PKINITtools icon indicating copy to clipboard operation
PKINITtools copied to clipboard

Published 20 hours ago verified publisher icon dirkjanm

Short octet stream on tag decoding

Open helloyw opened this issue 1 year ago • 2 comments
trafficstars

The pfx I obtained using adcs esc8

proxychains4 python3 getnthash.py -key 2797e04fc0a00ce9277ff8ebcf276fe0f660158bc970d560c988a2007180a216 redteam/DC$ -dc-ip 192.168.1.1 -debug
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20240130.154745.97007e84-py3.11.egg/impacket
[+] Using Kerberos Cache: dc.ccache
[+] SPN KRBTGT/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] No valid credentials found in cache. 
Traceback (most recent call last):
  File "/home/kali/Desktop/PKINITtools/getnthash.py", line 273, in <module>
    dumper.dump()
  File "/home/kali/Desktop/PKINITtools/getnthash.py", line 121, in dump
    decodedTGT = decoder.decode(tgt, asn1Spec = AS_REP())[0]
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pyasn1/codec/ber/decoder.py", line 1337, in __call__
    raise error.SubstrateUnderrunError(
pyasn1.error.SubstrateUnderrunError: Short octet stream on tag decoding
[-] Short octet stream on tag decoding

helloyw avatar May 14 '24 08:05 helloyw

i think this error occurs because it cannot find the credentials in the ccache file, and then it runs into a parsing error later on. Make sure you have the naming correct for the principal you are trying to target (escaping or quoting special characters etc)

dirkjanm avatar May 14 '24 15:05 dirkjanm

i think this error occurs because it cannot find the credentials in the ccache file, and then it runs into a parsing error later on. Make sure you have the naming correct for the principal you are trying to target (escaping or quoting special characters etc)

There is no problem with the subject. You can use the certipy auth - f 1. pfx method to obtain the hash

helloyw avatar May 15 '24 02:05 helloyw

As expected it failed to load the TGT from the supplied ccache file. in the latest version it will now exit the script if that happens rather than triggering a weird failure later on

dirkjanm avatar Jan 02 '25 11:01 dirkjanm