At the top of the below screenshot you can see a successful request for a certificate for the Kerberos account KRBTGT. However, when attempting to authenticate using that certificate in order to get the NT hash of the account, the error "UnboundLocalError: local variable 'tgt' referenced before assignment" occurs.
At the bottom of the screenshot you see the same but for the account Administrator which works.
It would be nice to be able to target the Kerberos account since that is typically less monitored and its password is typically rarely changed.
Thanks!
First of all, great explanation. I could identify the bug immediately.
I tried requesting a TGT for the KRBTGT account, and Windows won't allow that. Kerberos actually throws an error, but in my error handling, I accidentally forgot to return upon other errors than CLIENT_MISMATCH. So because the TGT request fails for the KRBTGT, the "tgt" variable never gets set, but it doesn't exit either. It should print the error and exit. I'll fix it.
Also, a password change won't affect your certificate. Your certificate will still work for authentication, even if the password is changed. Only when the certificate is revoked or expired will it no longer work. I would simply target a domain administrator, and if you want the KRBTGT account, you could extract the hash from here.
I tested requesting a certificate for the Kerberos account using the original Windows binary executed on a domain-joined Windows 10 machine in the same environment as before and using the same account as before and then it works.
However, I do not want to be forced to use a domain-joined machine that also likely is running AV so I very much prefer your tool.
Yes, it's possible to request the certificate. But when requesting a TGT using the certificate, you'll get an error. It's also possible to request certificates for disabled and non-existing accounts, but it's not possible to get a TGT for these accounts either.
Your issue is fixed in #ce7ee7cdcbaf12f86d28179bd8a61808498f06cd
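
The fall-through described in the maintainer's reply above, sketched as an added example that is not part of the original thread and is not the tool's own code. The `KerberosError` class, the `fake_as_req` stub and the `PLACEHOLDER_KDC_ERROR` code are constructed for illustration; only `CLIENT_MISMATCH` and the variable name `tgt` come from the thread.

```python
class KerberosError(Exception):
    """Constructed stand-in for a KDC error reply; not the tool's real class."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code


def fake_as_req(account):
    """Constructed KDC stub. Codes other than CLIENT_MISMATCH are placeholders."""
    if account == "wrong-name":
        raise KerberosError("CLIENT_MISMATCH")
    if account == "krbtgt":
        raise KerberosError("PLACEHOLDER_KDC_ERROR")
    return "TGT(" + account + ")"


def get_tgt_buggy(account):
    """Handles one error code and forgets to return on every other one."""
    try:
        tgt = fake_as_req(account)
    except KerberosError as err:
        if err.code == "CLIENT_MISMATCH":
            return None, "name mismatch"
        # Missing return: other errors fall through with 'tgt' unassigned.
    return tgt, "ok"  # raises UnboundLocalError on the fall-through path


def get_tgt_fixed(account):
    """Reports every KDC error and returns before 'tgt' is used."""
    try:
        tgt = fake_as_req(account)
    except KerberosError as err:
        if err.code == "CLIENT_MISMATCH":
            return None, "name mismatch"
        return None, "KDC error: " + err.code
    return tgt, "ok"


def demo():
    """Returns the outcome of both variants for the failing account."""
    try:
        buggy = get_tgt_buggy("krbtgt")
    except UnboundLocalError as exc:
        buggy = type(exc).__name__
    return buggy, get_tgt_fixed("krbtgt")


if __name__ == "__main__":
    print(demo())
```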