impacket
net.py can't create a new user when utilizing it through a session from ntlmrelayx
Configuration
impacket version: v0.12.0.dev1+20230817.32422.a769683f
Python version: 3.10
Target OS: Windows Server 2016
After this command the user is created with hash 31d6cfe0d16ae931b73c59d7e0c089c0 and the user is disabled
Please paste debug output as explained in issue template.
@NtAlexio2
Unfortunately I couldn't simulate your situation, but the bug is about session_key in (line 2973 in samr.py). By default this key is set while authenticating. I'm not sure how you got the session from ntlmrelayx. Could you explain more about your session? I just tested with -k in combination with getTGT.py and it worked without any problem:
┌──(kali㉿kali)-[~/Downloads/impacket-master]
└─$ proxychains python examples/net.py -dc-ip 192.168.8.1 -k -no-pass contoso.local/[email protected] user -create newAdmin -newPasswd Passw0rd
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[proxychains] Strict chain ... 192.168.8.12:1080 ... contoso.local:445 ... OK
[proxychains] Strict chain ... 192.168.8.12:1080 ... 192.168.8.1:88 ... OK
[*] Creating user account 'newAdmin'
[+] user account created succesfully: newAdmin:Passw0rd
@NtAlexio2 I start ntlmrelayx
Then I coerce authentication from domain admin to attacker host
Then I run net.py through proxychains
Hey,
I was able to replay the issue in my environment. Haven't made much progress yet finding a solution but writing down what I've been checking
Test 1
Trying user account creation with net.py both "using Kerberos authentication" and "directly passing credentials as a command parameter". Both worked fine, user is created ok and no exceptions are shown
Test 2
Triggered ntlmrelayx with -socks. Coerced connection to relay from a workstation
Launch net.py with proxychains to create a user. Boom!
Error is in session_key, as stated by @NtAlexio2 in a previous comment. When creating a user, that property is used (and needs to not be empty as it's being manipulated - split - in the process)
When launching net.py with a relayed connection, session_key is empty.
When launching net.py with other auth methods, it is not empty. This is why Test 1 is working fine.
Checked other examples and they are performing the same as net.py. session_key is empty when relayed and not empty when not relayed. But they are not doing anything with it, that's why those examples do not fail.
Still have not found why it's not the same or if that property is being manipulated in any of those scenarios and causing this misbehavior