add no-pac exploit attack (s4u2self only) and add service modification feature to examples/getST.py #1260
Conversation
for ticket sname field modification
add s4u2self and alt-service parameter
add s4u2self and alt-service parameter
for ticket sname field modification
for ticket sname field modification
add s4u2self and alt-service parameter
add s4u2self and alt-service parameter
add s4u2self and alt-service parameter
add s4u2self and alt-service parameter
|
I did some further testing with this PR and the way the s4u2proxy is ignored is incorrect and raises a ciphertext integrity failure when saving the ticket. This is because the session keys passed are not correct. The error is raised when doing impersonation ( |
how? it works on my lab environment |
the saveTicket method doesn't care the new session key returned by doS4U method, it will decrypt the tgs anyway |
|
Here's a screenshot on my end |
|
I see, you're not using TGT ticket |
fixed |
|
when using TGT ticket ccache, the oldSessionKey and sessionKey variable will be the same |
|
how can I get in touch with you? @ShutdownRepo |
I'm not on Discord 24/7, please be patient. Answered you now |
|
With its updates I feel like this PR is now completely redundant to #1202 with code just copy-pasted from it |
|
even though I change the lib file, it does no harm, so I reopen this PR and take my stand, we should be able to convert ccache to kirbi and import ticket directly without any other modifications to the ticket generated by getST.py in my opinion, if ticket generated by rubeus or mimikatz can be used by impacket with only a format transformation, then impacket should be able to do the same thing. |
|
You are presenting two different things here. The first one is a feature that allows getST to do S4U2self and work with an The second one, which is interesting however, is a fix of Impacket's lib generating issues either when converting a ticket or when substituting an |
|
If I understand correctly, you're suggesting me close this PR and open a new PR about fromTGS and from_asn1 method modification, right? |
Yes and no. In my opinion, this PR should be closed, and another one should be opened to fix the conversion issue (#1264). |
|
I don't think the issue you've reised is related to this PR |
It's not, it's been uncovered in this PR |
|
Issue #1264 is now fixed in PR #1265. A bug was found in In conclusion
|
since there is no need to change the enc-part of TGS ticket, the from_asn1 method should not be call with altservice parameter
|
during the discussion with @ShutdownRepo, I've noticed that there is no need to change the enc-part in the ccache, what I need is just to change the ticket.sname, with this update, now we only need a little modifications to the lib file ccache.py |
|
unfortunately, even the ticket with only ticket.sname changed works fine in ptt, it won't work with impacket example script such as smbclient. |
|
after a whole night work with @ShutdownRepo, we've merged our ideas to #1202 , so I'll close this PR |
I'm playing with no-pac exploitation recently, the last step is doing a s4u2self request, and we don't need to do s4u2proxy request.
But I found that impacket's getST.py has no support for this, and it doesn't support service modification of the returned TGS ticket.
Even there is a feature called AnySPN in impacket, but it won't work in this special situation
here is the result of smbclient.py before my modification to getST.py
after I made some changes to getST.py, I'm able to get a service ticket with the SPN I specified in the command line
getST.py my.domain/WIN-ER6H1V81DV9 -no-pass -k -dc-ip 192.168.25.177 -impersonate Administrator -alt-service CIFS/WIN-ER6H1V81DV9.my.domain -s4u2self -spn WIN-ER6H1V81DV9 -debugsmbclient.py works just fine