Exception when using rc4opsec and targeting SPN(s) with service names #43

Closed
2XXE-SRA opened this issue Apr 9, 2020 · 9 comments

Comments

2XXE-SRA (Author) commented Apr 9, 2020

Situation: target user has an SPN set that has a form like "HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local" (ex: https://docs.microsoft.com/en-us/windows/win32/ad/name-formats-for-unique-spns#replicable-services) and msDS-SupportedEncryptionTypes is not set. Rubeus kerberoasts as expected when run without any arguments but throws the following exception when run with rc4opsec:

[X] Error: invalid TGS_REQ sname 'HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local'
[X] KRB-ERROR (60) : KRB_ERR_GENERIC
[X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN
[X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN

Removing the "/CN=Users,DC=domain,DC=local" portion resolves the issue.

Full output:
w/o rc4opsec

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Searching the current domain for Kerberoastable users

[*] Total kerberoastable users : 1


[*] SamAccountName         : user
[*] DistinguishedName      : CN=user,CN=Users,DC=domain,DC=local
[*] ServicePrincipalName   : HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local
[*] PwdLastSet             : 3/10/2020 3:11:27 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*<snip>

w/ rc4opsec

[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user
[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else
[*] Searching the current domain for Kerberoastable users
[*] Searching for accounts that only support RC4_HMAC, no AES

[*] Total kerberoastable users : 1


[*] SamAccountName         : user
[*] DistinguishedName      : CN=user,CN=Users,DC=domain,DC=local
[*] ServicePrincipalName   : HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local
[*] PwdLastSet             : 3/10/2020 3:11:27 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[X] Error: invalid TGS_REQ sname 'HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local'
[X] KRB-ERROR (60) : KRB_ERR_GENERIC
[X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN
[X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN

I've also experienced this issue in other environments, however the error was the same as #42 rather than the above.

HarmJ0y (Member) commented Apr 14, 2020

Interesting, thanks for the report, I'll try to look into this soon once I can recreate.

HarmJ0y added a commit that referenced this issue Apr 14, 2020
Fix for issue #43 - kerberoasting/TGS-REQ compatibility for SPNs with 3 parts.
HarmJ0y (Member) commented Apr 14, 2020

This should now be fixed in the master branch as of f7c614e. I'm closing for now, but feel free to reopen if the fix doesn't work.

@HarmJ0y HarmJ0y closed this as completed Apr 14, 2020
2XXE-SRA (Author) commented:

Thanks for looking into this. Unfortunately it did not work. If it helps, the attacker machine and DC are both Server 2019 1809 and the domain/forest functional level is 2016.

2XXE-SRA (Author) commented:

(I cannot reopen since you were the one that closed it)

@HarmJ0y HarmJ0y reopened this Apr 14, 2020
HarmJ0y (Member) commented Apr 14, 2020

Sorry about that. The fix works for my test environment. The part that was erroring out was the TGS_REQ part that broke the requested sname into the appropriate parts: https://github.com/GhostPack/Rubeus/blob/master/Rubeus/lib/krb_structures/TGS_REQ.cs#L67-L95

If you remove the parts.Length == 3 clause and replace the second clause with else if ((parts.Length == 2) || (parts.Length == 3)) does that fix your situation?

2XXE-SRA (Author) commented:

If I'm understanding you correctly, I remove lines 83-91 and replace line 75 with your snippet. Doing that did not make a difference.

2XXE-SRA (Author) commented:

However, in both cases (original fix and this fix), the error message is different:

[X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN
[X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN
[X] KRB-ERROR (7) : KDC_ERR_S_PRINCIPAL_UNKNOWN

2XXE-SRA (Author) commented:

I turned on Wireshark while running Rubeus and the Kerberos request showed that the SPN being requested was truncated in the CN=users... portion. The issue lies here: https://github.com/GhostPack/Rubeus/blob/master/Rubeus/lib/Roast.cs#L837 where the SPN is split by ",". I did a quick test by removing the split and performing the Ask.TGS against the SPN directly. This worked and I got a hash back that was recoverable to the expected plaintext.
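The two splitting steps this thread turns on, breaking one SPN into the PrincipalName components sent as the TGS-REQ sname (HarmJ0y's comment about TGS_REQ.cs) and the split on "," that the Wireshark capture exposed in Roast.cs, shown together as an added Python example. This is not Rubeus code: the LDAP_SPNS table is a constructed stand-in for servicePrincipalName values, the rejoin heuristic in split_spn_list is an assumption made for the example (the actual fix simply removed the split), and the name-type constant is an assumption since Windows KDCs resolve the sname by its name-string.

```python
"""Added example (not Rubeus code): how an SPN whose service-name component is an
LDAP DN such as 'CN=Users,DC=domain,DC=local' survives, or fails to survive,
the two splitting steps discussed in the thread."""

# RFC 4120 section 6.2 name type. Assumption: the KDC resolves the sname by its
# name-string, so the exact type does not matter for this demonstration.
NT_SRV_INST = 2
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7

# Constructed stand-in for servicePrincipalName values an LDAP query would return.
LDAP_SPNS = {
    "user": ["HTTP/computer.domain.local:10000/CN=Users,DC=domain,DC=local"],
    "svc_sql": ["MSSQLSvc/sql01.domain.local:1433", "MSSQLSvc/sql01.domain.local"],
}


def spn_to_sname(spn):
    """Split 'class/host[:port][/servicename]' into the PrincipalName name-string.

    maxsplit=2 keeps everything after the second '/' as the service name, so a
    DN-form service name (which contains commas, never a separator here) stays
    one component instead of being cut up.
    """
    parts = spn.split("/", 2)
    if not 1 <= len(parts) <= 3 or any(p == "" for p in parts):
        raise ValueError("invalid TGS_REQ sname %r" % spn)
    return {"name-type": NT_SRV_INST, "name-string": parts}


def split_spn_list_naive(raw):
    """The defect: every ',' is treated as a list separator, so a DN-form
    service name is truncated at its first comma."""
    return [s.strip() for s in raw.split(",") if s.strip()]


def split_spn_list(raw):
    """Heuristic fix (assumed for this example): a ',' separates two SPNs only
    when the text after it contains a '/', which every SPN has (class/host).
    Fragments without '/' are DN attributes and are glued back onto the
    preceding SPN."""
    out = []
    for frag in raw.split(","):
        if out and "/" not in frag:
            out[-1] += "," + frag
        else:
            out.append(frag.strip())
    return [s for s in out if s]


def kdc_lookup(sname, directory=LDAP_SPNS):
    """Mimic the KDC: find the account whose servicePrincipalName equals the
    requested name-string joined with '/', compared case-insensitively.
    Returns (samAccountName, None) or (None, KDC_ERR_S_PRINCIPAL_UNKNOWN)."""
    wanted = "/".join(sname["name-string"]).lower()
    for account, spns in directory.items():
        if any(s.lower() == wanted for s in spns):
            return account, None
    return None, KDC_ERR_S_PRINCIPAL_UNKNOWN


def roast_account(account, splitter, directory=LDAP_SPNS):
    """Run the pipeline for one account with the given list splitter and report,
    per SPN actually sent, which account the KDC would resolve it to."""
    raw = ",".join(directory[account])  # a comma-joined list reaching the splitter
    results = []
    for spn in splitter(raw):
        found, err = kdc_lookup(spn_to_sname(spn), directory)
        results.append((spn, found, err))
    return results


if __name__ == "__main__":
    for name, splitter in (("naive", split_spn_list_naive), ("fixed", split_spn_list)):
        print(name)
        for spn, found, err in roast_account("user", splitter):
            print("  sname=%r -> %s" % (spn, found or "KRB-ERROR (%d)" % err))
```

With the naive splitter the single SPN becomes three requests, 'HTTP/computer.domain.local:10000/CN=Users', 'DC=domain' and 'DC=local', and each draws KDC_ERR_S_PRINCIPAL_UNKNOWN, the same shape as the three errors reported above; with the comma left alone the full SPN resolves to the account.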

HarmJ0y added a commit that referenced this issue Aug 18, 2020
removed the SPN split on "," to support alternate SPN formats
HarmJ0y (Member) commented Aug 18, 2020

This should now be fixed in master with a44c475

@HarmJ0y HarmJ0y closed this as completed Aug 18, 2020