

As soon as I did that it worked fine.

Hope this helps

[Image: pass_the_cert_python]

delegate-to and delegate-from are mixed up

First of all: awesome work, thanks, I like it!

When using -action write_rbcd, the delegate-from and delegate-to parameters are mixed up logically.

It should be delegate-from 'dc$' delegate-to 'PC$'

[Image: mixed1]

[Image: mixed2]

'ManageComputer' object has no attribute '_ManageComputer__username'

python3 passthecert.py -dc-ip xx.xx.xx.xx -domain xxxxxxxxx -action add_computer -port 636 -crt user.crt -key user.key
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

'ManageComputer' object has no attribute '_ManageComputer__username'

I'm guessing it's an incompatibility with my version of Impacket?

LDAP server not found

Hi,

Following up on issue #2.

I'm currently having the same issue.
I started troubleshooting the same way @braimee did here, starting all the way back from the Certipy thread.
Likewise, I also received the Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type) error. And I'm currently stuck on the error shown below.

Unhandled Exception: System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.Connect()
   at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at PassTheCert.Program.GetSecurityDescriptor(LdapConnection connection, String target, String filter, String attribute, Boolean flag_control) in [PATH]\PassTheCert.cs:line 117
   at PassTheCert.Program.AclAttack(LdapConnection connection, String target, String filter, String attribute, AccessControlEntry[] new_aces, String restore_file, Boolean flag_control) in [PATH]\PassTheCert.cs:line 205
   at PassTheCert.Program.ElevateUserAttack(LdapConnection connection, String target, String sid, String restore_file) in [PATH]\PassTheCert.cs:line 228
   at PassTheCert.Program.Main(String[] args) in [PATH]\PassTheCert.cs:line 491

I've tried different DCs, all with port 389 and 636 fully open (as shown in nmap).
The --start-tls also just throws a different error for me.

Unhandled Exception: System.DirectoryServices.Protocols.TlsOperationException: An unspecified operation error occurred.
   at System.DirectoryServices.Protocols.LdapSessionOptions.StartTransportLayerSecurity(DirectoryControlCollection controls)
   at PassTheCert.Program.Main(String[] args) in [PATH]\PassTheCert.cs:line 479

Any thoughts on why this error occurs?

My command looks like this:

.\PassTheCert.exe --cert-path admin.pfx --elevate --target DC=test,DC=local --sid [SID] --server [DC]
