fix for handling KERB_ERROR's #127

Merged
merged 1 commit into from
Feb 9, 2022

0xe7 (Contributor) commented Feb 9, 2022

My last PR included handling of e_data within KERB_ERRORs for retrieval of the account salt from PA Data returned when a TGT was requested without preauth. This broke some errors (for instance AP_ERR_MODIFIED) where e_data isn't a PA Data section, as shown below:

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'ldap/idc1.internal.zeroday.lab'
[*] Using domain controller: idc1.internal.zeroday.lab (192.168.71.20)

[!] Unhandled Rubeus exception:

System.NullReferenceException: Object reference not set to an instance of an object.
   at Rubeus.PA_DATA..ctor(AsnElt body)
   at Rubeus.KRB_ERROR..ctor(AsnElt body)
   at Rubeus.Ask.TGS(String userName, String domain, Ticket providedTicket, Byte[] clientKey, KERB_ETYPE paEType, String service, KERB_ETYPE requestEType, String outfile, Boolean ptt, String domainController, Boolean display, Boolean enterprise, Boolean roast, Boolean opsec, KRB_CRED tgs, String targetDomain, String servicekey, String asrepkey, Boolean u2u, String targetUser, Boolean printargs, String proxyUrl)
   at Rubeus.Ask.TGS(KRB_CRED kirbi, String service, KERB_ETYPE requestEType, String outfile, Boolean ptt, String domainController, Boolean display, Boolean enterprise, Boolean roast, Boolean opsec, KRB_CRED tgs, String targetDomain, String servicekey, String asrepkey, Boolean u2u, String targetUser, Boolean printargs, String proxyUrl)
   at Rubeus.Commands.Asktgs.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)

Fixed by putting a try/catch around decoding the e_data section and setting it to null if it fails:

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building TGS-REQ request for: 'ldap/idc1.internal.zeroday.lab'
[*] Using domain controller: idc1.internal.zeroday.lab (192.168.71.20)

[X] KRB-ERROR (41) : KRB_AP_ERR_MODIFIED

@HarmJ0y HarmJ0y merged commit 493b8c7 into master Feb 9, 2022
@0xe7 0xe7 deleted the kerb-error-fix branch February 10, 2022 09:00
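The failure mode discussed in this PR, as an added stand-alone example (not Rubeus code and not the merged change): a decoder that returns PA-DATA entries only when e-data really is an RFC 4120 METHOD-DATA (SEQUENCE OF PA-DATA) and returns null for anything else, so the caller can still report the error code. The names `EDataExample`, `ReadTlv` and `TryDecodeMethodData` are hypothetical, and both byte arrays are constructed samples.

```csharp
using System;
using System.Collections.Generic;

static class EDataExample {
    // Read one DER TLV at pos, require the given tag, return its content and advance pos.
    static byte[] ReadTlv(byte[] buf, ref int pos, byte tag) {
        if (pos + 2 > buf.Length || buf[pos] != tag) throw new FormatException("tag");
        int len = buf[pos + 1];
        pos += 2;
        if ((len & 0x80) != 0) {   // long form: low 7 bits = number of length octets
            int n = len & 0x7F;
            if (n == 0 || n > 3 || pos + n > buf.Length) throw new FormatException("length");
            for (len = 0; n > 0; n--) len = (len << 8) | buf[pos++];
        }
        if (len > buf.Length - pos) throw new FormatException("truncated");
        byte[] content = new byte[len];
        Array.Copy(buf, pos, content, 0, len);
        pos += len;
        return content;
    }

    // Returns (padata-type, padata-value) pairs, or null when e-data is not METHOD-DATA.
    public static List<KeyValuePair<int, byte[]>> TryDecodeMethodData(byte[] eData) {
        if (eData == null) return null;
        try {
            int pos = 0;
            byte[] seqOf = ReadTlv(eData, ref pos, 0x30);       // SEQUENCE OF PA-DATA
            if (pos != eData.Length) return null;               // trailing bytes: reject
            var result = new List<KeyValuePair<int, byte[]>>();
            for (int p = 0; p < seqOf.Length; ) {
                int q = 0, z1 = 0, z2 = 0;
                byte[] pa = ReadTlv(seqOf, ref p, 0x30);                     // PA-DATA
                byte[] t = ReadTlv(ReadTlv(pa, ref q, 0xA1), ref z1, 0x02);  // [1] INTEGER
                byte[] v = ReadTlv(ReadTlv(pa, ref q, 0xA2), ref z2, 0x04);  // [2] OCTET STRING
                if (t.Length == 0 || t.Length > 4) return null;
                int type = (sbyte)t[0];                          // DER INTEGER is signed
                for (int i = 1; i < t.Length; i++) type = (type << 8) | t[i];
                result.Add(new KeyValuePair<int, byte[]>(type, v));
            }
            return result;
        } catch (FormatException) { return null; }               // not METHOD-DATA
    }

    static void Main() {
        // Constructed samples: one PA-DATA (type 19, placeholder value), then bytes that are not METHOD-DATA.
        byte[] methodData = { 0x30,0x0D, 0x30,0x0B, 0xA1,0x03,0x02,0x01,0x13, 0xA2,0x04,0x04,0x02,0xAA,0xBB };
        byte[] other = { 0x30,0x04, 0xA1,0x02,0xAA,0xBB };
        foreach (byte[] e in new[] { methodData, other })
            Console.WriteLine(TryDecodeMethodData(e)?.Count.ToString() ?? "not METHOD-DATA");
    }
}
```

Catching only `FormatException` from an explicitly bounds-checked reader keeps unrelated bugs visible, whereas a blanket catch would hide them.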