GetUserSpns.py fails when using -k option and NTLM auth is disabled #1206

Closed
VbScrub opened this issue Nov 4, 2021 · 12 comments · Fixed by #1363
Labels
bug Unexpected problem or unintended behavior

Comments

@VbScrub

VbScrub commented Nov 4, 2021

Configuration

impacket version: 0.9.24
Python version: 2.7.18
Target OS: Windows 10

```
getuserspns.py -debug -k test.local/testuser:testpwd
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[+] Impacket Library Installation Path: c:\python27\lib\site-packages\impacket
Traceback (most recent call last):
  File "C:\Python27\Scripts\GetUserSPNs.py", line 510, in <module>
    executer.run()
  File "C:\Python27\Scripts\GetUserSPNs.py", line 260, in run
    target = self.getMachineName()
  File "C:\Python27\Scripts\GetUserSPNs.py", line 116, in getMachineName
    raise 'Error while anonymous logging into %s'
TypeError: exceptions must be old-style classes or derived from BaseException, not str
[-] exceptions must be old-style classes or derived from BaseException, not str
```

Additional context

The target domain has NTLM auth disabled, so I used the -k option, but it fails with the above error.

@VbScrub
Author

VbScrub commented Nov 4, 2021

A quick hacky workaround for anyone else encountering this:

  1. Use the -dc-ip option but specify the fully qualified domain name of a DC rather than the IP.
  2. Change line 260 in GetUserSPNs.py to say this:
     target = self.__kdcHost
     instead of this:
     target = self.getMachineName()

Example usage:

```
getuserspns.py mydomain.local/testuser:testpassword -k -dc-ip dc1.mydomain.local
```

This does mean that you'll always need to specify a DC (and use the FQDN instead of the IP) if you use the -k option.

Here's the rest of the code around that area in case line numbers change in future:

```python
def run(self):
    if self.__usersFile:
        self.request_users_file_TGSs()
        return

    if self.__doKerberos:
        # old line 260 code that we're no longer running:
        # target = self.getMachineName()
        target = self.__kdcHost
    else:
        if self.__kdcHost is not None and self.__targetDomain == self.__domain:
            target = self.__kdcHost
        else:
            target = self.__targetDomain
```

Also, if you're on Windows and not sure where the file is, it's here for me: C:\Python27\Scripts\GetUserSPNs.py

@VbScrub VbScrub changed the title GetUserSpns.py fails when using -k option GetUserSpns.py fails when using -k option and NTLM auth is disabled Nov 4, 2021
@0xdeaddood 0xdeaddood added the in review This issue or pull request is being analyzed label Nov 19, 2021
@0xdeaddood
Collaborator

Hi @VbScrub!

Thanks for the report. I was able to reproduce this issue. I'm working on a solution that includes adding the parameter -dc-host (used in several examples of the library and detailed in this PR)

@0xdeaddood 0xdeaddood added bug Unexpected problem or unintended behavior and removed in review This issue or pull request is being analyzed labels Dec 10, 2021
@VbScrub
Author

VbScrub commented Dec 10, 2021

Thanks for looking into it 👍

The -dc-ip parameter works perfectly fine when you use it to specify a hostname instead of an IP, so I'm not sure I'd agree with requiring a separate -dc-host parameter. But I guess you need some way of knowing the user specified a hostname that you can use for Kerberos and not an IP.
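The two points raised in this thread (the `raise 'string'` that turns into a TypeError, and the need to know whether the DC was given as a host name or an IP literal before building a Kerberos SPN) can be shown in a small target-selection routine. The following is an added illustration, not impacket's code and not the content of PR #1363: `resolve_target`, `KerberosTargetError`, the `dc_host` parameter and the `machine_name_lookup` callback (a stand-in for the anonymous machine-name query that failed above) are names chosen here. The NTLM branch mirrors the original `run()` logic quoted in the workaround; the Kerberos branch refuses IP literals because the service ticket is requested for a host-based SPN.

```python
import ipaddress


class KerberosTargetError(Exception):
    """Raised when no usable DC host name is available for Kerberos.

    A real exception class: `raise 'some string'` is a TypeError on
    Python 2.6+ and on Python 3, which is the secondary error in the
    traceback reported in this issue.
    """


def is_ip_literal(host):
    """True for IPv4/IPv6 literals such as 10.0.0.5 or fe80::1."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def resolve_target(do_kerberos, domain, target_domain, kdc_host=None,
                   dc_host=None, machine_name_lookup=None):
    """Pick the host to connect to.

    NTLM path: the original behaviour (kdc_host only when it belongs to the
    same domain, otherwise the target domain name itself).
    Kerberos path: the ticket is for a host-based SPN such as
    ldap/dc1.test.local, so an IP literal cannot be used. Prefer an explicit
    dc_host (hypothetical stand-in for -dc-host), then a kdc_host that is
    already a name, then an optional lookup callback that returns None on
    failure instead of raising.
    """
    if not do_kerberos:
        if kdc_host is not None and target_domain == domain:
            return kdc_host
        return target_domain

    if dc_host:
        if is_ip_literal(dc_host):
            raise KerberosTargetError(
                "dc_host %r is an IP literal; Kerberos needs the DC host name" % dc_host)
        return dc_host

    if kdc_host and not is_ip_literal(kdc_host):
        return kdc_host

    if machine_name_lookup is not None:
        name = machine_name_lookup(kdc_host or target_domain)
        if name:
            return name

    raise KerberosTargetError(
        "Kerberos authentication against %s needs a DC host name "
        "(pass the FQDN, not an IP)" % target_domain)


if __name__ == "__main__":
    # Constructed inputs: the two cases discussed in the issue.
    print(resolve_target(True, "test.local", "test.local", kdc_host="dc1.test.local"))
    try:
        resolve_target(True, "test.local", "test.local", kdc_host="10.0.0.5")
    except KerberosTargetError as exc:
        print("refused:", exc)
```

The callback argument keeps the fallback that existed before (derive the name from the DC) while making its failure a proper exception, and the `dc_host` parameter is the explicit answer to "how do we know the user gave a name" without overloading `-dc-ip`.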

@pich4ya

pich4ya commented Jun 18, 2022

Who else is here for HTB Scrambled?

@VbScrub
Author

VbScrub commented Jun 18, 2022

> Who else is here for HTB Scrambled?

😄 I really hoped it would have been fixed in the 8 months since I made the machine

@devx00

devx00 commented Jun 18, 2022

> Who else is here for HTB Scrambled?
>
> 😄 I really hoped it would have been fixed in the 8 months since I made the machine

It works for me if I request the ticket first with getTGT.py instead. Then you can also use that ticket with other impacket scripts.

@VbScrub Don't you think it's time to update?

> Python version: 2.7.18

Nice box btw, giving me a good run for my money.

@0xdeaddood
Collaborator

Hi everybody!

I created this PR #1363 that should address the issue. Please let me know if it works.

@vs45sharma

I can't get user SPNs; does anyone know what's wrong?
[screenshot attached: image]

@kashmir54

Hello @vs45sharma, I had the same issue you are showing here. I solved it by updating to the GetUserSPNs.py generated in this PR and using the -dc-host option instead of the -dc-ip option that you are currently using.

@0xdeaddood the PR is working like a charm. Thanks for the effort!

@vs45sharma

> Hello @vs45sharma, I had the same issue you are showing here. I solved it by updating to the GetUserSPNs.py generated in this PR and using the -dc-host option instead of the -dc-ip option that you are currently using.
>
> @0xdeaddood the PR is working like a charm. Thanks for the effort!

[screenshot attached: Capture]

It's not working?

@javivifa

javivifa commented Oct 1, 2022

Hi @vs45sharma

What I did is get the TGT first:

```
python3 getTGT.py scrm.local/ksimpson:ksimpson -dc-ip scrambled.htb
```

Then:

```
python3 GetUserSPNs.py scrm.local/ksimpson -k -no-pass -dc-host dc1.scrm.local -request
```

And it works perfectly for me.
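The ticket-first flow in the last two comments only works if the second script can find the cache that getTGT.py wrote: impacket's `-k -no-pass` reads the credential cache named by the `KRB5CCNAME` environment variable (getTGT.py saves it as `<user>.ccache` in the working directory, so `export KRB5CCNAME=ksimpson.ccache` is the usual missing step), and the cache's default principal has to belong to the realm and user you pass on the command line. The following pre-flight check is an added example, not impacket's code: `ticket_problems`, `ccache_default_principal` and `build_sample_ccache` are names chosen here, the cache it inspects is constructed inline with only a default principal and no credentials, and it assumes the big-endian MIT credential-cache layout (version 3 without a header block, version 4 with one).

```python
import os
import struct
import tempfile


def _counted_octets(buf, off):
    """Read a counted_octet_string: uint32 length (big-endian) then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def ccache_default_principal(data):
    """Return (realm, name) of the default principal of an MIT ccache (v3 or v4)."""
    if len(data) < 2 or data[0] != 0x05 or data[1] not in (3, 4):
        raise ValueError("not a version 3/4 MIT credential cache")
    off = 2
    if data[1] == 4:                                   # v4 carries a tagged header block
        (hlen,) = struct.unpack_from(">H", data, off)
        off += 2 + hlen
    _name_type, ncomp = struct.unpack_from(">II", data, off)
    off += 8
    realm, off = _counted_octets(data, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted_octets(data, off)
        comps.append(comp.decode("utf-8"))
    return realm.decode("utf-8"), "/".join(comps)


def ticket_problems(domain, user, env):
    """List the reasons a getTGT.py ticket would not be picked up by a -k -no-pass run."""
    path = env.get("KRB5CCNAME")
    if not path:
        return ["KRB5CCNAME is not set; export it to the file getTGT.py saved"]
    if path.startswith("FILE:"):                       # MIT-style prefix is accepted
        path = path[5:]
    if not os.path.isfile(path):
        return ["%s does not exist" % path]
    with open(path, "rb") as fh:
        realm, name = ccache_default_principal(fh.read())
    problems = []
    if realm.upper() != domain.upper():
        problems.append("ticket realm %s does not match domain %s" % (realm, domain))
    if name.lower() != user.lower():
        problems.append("ticket principal %s does not match user %s" % (name, user))
    return problems


def build_sample_ccache(realm, user):
    """Constructed v4 cache holding only a default principal (no credentials)."""
    header = struct.pack(">HH", 1, 8) + b"\x00" * 8    # tag 1: KDC time offset, 8 bytes
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    out += struct.pack(">II", 1, 1)                    # NT-PRINCIPAL, one name component
    out += struct.pack(">I", len(realm)) + realm.encode("utf-8")
    out += struct.pack(">I", len(user)) + user.encode("utf-8")
    return out


def demo():
    """Write the constructed cache to a temp file and run the checks three ways."""
    with tempfile.NamedTemporaryFile(suffix=".ccache", delete=False) as fh:
        fh.write(build_sample_ccache("SCRM.LOCAL", "ksimpson"))
        path = fh.name
    try:
        return {
            "unset": ticket_problems("scrm.local", "ksimpson", {}),
            "ok": ticket_problems("scrm.local", "ksimpson", {"KRB5CCNAME": path}),
            "wrong_user": ticket_problems("scrm.local", "otheruser",
                                          {"KRB5CCNAME": "FILE:" + path}),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "ticket looks usable")
```

Run it against a real cache with `ticket_problems("scrm.local", "ksimpson", os.environ)` before the GetUserSPNs.py step; an empty list means the environment, realm and principal line up, and anything else is the thing to fix before suspecting the script.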

@vs45sharma

I got the TGT, but in the second step it gives me an error every time.


7 participants