PKINITtools

KDC has no support for PADATA type (pre-authentication data)

Open sharp-shooter opened this issue 4 years ago • 4 comments
When I get a TGT from a certificate, I get the error shown below:

python3 gettgtpkinit.py -cert-pfx ../temp/PetitPotam/host1.pfx -dc-ip 10.0.0.0.1 domain/test$ test.ccache -v 1 ⨯
2021-07-30 04:59:22,388 minikerberos INFO Loading certificate and key from file
2021-07-30 04:59:22,507 minikerberos INFO Requesting TGT
Traceback (most recent call last):
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 349, in <module>
    main()
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
  File "/usr/local/lib/python3.9/dist-packages/minikerberos-0.2.14-py3.9.egg/minikerberos/network/clientsocket.py", line 87, in sendrecv
minikerberos.protocol.errors.KerberosError: Error Code: 16 Reason: KDC has no support for PADATA type (pre-authentication data)

sharp-shooter, Jul 30 '21 09:07

Does Rubeus give you the same error? This would indicate that the CA setup of the domain is not complete and the Kerberos service does not (yet) accept PKI-based preauthentication.

dirkjanm, Jul 30 '21 10:07

Yes, so how to resolve the issue? Does this attack work?

sharp-shooter, Jul 30 '21 15:07

Hi. Try this "https://support.citrix.com/article/CTX218941". I got the same error and managed to solve it by removing an old certificate issued by a CA that no longer exists, then issuing a new certificate using the new CA.

jsdhasfeds, Sep 16 '21 14:09

I share this in case someone has the same issue (KDC_ERR_PADATA_TYPE_NOSUPP) and is looking for solutions: https://github.com/AlmondOffSec/PassTheCert

jarilaos, Aug 03 '22 15:08