Exception: Unpacked data doesn't match constant value

[Reelix]

Configuration

impacket version: v0.10.1.dev1+20220606.123812.ac35841f
Python version: 3.8.9
Target OS: Windows 10 21H2

Debug Output With Command String

python GetNPUsers.py -debug redacted.net/ -dc-ip x.x.x.x. -request
Impacket v0.10.1.dev1+20220606.123812.ac35841f - Copyright 2022 SecureAuth Corporation

[+] Impacket Library Installation Path: C:\Users\Reelix\AppData\Local\Programs\Python\Python38\lib\site-packages\impacket
[+] Connecting to x.x.x.x, port 389, SSL False
[+] Exception:
Traceback (most recent call last):
  File "GetNPUsers.py", line 429, in <module>
    executer.run()
  File "GetNPUsers.py", line 228, in run
    ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
  File "C:\Users\Reelix\AppData\Local\Programs\Python\Python38\lib\site-packages\impacket\ldap\ldap.py", line 304, in login
    type3, exportedSessionKey = getNTLMSSPType3(negotiate, bytes(type2), user, password, domain, lmhash, nthash)
  File "C:\Users\Reelix\AppData\Local\Programs\Python\Python38\lib\site-packages\impacket\ntlm.py", line 621, in getNTLMSSPType3
    ntlmChallenge = NTLMAuthChallenge(type2)
  File "C:\Users\Reelix\AppData\Local\Programs\Python\Python38\lib\site-packages\impacket\structure.py", line 87, in __init__
    self.fromString(data)
  File "C:\Users\Reelix\AppData\Local\Programs\Python\Python38\lib\site-packages\impacket\ntlm.py", line 379, in fromString
    Structure.fromString(self,data)
  File "C:\Users\Reelix\AppData\Local\Programs\Python\Python38\lib\site-packages\impacket\structure.py", line 152, in fromString
    self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
  File "C:\Users\Reelix\AppData\Local\Programs\Python\Python38\lib\site-packages\impacket\structure.py", line 315, in unpack
    raise Exception("Unpacked data doesn't match constant value '%r' should be '%r'" % (data, answer))
Exception: ("Unpacked data doesn't match constant value 'b''' should be ''NTLMSSP\\x00''", 'When unpacking field \' | "NTLMSSP\x00 | b\'\'[:8]\'')
[-] ("Unpacked data doesn't match constant value 'b''' should be ''NTLMSSP\\x00''", 'When unpacking field \' | "NTLMSSP\x00 | b\'\'[:8]\'')

Additional context

Note: Domain and IP have been redacted.

Some versioning information from nmap (With some info redacted)

nmap x.x.x.x -p389 -sC -sV
Starting Nmap 7.92 ( https://nmap.org ) at {Redacted}
Nmap scan report for x.x.x.x
Host is up (0.24s latency).

PORT    STATE SERVICE VERSION
389/tcp open  ldap
| fingerprint-strings:
|   LDAPBindReq:
|     %Currently, only LDAP V3 is supported.
|   LDAPSearchReq:
|     cn=DSE Root0
|     vmwMaximumDomainFunctionalLevel1
|     objectClass1
|     vmwDseRoot0
|     Root0
|     supportedLDAPVersion1
|     supportedControl1~
|     1.3.6.1.4.1.4203.1.9.1.1
|     1.3.6.1.4.1.4203.1.9.1.2
|     1.3.6.1.4.1.4203.1.9.1.3
|     1.2.840.113556.1.4.417
|     1.2.840.113556.1.4.3190
|     vmwServerVersion1
|     1.00'
|     supportedSASLMechanisms1
|     GSSAPI SRP0
|     uSNCreated1
|     1060
|     entryDN1
|     cn=DSE Root0&
|     createTimeStamp1
|     20180108124957.0Z04
|     objectGUID1&
|     $bf53ea76-d597-4d4a-9d1e-66f1389730010
|     msDS-SiteName1
|     Redacted
|     deletedObjectsContainer1(
|     &cn=Deleted Objects,dc=Redacted,dc=Redacted
|     vmwDCAccountUPN1
|     Redacted.Redacted.net@Redacted.LOCAL0P
|     vmwDCAccountDN1>
|     <cn=Redacted.Redacted.net,ou=Domain Controllers,dc=Redacted,dc=local0E
|     vmwAdministratorDN1/
|     -cn=Administrator,cn=Users,dc=Redacted,dc=local0b
|     serverName1T
|_    Rcn=Redacted.pci.net,cn=Servers,cn=Redacted,cn=Sites,cn=Configuration,dc=Redacted,dc=

[skidrow88]

I've got the same error with a Windows 2016 version

[0xdeaddood]

Hi @Reelix and @skidrow88!

This error means that the target domain has NTLM authentication disabled. You have to use Kerberos authentication instead.

Currently, there is an issue in some example scripts when you need to use the -k option and NTLM auth is disabled. So, as a workaround, you can use this trick or test this PR.

Closing. Reopen if you need further help.

[skidrow88]

For my case, there is nothing to do with the authentication protocol since the NTDS has been parsed in local:

secretsdump.py -system SYSTEM -security SECURITY -ntds NTDS.dit LOCAL

and the error was similar:

File "/usr/src/app/ntdsxtract/extract_engine/ntds_common.py", line 141, in getBootKey
  winreg = winregistry.Registry(self.__systemHive, False)
File "/usr/local/lib/python3.7/site-packages/impacket/winregistry.py", line 170, in __init__
  self.__regf = REG_REGF(data)
File "/usr/local/lib/python3.7/site-packages/impacket/structure.py", line 87, in __init__
  self.fromString(data)
File "/usr/local/lib/python3.7/site-packages/impacket/structure.py", line 152, in fromString
  self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
File "/usr/local/lib/python3.7/site-packages/impacket/structure.py", line 315, in unpack
  raise Exception("Unpacked data doesn't match constant value '%r' should be '%r'" % (data, answer))

[skidrow88]

I open an issue about this : #1345