NetExec
Inconsistency between --lsa via NTLM and Kerberos
It looks like there is some inconsistency between the result of the --lsa option when connecting via NTLM and Kerberos:
Below is the result when dumping LSA via an NTLM authentication:
And here is the result when dumping via Kerberos (-k):
The AES and DES keys for the DC$ account are not dumped.
I'll take a look at why ASAP.
Maybe something is wrong in impacket. 🧐
The bug is located in secretsdump, function getMachineKerberosSalt(). Using Kerberos, Impacket is not able to obtain the domain FQDN and the computer name which are required to build the salt used to decrypt AESKeys.
The following code patches the bug:
def getMachineKerberosSalt(self):
    """
    Returns Kerberos salt for the current connection if
    we have the correct information
    """
    # Patched by @Defte_: when using Kerberos, the getServerName function returns nothing,
    # but we do need the domain FQDN as well as the computer name
    if self.__smbConnection.getServerName() == '':
        # To do so we can call getMachineNameAndDomain(), which returns:
        # - The computer name
        # - The domain name (not the FQDN, so we don't need it, hence the _)
        # Using the getRemoteHost function we can get the DC FQDN, from which we subtract the computer name
        # Once we have the domain FQDN and the computer name we can compute the Kerberos salt
        host, _ = self.getMachineNameAndDomain()
        domain = self.__smbConnection.getRemoteHost().split(f"{host.lower()}.")[1]
        LOG.debug(f"[Secretsdump][getMachineKerberosSalt] {host}.{domain}")
    else:
        host = self.__smbConnection.getServerName()
        domain = self.__smbConnection.getServerDNSDomainName()
    salt = b'%shost%s.%s' % (domain.upper().encode('utf-8'), host.lower().encode('utf-8'), domain.lower().encode('utf-8'))
    return salt
And now we can obtain the AESKeys as well via --lsa -k
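The salt construction the patch relies on, as an added example that is not part of the issue, the patch, or impacket's own code: it builds the computer-account salt in the same format the patch uses (DOMAIN.TLD in upper case, the literal "host", the hostname in lower case, a dot, the domain in lower case), and it handles the failure mode the patch leaves open, namely a target given as an IP address or a DNS name that does not start with the computer name, in which case the patch's split() would raise an IndexError. The host and domain names are constructed sample values, and pbkdf2_stage is only the first stage of the RFC 3962 string-to-key function, included to show that a wrong salt yields a different key.

```python
import hashlib
import ipaddress
from typing import Optional

# Constructed sample values (not taken from the issue): a DC named DC01 in corp.example.local
SAMPLE_HOST = "DC01"
SAMPLE_REMOTE_FQDN = "dc01.corp.example.local"


def domain_from_remote_host(remote_host: str, host: str) -> Optional[str]:
    """Derive the domain FQDN from the target's DNS name, given the computer name.

    Mirrors the split in the patch, but returns None instead of raising when the
    target was given as an IP address or does not start with "<host>.": in that
    case no correct salt can be built, and the caller should report that rather
    than compute a salt from garbage.
    """
    try:
        ipaddress.ip_address(remote_host)
        return None  # an IP address carries no DNS domain information
    except ValueError:
        pass
    prefix = host.lower() + "."
    if not remote_host.lower().startswith(prefix):
        return None
    domain = remote_host[len(prefix):]
    return domain or None


def machine_kerberos_salt(host: str, domain: str) -> bytes:
    """Computer-account salt: DOMAIN.TLD (upper) + 'host' + hostname (lower) + '.' + domain (lower)."""
    return b"%shost%s.%s" % (
        domain.upper().encode("utf-8"),
        host.lower().encode("utf-8"),
        domain.lower().encode("utf-8"),
    )


def pbkdf2_stage(password: str, salt: bytes, key_len: int = 32, iterations: int = 4096) -> bytes:
    """First stage of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the password and salt.

    The real AES key additionally goes through the DK() step, which needs an AES
    primitive that is not in the standard library, so it is omitted here.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, key_len)


if __name__ == "__main__":
    domain = domain_from_remote_host(SAMPLE_REMOTE_FQDN, SAMPLE_HOST)
    print("domain:", domain)
    print("salt:", machine_kerberos_salt(SAMPLE_HOST, domain))
    print("IP target gives:", domain_from_remote_host("10.0.0.5", SAMPLE_HOST))
```

The salt is a function of the realm and hostname only, so a salt built from the wrong domain (for example one derived from a short NetBIOS name instead of the FQDN) silently produces a key that fails to decrypt, which is why a None result is preferable to guessing.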
Leaving this issue open until the fix is merged in both fortra/theporgs/our impacket?
@Dfte This is a really nice patch; I think this should be made a PR in fortra's upstream.
I'll PR this in the afternoon yeah!
PR's done, we'll have to wait for it to be merged :)
https://github.com/fortra/impacket/pull/1628
Hello @Dfte can you do the same pr on https://github.com/Pennyw0rth/impacket/tree/gkdi ? :)
Closed as fixed in https://github.com/Pennyw0rth/impacket/pull/3
Reverted, the PR on impacket has not been tested once, I think:
- there is space and tab mix on the PR
- if you fix the space / tab problem, you have a stacktrace