
"UnboundLocalError: local variable 'tgt' referenced before assignment" error when requesting a TGT for the Kerberos account KRBTGT #3

Closed
jsdhasfeds opened this issue Oct 12, 2021 · 4 comments
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@jsdhasfeds commented Oct 12, 2021

Hi,

At the top of the screenshot below, you can see a successful request for a certificate for the Kerberos account KRBTGT. However, when attempting to authenticate using that certificate in order to get the NT hash of the account, the error "UnboundLocalError: local variable 'tgt' referenced before assignment" occurs.

At the bottom of the screenshot you see the same for the Administrator account, which works.

It would be nice to be able to target the Kerberos account since that is typically less monitored and its password is typically rarely changed.

Thanks!

[screenshot]

@ly4k (Owner) commented Oct 13, 2021

First of all, great explanation. I could identify the bug immediately.

I tried requesting a TGT for the KRBTGT account, and Windows won't allow that. Kerberos actually throws an error, but in my error handling, I accidentally forgot to return upon errors other than CLIENT_MISMATCH. So because the TGT request fails for the KRBTGT, the "tgt" variable never gets set, but it doesn't exit either. It should print the error and exit. I'll fix it.

Thank you!

@ly4k (Owner) commented Oct 13, 2021

Also, a password change won't affect your certificate. Your certificate will still work for authentication, even if the password is changed. Only when the certificate is revoked or expired will it no longer work. I would simply target a domain administrator, and if you want the KRBTGT account, you could extract the hash from here.

@jsdhasfeds (Author) commented Oct 14, 2021

No problem. I have many plans for your tool! :)

I tested requesting a certificate for the Kerberos account using the original Windows binary, executed on a domain-joined Windows 10 machine in the same environment as before and using the same account as before, and it works.

However, I do not want to be forced to use a domain-joined machine that also likely is running AV so I very much prefer your tool.

[screenshot]

@ly4k (Owner) commented Oct 14, 2021

Yes, it's possible to request the certificate. But when requesting a TGT using the certificate, you'll get an error. It's also possible to request certificates for disabled and non-existing accounts, but it's not possible to get a TGT for these accounts either.

Your issue is fixed in #ce7ee7cdcbaf12f86d28179bd8a61808498f06cd
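The control-flow bug described in the Oct 13 comment (a KDC error other than CLIENT_MISMATCH leaves `tgt` unassigned, so the function crashes with UnboundLocalError instead of reporting the error) and the later point that certificates can be issued for disabled and non-existent accounts even though no TGT can be obtained for them, shown as an added Python example. This is not Certipy's code. The KDC is a constructed stub with a constructed account list; the error codes are the standard Kerberos values from RFC 4120 and RFC 4556, but the thread does not say which error Windows returns for KRBTGT, so the stub's use of KDC_ERR_POLICY for that case is an assumption.

```python
"""Added example (not Certipy's own code): why a swallowed KDC error surfaces
as UnboundLocalError, and the control flow that fixes it.

The stub KDC below is constructed for this example. It mimics the behaviour
described in the thread: a certificate can be issued for any account name,
but PKINIT only yields a TGT for an enabled, existing, non-krbtgt account.
"""
from dataclasses import dataclass

# Standard Kerberos error codes (RFC 4120 section 7.5.9, RFC 4556 section 3.1.3).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6    # account does not exist
KDC_ERR_POLICY = 12                # rejected by KDC policy (ASSUMED for krbtgt here)
KDC_ERR_CLIENT_REVOKED = 18        # account disabled / locked
KDC_ERR_CLIENT_NAME_MISMATCH = 75  # PKINIT: cert identity != requested principal


class KerberosError(Exception):
    def __init__(self, code, message):
        super().__init__(f"KDC error {code}: {message}")
        self.code = code


@dataclass
class Certificate:
    """Minimal stand-in for a client-auth certificate; only its UPN matters here."""
    upn: str


@dataclass
class Tgt:
    principal: str
    nt_hash: str


# Constructed directory backing the stub KDC (hashes are placeholders).
_ACCOUNTS = {
    "administrator": {"enabled": True,  "nt_hash": "11111111111111111111111111111111"},
    "krbtgt":        {"enabled": True,  "nt_hash": "22222222222222222222222222222222"},
    "olduser":       {"enabled": False, "nt_hash": "33333333333333333333333333333333"},
}


def stub_kdc_as_req(cert, requested_principal):
    """Stub PKINIT AS-REQ: raise the KDC error a real KDC would, else return a TGT."""
    name = requested_principal.lower()
    if name not in _ACCOUNTS:
        raise KerberosError(KDC_ERR_C_PRINCIPAL_UNKNOWN, "client not found in Kerberos database")
    if cert.upn.split("@")[0].lower() != name:
        raise KerberosError(KDC_ERR_CLIENT_NAME_MISMATCH, "certificate identity does not match principal")
    if not _ACCOUNTS[name]["enabled"]:
        raise KerberosError(KDC_ERR_CLIENT_REVOKED, "client credentials have been revoked")
    if name == "krbtgt":
        raise KerberosError(KDC_ERR_POLICY, "KDC policy rejects request")  # assumed code
    return Tgt(name, _ACCOUNTS[name]["nt_hash"])


def get_tgt_buggy(cert, principal):
    """The pattern described in the thread: only CLIENT_NAME_MISMATCH returns;
    every other KDC error is printed and execution falls through to `tgt`,
    which was never assigned because the assignment raised."""
    try:
        tgt = stub_kdc_as_req(cert, principal)
    except KerberosError as e:
        if e.code == KDC_ERR_CLIENT_NAME_MISMATCH:
            return None
        print(f"[-] {e}")   # logged, but no return
    return tgt              # UnboundLocalError whenever the request failed


def get_tgt_fixed(cert, principal):
    """Fixed control flow: `tgt` is only read on the success path. Every KDC
    error is reported and the function returns None, so callers never see
    UnboundLocalError and can distinguish 'no TGT' from a TGT."""
    try:
        return stub_kdc_as_req(cert, principal)
    except KerberosError as e:
        print(f"[-] {e}")
        return None


def outcome(fn, account, cert_upn=None):
    """Run one PKINIT attempt with the given handler and classify the result."""
    cert = Certificate(upn=cert_upn or f"{account}@corp.local")  # issuance never fails here
    try:
        tgt = fn(cert, account)
    except UnboundLocalError:
        return "crash: UnboundLocalError"
    return f"tgt for {tgt.principal}" if tgt else "no tgt"


if __name__ == "__main__":
    for account in ("administrator", "krbtgt", "olduser", "nobody"):
        print(f"{account:14} buggy={outcome(get_tgt_buggy, account):28} "
              f"fixed={outcome(get_tgt_fixed, account)}")
```

Only the Administrator case yields a TGT under either handler; for krbtgt, the disabled account and the non-existent account the buggy handler crashes with UnboundLocalError while the fixed one prints the KDC error and returns None.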

ly4k closed this as completed Oct 14, 2021
ly4k added the labels "bug" and "good first issue" Oct 14, 2021