Comments (16)
Hello @braimee and @the-useless-one
The error "KDC_ERR_PADATA_TYPE_NOSUPP" simply means that the KDC is not set up for Kerberos authentication. If this is your own domain and you want to do some more testing, you can log on to a domain controller, open the search, search for "Manage Computer Certificates" (or mmc.exe -> add snap-in "Certificates" -> "For this computer") and then request a new certificate by going to the "Personal" folder. It should appear if you expand the first folder in the listing (can't remember the name). Once you're there, right click on the right pane (probably empty) and request a new certificate. This should be any certificate that supports "Server Authentication", most likely "KerberosAuthentication" or "DomainController".
And thank you @the-useless-one for commenting on this. It's correct what you say. From my experience, it seems that you will need the same sort of certificate with Server Authentication for the DC in order to connect via LDAPS, right?
Best regards
Oliver
from certipy.
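Before concluding that the KDC is not configured for certificate authentication, it helps to look at which EKUs the domain controller's certificate actually carries. The following is an added example (not Certipy's code and not from any commenter in this thread) that decodes the DER value of the X.509 extendedKeyUsage extension and reports which DC-relevant EKUs are present. The two sample extension values are constructed by hand; the OIDs are the standard ones for Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2), KDC Authentication from RFC 4556 (1.3.6.1.5.2.3.5) and Smart Card Logon (1.3.6.1.4.1.311.20.2.2).

```python
# Added example: decode an extendedKeyUsage extension value (DER) and report
# which EKUs a domain controller certificate carries. Pure Python, no deps.

# EKU OIDs relevant to a DC certificate, in the order they are reported.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.5": "KDC Authentication (PKINIT)",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; handles short and long lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40]       # first octet packs the first two arcs
    acc = 0
    for b in value[1:]:                    # remaining arcs are base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Parse extendedKeyUsage (SEQUENCE OF OBJECT IDENTIFIER) into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extendedKeyUsage")
        oids.append(decode_oid(val))
    return oids


def check_dc_eku(der):
    """Map each DC-relevant EKU name to True/False depending on whether the cert carries it."""
    present = set(decode_eku(der))
    return {name: oid in present for oid, name in EKU_NAMES.items()}


def missing_dc_eku(der):
    """Names of DC-relevant EKUs the certificate does not carry (same order as EKU_NAMES)."""
    return [name for name, ok in check_dc_eku(der).items() if not ok]


# Constructed sample: an EKU value carrying only Server + Client Authentication,
# the set a plain TLS server certificate usually has.
SAMPLE_TLS_ONLY = bytes.fromhex(
    "30 14"
    "06 08 2B 06 01 05 05 07 03 01"          # 1.3.6.1.5.5.7.3.1 Server Authentication
    "06 08 2B 06 01 05 05 07 03 02"          # 1.3.6.1.5.5.7.3.2 Client Authentication
)

# Constructed sample: the EKU set a KerberosAuthentication-template certificate typically carries.
SAMPLE_KERBEROS = bytes.fromhex(
    "30 29"
    "06 08 2B 06 01 05 05 07 03 01"          # Server Authentication
    "06 08 2B 06 01 05 05 07 03 02"          # Client Authentication
    "06 07 2B 06 01 05 02 03 05"             # 1.3.6.1.5.2.3.5 KDC Authentication
    "06 0A 2B 06 01 04 01 82 37 14 02 02"    # 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
)

if __name__ == "__main__":
    for label, der in (("tls-only", SAMPLE_TLS_ONLY), ("kerberos", SAMPLE_KERBEROS)):
        print(label, check_dc_eku(der), "missing:", missing_dc_eku(der))
```

On a real certificate the extension value can be pulled with `openssl x509 -in dc.pem -noout -ext extendedKeyUsage` for a quick look, or obtained as raw DER from any X.509 library and passed to `decode_eku`; the parser only handles the extension value itself, not a whole certificate.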
HOLY SCHNIKES IT WORKED!!!!!
Oh my gosh thank you @the-useless-one and @ly4k so, so much for sharing your great expertise and tooling. I have been on this pentest for weeks, picking at all sorts of things that led to dead ends. I initially thought this whole KDC_ERR_PADATA_TYPE_NOSUPP was something to do with the cert configuration being protected with defensive measures (according to a colleague), so I went right past it early in the engagement. It was so fun to circle back to the issue, get outstanding support from the two of you, and finally find a path to DA!
Are you both ok with me giving you a shoutout in an upcoming podcast episode?
Sure, thanks!
Hi @braimee,
Yannick here, I'm the author of the last blog post you link to, and of PassTheCert (the corresponding tool). PassTheCert is not specifically about abuse with a Domain Controller cert, though it's the example given in the blog post. With a Domain Admin cert, I think you have the following valid attack paths:
- Use the elevate user attack, to grant DCsync rights to an account you control (and you can authenticate with without a cert). If you don't have any account you know the password of, you can add a computer account in the domain. This should work since Domain Admins can modify the domain object's ACL.
- Use the reset password attack, to reset the password of an account (since you're DA, it should be any account). I think nothing technically stops you from resetting the password of [email protected], so that you can authenticate with a password and not a cert.
Let me know how it goes, and don't hesitate to open an issue in PassTheCert if you encounter any trouble.
Cheers,
Y
Awesome thank you @the-useless-one, I'm going to hold my breath and get remoted back into this environment, get a fresh pfx and try this out. Will report back.
Thanks, @the-useless-one already sent me the blog post on how to abuse our blog post presenting PassTheCert:
Hi @ly4k, I'm actually not sure what EKUs must be present in the DC certificate to support Schannel authentication. If you figure it out, please share the knowledge 😉
Wow wow wow! Thanks both of you SO MUCH for your incredibly thorough and helpful replies!
@the-useless-one I'm so excited because I think passthecert.exe is just the tool I need for the job. I can open a thread in your repo instead, but just a quick syntax question for you. I have compromised one account that I control on the target domain (let's call it pwnedacct) and I have that account's SID of XXX. I used that account to grab the .pfx for domainadmin@victim. If I'm understanding right, the syntax I can use to give pwnedacct DCSync privs is:
PassTheCert.exe --server FQDN.OF.A.DOMAINCONTROLLER --cert-path domainadmin.pfx --elevate --target "DC=victim,DC=domain" --sid XXX
If that's right, the only part that makes me nervous is the changing of the msDS-nTSecurityDescriptor. This change only adds me the ability to DCSync, it doesn't take away any permissions or anything like that? I'm sure I'm (hopefully) being overly paranoid, but I've never used the tool before and definitely don't want to break things!
The syntax is correct! The ntSecurityDescriptor is modified to add the necessary ACLs to grant rights to pwnedacct, the other rights are preserved. The old value of ntSecurityDescriptor is also saved to disk, and you can use the --restore flag to restore the previous value once you've done your DCsync.
@the-useless-one From my testing it seems that any certificate with the Server Authentication EKU. I'm setting up a new environment to test this :)
Quick update - I tried passthecert but got an error. @the-useless-one I'll open an issue in your repo, and circle back to this thread once I know if the attack was successful.
@the-useless-one sorry, one more question... I can see when I look at the domain properties in the ADUC tool that my user has specifically been added there with DCSYNC privs. Will just deleting that permission out of the config be the same as restoring the ACL via passthecert?
Glad you figured it out @braimee and yes, you can! :)
@braimee, I just noticed I didn't answer your question. It might be too late, but here goes: in elevate mode, PassTheCert adds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object to the target SID. Removing these rights via PassTheCert or any other tool should yield the same results.
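The two comments above (the explanation that elevate mode adds DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object for one SID, and the question whether removing that permission in ADUC equals a restore) describe exactly what a defender should be auditing on the domain object's ACL. The following is an added example, not code from Certipy or PassTheCert, that models the ACEs of the domain object in a simplified form and flags every principal able to DCSync that is not on an allow-list, plus a baseline comparison of the kind the saved ntSecurityDescriptor copy allows. The replication-right GUIDs and the RIGHT_DS_CONTROL_ACCESS / GENERIC_ALL mask bits are the well-known Active Directory values; the domain SID, the "pwnedacct" SID and all ACEs are constructed sample data, and the Ace dataclass is an assumption of this example rather than a real library type.

```python
# Added example: audit the domain object's ACL for principals able to DCSync
# and diff the current ACL against a saved baseline. Sample data is constructed.
from dataclasses import dataclass
from typing import Optional

# Well-known extended-right GUIDs for the replication rights.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPL_RIGHTS = {
    DS_REPL_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPL_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPL_GET_CHANGES_FILTERED: "DS-Replication-Get-Changes-In-Filtered-Set",
}
DCSYNC_PAIR = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
RIGHT_DS_CONTROL_ACCESS = 0x00000100   # ADS_RIGHT_DS_CONTROL_ACCESS (extended rights)
GENERIC_ALL = 0x10000000               # ADS_RIGHT_GENERIC_ALL


@dataclass(frozen=True)
class Ace:
    """Simplified ACE model (assumed shape, not a real library type)."""
    trustee: str                        # SID of the principal the ACE applies to
    allow: bool                         # True = ACCESS_ALLOWED(_OBJECT), False = DENIED
    mask: int                           # access mask
    object_type: Optional[str] = None   # extended-right GUID for object ACEs, else None


def replication_rights(ace: Ace) -> set:
    """Replication rights a single allow ACE grants (deny ACEs grant nothing here)."""
    if not ace.allow:
        return set()
    if ace.mask & GENERIC_ALL:                          # full control covers every extended right
        return set(REPL_RIGHTS.values())
    if not ace.mask & RIGHT_DS_CONTROL_ACCESS:
        return set()
    if ace.object_type is None:                         # control access with no ObjectType = all extended rights
        return set(REPL_RIGHTS.values())
    name = REPL_RIGHTS.get(ace.object_type.lower())
    return {name} if name else set()


def dcsync_capable(aces) -> dict:
    """Map trustee SID -> replication rights, for trustees holding both Get-Changes rights."""
    rights = {}
    for ace in aces:
        granted = replication_rights(ace)
        if granted:
            rights.setdefault(ace.trustee, set()).update(granted)
    return {sid: r for sid, r in rights.items() if DCSYNC_PAIR <= r}


def unexpected_dcsync(aces, expected_sids) -> dict:
    """DCSync-capable trustees that are not on the allow-list: these need an explanation."""
    return {sid: r for sid, r in dcsync_capable(aces).items() if sid not in expected_sids}


def added_aces(baseline, current) -> list:
    """ACEs present now but absent from the saved baseline copy of the descriptor."""
    known = set(baseline)
    return [a for a in current if a not in known]


# Constructed sample data: a fake domain SID and an ACL resembling the domain object's defaults.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
EXPECTED_SIDS = {
    "S-1-5-32-544",          # Administrators
    "S-1-5-9",               # Enterprise Domain Controllers
    DOMAIN_SID + "-512",     # Domain Admins
    DOMAIN_SID + "-516",     # Domain Controllers
}
BASELINE = [
    Ace("S-1-5-32-544", True, RIGHT_DS_CONTROL_ACCESS, DS_REPL_GET_CHANGES),
    Ace("S-1-5-32-544", True, RIGHT_DS_CONTROL_ACCESS, DS_REPL_GET_CHANGES_ALL),
    Ace("S-1-5-9", True, RIGHT_DS_CONTROL_ACCESS, DS_REPL_GET_CHANGES),
    Ace("S-1-5-9", True, RIGHT_DS_CONTROL_ACCESS, DS_REPL_GET_CHANGES_ALL),
    Ace(DOMAIN_SID + "-512", True, GENERIC_ALL, None),
    Ace(DOMAIN_SID + "-516", True, RIGHT_DS_CONTROL_ACCESS, DS_REPL_GET_CHANGES_ALL),
    Ace("S-1-5-11", True, 0x00020094, None),   # Authenticated Users: read-type rights only
]
PWNED = DOMAIN_SID + "-1105"   # constructed SID standing in for the "pwnedacct" user above
# The ACL after an elevate-style change: the two replication rights for one extra SID.
CURRENT = BASELINE + [
    Ace(PWNED, True, RIGHT_DS_CONTROL_ACCESS, DS_REPL_GET_CHANGES),
    Ace(PWNED, True, RIGHT_DS_CONTROL_ACCESS, DS_REPL_GET_CHANGES_ALL),
]

if __name__ == "__main__":
    print("unexpected:", unexpected_dcsync(CURRENT, EXPECTED_SIDS))
    print("added since baseline:", added_aces(BASELINE, CURRENT))
```

In a real audit the ACEs come from the nTSecurityDescriptor attribute of the domain object (read over LDAP and parsed with a security-descriptor library such as impacket's ldaptypes, which is an assumption about tooling rather than something this thread shows); the comparison step is the programmatic form of the answer given above, since removing the two ACEs, whether by a restore flag or by hand in ADUC, leaves the audit with nothing to report.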
Wonderful thank you so much!
And just FYI @the-useless-one / @ly4k I gave you a shout-out in the latest episode of 7MS here: https://7ms.us/7ms-532-tales-of-pentest-pwnage-part-39/.
Have a great weekend and thank you again for being so generous with your time, tools and expertise.
Hi @ly4k @the-useless-one and @7MinSec ,
I'm currently in a pentest and ran into the same situation where I received the error message "KDC_ERR_PADATA_TYPE_NOSUPP". However, I received a certificate for a domain controller with the ESC8 vulnerability. Normally I would now use the secretsdump tool to carry out a DcSync attack, which is not possible due to the lack of PKINIT. Is there another way I can take over the domain with the DomainController Computer Account permissions? @the-useless-one I already checked the tool PassTheCert, but could not find a useful command to take over the domain with the DC computer account permissions, or is it a dead end?