GoldenTicket receive KDC_ERR_TGT_REVOKED

Open Dramelac opened this issue 3 years ago • 0 comments

Configuration

impacket version: Impacket v0.10.1.dev1
Python version: 3.0.2
Target OS: Windows Server

Demo

smbclient.py -k -no-pass 'LAB/[email protected]' -debug
Impacket v0.10.1.dev1 - Copyright 2022 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket
[+] Using Kerberos Cache: /workspace/tickets/user.ccache
[+] SPN CIFS/[email protected] not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/[email protected]
[+] Using TGT from cache
[+] Trying to connect to KDC at LAB.LOCAL
[+] Server time (UTC): 2022-08-31 16:18:55
Traceback (most recent call last):
  File "/usr/local/bin/smbclient.py", line 100, in main
    smbClient.kerberosLogin(username, password, domain, lmhash, nthash, options.aesKey, options.dc_ip )
  File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 335, in kerberosLogin
    raise e
  File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 319, in kerberosLogin
    return self._SMBConnection.kerberosLogin(user, password, domain, lmhash, nthash, aesKey, kdcHost, TGT,
  File "/usr/local/lib/python3.9/dist-packages/impacket/smb3.py", line 682, in kerberosLogin
    tgs, cipher, oldSessionKey, sessionKey = getKerberosTGS(serverName, domain, kdcHost, tgt, cipher, sessionKey)
  File "/usr/local/lib/python3.9/dist-packages/impacket/krb5/kerberosv5.py", line 438, in getKerberosTGS
    r = sendReceive(message, domain, kdcHost)
  File "/usr/local/lib/python3.9/dist-packages/impacket/krb5/kerberosv5.py", line 91, in sendReceive
    raise krbError
impacket.krb5.kerberosv5.KerberosError: Kerberos SessionError: KDC_ERR_TGT_REVOKED(TGT has been revoked)
[-] Kerberos SessionError: KDC_ERR_TGT_REVOKED(TGT has been revoked)

After some investigation, on some Windows Server systems, golden tickets are no longer accepted without the presence of the new PAC: 'PAC_ATTRIBUTES_INFO' and/or 'PAC_REQUESTOR'.

This configuration (and therefore this problem) is expected to become common with the progressive deployment of the new KB.

Microsoft related KB: https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
Blog post: https://blog.netwrix.com/2022/01/10/pacrequestorenforcement-and-kerberos-authentication/

Dramelac avatar Sep 01 '22 16:09 Dramelac
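To confirm the diagnosis in the issue above on a given ticket, the following added example (not part of the issue and not impacket code) walks the PACTYPE header of an already-decrypted PAC and reports whether the PAC_ATTRIBUTES_INFO and PAC_REQUESTOR buffers are present. The buffer type numbers follow MS-PAC; the function names and the sample PAC bytes are constructed for illustration.

```python
import struct

# ulType values of PAC_INFO_BUFFER as defined in MS-PAC
PAC_TYPES = {
    0x01: "PAC_LOGON_INFO",
    0x06: "PAC_SERVER_CHECKSUM",
    0x07: "PAC_PRIVSVR_CHECKSUM",
    0x0A: "PAC_CLIENT_INFO",
    0x0C: "PAC_UPN_DNS_INFO",
    0x11: "PAC_ATTRIBUTES_INFO",
    0x12: "PAC_REQUESTOR",
}
# Buffers introduced with KB5008380, the ones named in the issue
NEW_BUFFERS = {0x11, 0x12}


def list_pac_buffers(pac: bytes):
    """Return [(ulType, size, offset)] read from a decrypted PACTYPE blob."""
    if len(pac) < 8:
        raise ValueError("shorter than the PACTYPE header")
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError(f"unexpected PAC version {version}")
    if 8 + 16 * count > len(pac):
        raise ValueError("buffer table runs past the end of the PAC")
    buffers = []
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        # MS-PAC requires 8-byte aligned offsets that stay inside the blob
        if offset % 8 or offset + size > len(pac):
            raise ValueError(f"buffer {i} has a bad offset or size")
        buffers.append((ul_type, size, offset))
    return buffers


def missing_new_buffers(pac: bytes):
    """Names of the KB5008380 buffers that this PAC does not carry."""
    present = {ul_type for ul_type, _, _ in list_pac_buffers(pac)}
    return sorted(PAC_TYPES[t] for t in NEW_BUFFERS - present)


def build_sample_pac(types):
    """Constructed sample: valid header, 8 zero bytes of payload per buffer."""
    header_len = 8 + 16 * len(types)
    out = struct.pack("<II", len(types), 0)
    for i, ul_type in enumerate(types):
        out += struct.pack("<IIQ", ul_type, 8, header_len + 8 * i)
    return out + b"\x00" * (8 * len(types))
```

A PAC for which `missing_new_buffers` returns a non-empty list has the older layout that the issue reports as being rejected.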