Hello,
I'm trying to play with #4879 and Windows Server 2025 but it fails with an error:
```python
from scapy.libs.rfc3961 import Key, EncryptionType
from scapy.layers.msrpce.msnrpc import NetlogonClient, NETLOGON_SECURE_CHANNEL_METHOD, NETLOGON_SECURE_CHANNEL_TYPE
from scapy.layers.kerberos import KerberosSSP

DC_FQDN = "tatooine.essos.local"
SPN = "netlogon/" + DC_FQDN
UPN = "BRAAVOS$@ESSOS.LOCAL"
# Placeholder (not the real password), never used?
PASSWORD = bytes.fromhex("1337")
# Real authenticator
KEY = Key(EncryptionType.AES256_CTS_HMAC_SHA1_96, key=bytes.fromhex("724876475bb39bf52f8ced1f98e7d52a6573bad4c43b6fbb22774f245b5b5a8a"))

cli = NetlogonClient()
cli.connect("tatooine.essos.local")
ssp = KerberosSSP(UPN=UPN, SPN=SPN, PASSWORD=PASSWORD, KEY=KEY, DC_IP="192.168.56.8")
cli.establish_secure_channel(UPN="BRAAVOS$@ESSOS.LOCAL", KEY=KEY, DC_FQDN="tatooine.essos.local", mode=NETLOGON_SECURE_CHANNEL_METHOD.NetrServerAuthenticateKerberos, ssp=ssp)
```
I'm getting an authentication failure:
```
$ python test.py
┃ Connecting to tatooine.essos.local on port 135 via <DCERPC_Transport.NCACN_IP_TCP: 7>...
└ Connected from ('192.168.56.6', 34146)
>> DceRpc5Bind on <DCE/RPC Interface ept v3.0>
<< DceRpc5BindAck port '135' using NDR32
>> REQUEST: ept_map_Request
<< RESPONSE: ept_map_Response
X Connection closed
┃ Connecting to tatooine.essos.local on port 53409 via <DCERPC_Transport.NCACN_IP_TCP: 7>...
└ Connected from ('192.168.56.6', 39058)
>> DceRpc5Bind on <DCE/RPC Interface logon v1.0> (with KerberosSSP)
<< DceRpc5AlterContextResp port '' using NDR64
>> REQUEST: NetrServerAuthenticateKerberos_Request
<< FAULT
! ERROR_ACCESS_DENIED
###[ DCE/RPC v5 ]###
rpc_vers = 5 (connection-oriented)
rpc_vers_minor= 0
ptype = fault
pfc_flags = PFC_FIRST_FRAG+PFC_LAST_FRAG
endian = little
encoding = ASCII
float = IEEE
reserved1 = 0
reserved2 = 0
frag_len = 32
auth_len = 0
call_id = 1
vt_trailer= None
###[ DCE/RPC v5 - Fault ]###
alloc_hint= 32
cont_id = 1
cancel_count= 0
reserved =
status = 5
reserved2 = 0
Traceback (most recent call last):
  File "/home/xxx/tools/scapy/test.py", line 19, in <module>
    cli.establish_secure_channel(UPN="BRAAVOS$@ESSOS.LOCAL",KEY=KEY,DC_FQDN="tatooine.essos.local", mode=NETLOGON_SECURE_CHANNEL_METHOD.NetrServerAuthenticateKerberos, ssp=ssp)
  File "/home/xxx/tools/scapy/scapy/layers/msrpce/msnrpc.py", line 882, in establish_secure_channel
    raise ValueError("NetrServerAuthenticateKerberos failed !")
ValueError: NetrServerAuthenticateKerberos failed !
```
According to Wireshark, the error is raised after calling the NetrServerAuthenticateKerberos function (the Kerberos workflow seems OK).
However, the same code works with NetrServerAuthenticate3.
```
$ python test.py
┃ Connecting to tatooine.essos.local on port 135 via <DCERPC_Transport.NCACN_IP_TCP: 7>...
└ Connected from ('192.168.56.6', 43708)
>> DceRpc5Bind on <DCE/RPC Interface ept v3.0>
<< DceRpc5BindAck port '135' using NDR32
>> REQUEST: ept_map_Request
<< RESPONSE: ept_map_Response
X Connection closed
┃ Connecting to tatooine.essos.local on port 53409 via <DCERPC_Transport.NCACN_IP_TCP: 7>...
└ Connected from ('192.168.56.6', 39194)
>> DceRpc5Bind on <DCE/RPC Interface logon v1.0>
<< DceRpc5BindAck port '53409' using NDR64
>> REQUEST: NetrServerReqChallenge_Request
<< RESPONSE: NetrServerReqChallenge_Response
>> REQUEST: NetrServerAuthenticate3_Request
<< RESPONSE: NetrServerAuthenticate3_Response
>> DceRpc5AlterContext on <DCE/RPC Interface logon v1.0> (with NetlogonSSP)
<< DceRpc5AlterContextResp port '' using NDR64
```
Am I missing something?