Password spray attempt increase badPwd counter by 2

[nxferns]

Hi,

When using this tool I noticed that the badPwdCount counter increases by 2 on each password spray attempt against a user. Could you please confirm if this is a bug?

I've attached a screenshot which compares the results to cme.

[bmilliron67]

I can confirm this. I have a very unhappy client who got a lot of locked out accounts because of this. I did a packet capture that shows 2 AS-REQs for 1 test account per run of the tool. I made 2 captures 1 for a good password and 1 for a bad password. Both show 2 AS-REQs. Again there is only one account being tested here.

[Alcqua]

The issue is within the function ASExchange from library gokrb5. The function SendToKDC is called twice, because first, it tries to authenticate with AES128 then with AES256 encryption algorithm.

If you want a quick and dirty workaround, comment out the lines starting from 43 to 53.