
fixed RPC_C_AUTHN_NETLOGON auth error #1868

Open. Wants to merge 14 commits into base: master

Conversation

@Ridter Ridter commented Jan 8, 2025

In the process of implementing NetSync using Impacket, I discovered an issue in the authentication section of RPC_C_AUTHN_NETLOGON within Impacket. I made modifications to address the problem, and this submission contains the updated code.
Testing details can be found below: netsync.py.

Shown in the following image:

@ThePirateWhoSmellsOfSunflowers
Contributor

Hi,
Nice work. I also played recently with netlogon, have you seen my PR #1848?

🌻

@Ridter
Author

Ridter commented Jan 8, 2025

Hi, Nice work. I also played recently with netlogon, have you seen my PR #1848?

🌻

I just saw your PR, nice job!

@anadrianmanrique anadrianmanrique self-assigned this Jan 16, 2025
@anadrianmanrique anadrianmanrique added the in review This issue or pull request is being analyzed label Jan 16, 2025
@anadrianmanrique
Contributor

Hello @Ridter. I'm testing your changes with your netsync project. I wasn't able to execute it successfully in the context of this PR. I made a little modification in order to be able to perform AES authentication.

└─$ python3 netsync.py vb25.local/'DC25$'@dc25 -hashes :f498d5e9ade8b9027377574bc6d5f060 -a COMPUTEST$ -ns 192.0.2.69

  _   _      _   ____
 | \ | | ___| |_/ ___| _   _ _ __   ___
 |  \| |/ _ \ __\___ \| | | | '_ \ / __|
 | |\  |  __/ |_ ___) | |_| | | | | (__
 |_| \_|\___|\__|____/ \__, |_| |_|\___|
                       |___/

[*] HostName: dc25.vb25.local -> Resolved: 192.0.2.69
[*] Using domain controller: dc25.vb25.local for domain vb25.local
[-] can't concat str to bytes

This issue was addressed in the context of #1848. In the context of that PR the test executed successfully

└─$ python3 netsync.py vb25.local/'DC25$'@dc25 -hashes :f498d5e9ade8b9027377574bc6d5f060 -a COMPUTEST$ -ns 192.0.2.69

  _   _      _   ____
 | \ | | ___| |_/ ___| _   _ _ __   ___
 |  \| |/ _ \ __\___ \| | | | '_ \ / __|
 | |\  |  __/ |_ ___) | |_| | | | | (__
 |_| \_|\___|\__|____/ \__, |_| |_|\___|
                       |___/

[*] HostName: dc25.vb25.local -> Resolved: 192.0.2.69
[*] Using domain controller: dc25.vb25.local for domain vb25.local
[*] Capabilities: 1093586756
[*] Authenticated successfully! have these capabilities: SupportsRC4, DoesNotRequireValidationLevel2, SupportsRefusePasswordChange, SupportsNetrLogonSendToSam, SupportsGenericPassThroughAuthentication, SupportsConcurrentRpcCalls, SupportsStrongKeys, SupportsTransitiveTrusts, SupportsNetrServerPasswordSet2, SupportsNetrLogonGetDomainInfo, SupportsCrossForestTrusts, SupportsRodcPassThroughToDifferentDomains, SupportsAESAndSHA2, SupportsSecureRpc
[*] Tring to sync password for COMPUTEST$ using credentials for DC25$
[-] No such user: COMPUTEST$ with channel: ServerSecureChannel
[*] Decrypt Old Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
[*] Decrypt New Hash: 6135372a478be0905a376bf327cddb8b

@Ridter I'm trying to figure out which scenario triggers the issue that is being fixed with this PR. Can you help me with that?
Also, since #1848 is already ready to be merged, the changes in this PR will have to be rebased.
Thanks

@anadrianmanrique anadrianmanrique added the waiting for response Further information is needed from people who opened the issue or pull request label Feb 20, 2025
@Ridter
Author

Ridter commented Feb 25, 2025

Hello @Ridter. I'm testing your changes with your netsync project. I wasn't able to execute it successfully in the context of this PR. I made a little modification in order to be able to perform AES authentication.

└─$ python3 netsync.py vb25.local/'DC25$'@dc25 -hashes :f498d5e9ade8b9027377574bc6d5f060 -a COMPUTEST$ -ns 192.0.2.69

  _   _      _   ____
 | \ | | ___| |_/ ___| _   _ _ __   ___
 |  \| |/ _ \ __\___ \| | | | '_ \ / __|
 | |\  |  __/ |_ ___) | |_| | | | | (__
 |_| \_|\___|\__|____/ \__, |_| |_|\___|
                       |___/

[*] HostName: dc25.vb25.local -> Resolved: 192.0.2.69
[*] Using domain controller: dc25.vb25.local for domain vb25.local
[-] can't concat str to bytes

This issue was addressed in the context of #1848. In the context of that PR the test executed successfully

└─$ python3 netsync.py vb25.local/'DC25$'@dc25 -hashes :f498d5e9ade8b9027377574bc6d5f060 -a COMPUTEST$ -ns 192.0.2.69

  _   _      _   ____
 | \ | | ___| |_/ ___| _   _ _ __   ___
 |  \| |/ _ \ __\___ \| | | | '_ \ / __|
 | |\  |  __/ |_ ___) | |_| | | | | (__
 |_| \_|\___|\__|____/ \__, |_| |_|\___|
                       |___/

[*] HostName: dc25.vb25.local -> Resolved: 192.0.2.69
[*] Using domain controller: dc25.vb25.local for domain vb25.local
[*] Capabilities: 1093586756
[*] Authenticated successfully! have these capabilities: SupportsRC4, DoesNotRequireValidationLevel2, SupportsRefusePasswordChange, SupportsNetrLogonSendToSam, SupportsGenericPassThroughAuthentication, SupportsConcurrentRpcCalls, SupportsStrongKeys, SupportsTransitiveTrusts, SupportsNetrServerPasswordSet2, SupportsNetrLogonGetDomainInfo, SupportsCrossForestTrusts, SupportsRodcPassThroughToDifferentDomains, SupportsAESAndSHA2, SupportsSecureRpc
[*] Tring to sync password for COMPUTEST$ using credentials for DC25$
[-] No such user: COMPUTEST$ with channel: ServerSecureChannel
[*] Decrypt Old Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
[*] Decrypt New Hash: 6135372a478be0905a376bf327cddb8b

@Ridter I'm trying to figure out which scenario triggers the issue that is being fixed with this PR. Can you help me with that? Also, since #1848 is already ready to be merged, the changes in this PR will have to be rebased. Thanks

Hi, @anadrianmanrique . The previous code only implemented netsync through strong key. Now, based on PR #1848, I have added support for AES. The current code is fully functional and ready to use.

Using AESKey authentication: [screenshot]

Using StrongKey authentication: [screenshot]
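The thread distinguishes "StrongKey" from "AES" Netlogon authentication, and the earlier failure ("can't concat str to bytes") is a str passed where bytes were expected. The following is an added example, written for this thread and not Impacket's code or part of the PR: it derives the Netlogon session key both ways, as MS-NRPC 3.1.4.3 specifies them, from the account NT hash (the `-hashes :NT` value netsync.py takes) and the two 8-byte challenges, and picks the algorithm from the negotiated capability flags. The sample hash and challenges are constructed; the AES/SHA2 flag bit value is my reading of MS-NRPC 3.1.4.2, since the page prints only the flag name.

```python
"""Netlogon session-key derivation: strong key vs AES (MS-NRPC 3.1.4.3).

Added example for this thread; not Impacket's code and not part of the PR.
Only the standard library is used.
"""
import hashlib
import hmac

# MS-NRPC 3.1.4.2 negotiable option "B": supports AES encryption and SHA2
# hashing. Bit value assumed from the specification; the thread only shows
# the flag's name ("SupportsAESAndSHA2").
NEG_SUPPORTS_AES_SHA2 = 0x01000000


def _require_bytes(name, value, length):
    """Reject str and wrong-length inputs up front. Passing a str where bytes
    are expected is what later surfaces as "can't concat str to bytes"."""
    if not isinstance(value, (bytes, bytearray)):
        raise TypeError(f"{name} must be bytes, got {type(value).__name__}")
    if len(value) != length:
        raise ValueError(f"{name} must be {length} bytes, got {len(value)}")
    return bytes(value)


def session_key_strong_key(nt_hash, client_challenge, server_challenge):
    """Strong-key algorithm (MS-NRPC 3.1.4.3.2):
    MD5(4 zero bytes || client challenge || server challenge), then
    HMAC-MD5 keyed with the NT hash (M4SS). Returns a 16-byte key."""
    key = _require_bytes("nt_hash", nt_hash, 16)
    cc = _require_bytes("client_challenge", client_challenge, 8)
    sc = _require_bytes("server_challenge", server_challenge, 8)
    inner = hashlib.md5(b"\x00" * 4 + cc + sc).digest()
    return hmac.new(key, inner, hashlib.md5).digest()


def session_key_aes(nt_hash, client_challenge, server_challenge):
    """AES algorithm (MS-NRPC 3.1.4.3.1):
    HMAC-SHA256 keyed with the NT hash over client || server challenge,
    truncated to the first 16 bytes."""
    key = _require_bytes("nt_hash", nt_hash, 16)
    cc = _require_bytes("client_challenge", client_challenge, 8)
    sc = _require_bytes("server_challenge", server_challenge, 8)
    return hmac.new(key, cc + sc, hashlib.sha256).digest()[:16]


def derive_session_key(nt_hash, client_challenge, server_challenge, negotiate_flags):
    """Select the algorithm the way a Netlogon client must: AES whenever the
    AES/SHA2 option was negotiated, strong key otherwise.
    Returns (algorithm_name, 16-byte session key)."""
    if negotiate_flags & NEG_SUPPORTS_AES_SHA2:
        return "AES", session_key_aes(nt_hash, client_challenge, server_challenge)
    return "StrongKey", session_key_strong_key(nt_hash, client_challenge, server_challenge)


# Constructed sample inputs: not real credentials and not captured traffic.
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_CLIENT_CHALLENGE = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_SERVER_CHALLENGE = b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8"
# Capability value as printed by netsync.py earlier in this thread.
SAMPLE_NEGOTIATE_FLAGS = 1093586756

if __name__ == "__main__":
    aes_negotiated = SAMPLE_NEGOTIATE_FLAGS
    aes_cleared = SAMPLE_NEGOTIATE_FLAGS & ~NEG_SUPPORTS_AES_SHA2
    for flags in (aes_negotiated, aes_cleared):
        name, key = derive_session_key(
            SAMPLE_NT_HASH, SAMPLE_CLIENT_CHALLENGE, SAMPLE_SERVER_CHALLENGE, flags
        )
        print(f"flags=0x{flags:08x} {name:9s} session key: {key.hex()}")
    # The failure mode from the thread, caught at the boundary instead of
    # deep inside a concatenation.
    try:
        session_key_aes(SAMPLE_NT_HASH.hex(), SAMPLE_CLIENT_CHALLENGE, SAMPLE_SERVER_CHALLENGE)
    except TypeError as exc:
        print(f"rejected: {exc}")
```

The type check at the function boundary is the design point: the hash and challenges cross several layers (CLI parsing, SSP setup, the RPC binding) before they are concatenated, so validating them once on entry turns a confusing failure mid-handshake into an immediate, descriptive error.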

@ThePirateWhoSmellsOfSunflowers
Contributor

Hello,

I think you should reopen a PR with only netsync.py because the script currently works without any library modifications.

🌻

@Ridter
Author

Ridter commented Feb 25, 2025

Hello,

I think you should reopen a PR with only netsync.py because the script currently works without any library modifications.

🌻

@ThePirateWhoSmellsOfSunflowers Hi. To run netsync.py, you need to modify getSSPType1 in rpcrt.py, otherwise, it will fail to execute. If you need me to submit a separate PR, I can roll back the current commit and submit a separate PR.

@anadrianmanrique
Contributor

Hello @Ridter, thanks for the clarification about strong key. Regarding the latest changes, I think netsync.py should be removed from this PR, as it is not part of the scope of the original.
As @ThePirateWhoSmellsOfSunflowers mentioned, if you want us to evaluate netsync.py to integrate as a new example, you should create a new PR to review it in that context. Considering that netsync (https://github.com/Ridter/netsync/) is already its own project, I wouldn't encourage you to do that though.
Thanks

@ThePirateWhoSmellsOfSunflowers
Contributor

@ThePirateWhoSmellsOfSunflowers Hi. To run netsync.py, you need to modify getSSPType1 in rpcrt.py, otherwise, it will fail to execute. If you need me to submit a separate PR, I can roll back the current commit and submit a separate PR.

@Ridter The script works without modifying rpcrt.py on my box

$ python netsync.py -a 'KINGSLANDING$' -hashes :1b67a814138bd1bf2d15e362935b271c sevenkingdoms.local/'KINGSLANDING$'@kingslanding.sevenkingdoms.local

  _   _      _   ____                   
 | \ | | ___| |_/ ___| _   _ _ __   ___ 
 |  \| |/ _ \ __\___ \| | | | '_ \ / __|
 | |\  |  __/ |_ ___) | |_| | | | | (__ 
 |_| \_|\___|\__|____/ \__, |_| |_|\___|
                       |___/            

[*] HostName: kingslanding.sevenkingdoms.local -> Resolved: 192.168.56.10
[*] Using domain controller: kingslanding.sevenkingdoms.local for domain sevenkingdoms.local
[*] Capabilities: 1093586756
[*] Authenticated successfully! have these capabilities: SupportsRC4, DoesNotRequireValidationLevel2, SupportsRefusePasswordChange, SupportsNetrLogonSendToSam, SupportsGenericPassThroughAuthentication, SupportsConcurrentRpcCalls, SupportsStrongKeys, SupportsTransitiveTrusts, SupportsNetrServerPasswordSet2, SupportsNetrLogonGetDomainInfo, SupportsCrossForestTrusts, SupportsRodcPassThroughToDifferentDomains, SupportsAESAndSHA2, SupportsSecureRpc
[*] Tring to sync password for KINGSLANDING$ using credentials for KINGSLANDING$
[*] Decrypt Old Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
[*] Decrypt New Hash: 1b67a814138bd1bf2d15e362935b271c

@anadrianmanrique
Contributor

@Ridter also, your branch should be rebased: git rebase master

@Ridter Ridter force-pushed the fixed_netlogon_auth_error branch from 1c07279 to b200cf3 Compare February 26, 2025 01:57
@Ridter Ridter force-pushed the fixed_netlogon_auth_error branch from 1b49c25 to d14ca4c Compare February 26, 2025 02:10
jborean93 and others added 12 commits February 26, 2025 10:17
* Fix SMB2 compound response signing

Fix the signing logic when responding with an SMB2 compound
response. The signature will include the padding of each compound
element and include the next offset value before signing the data.

* Pad all SMB2 packets, even the last in a compound response
Co-authored-by: Lucas Vater <lucas.vater@redteam-pentesting.de>
…ortra#1859)

* Fix file length not matching file name because of multi-byte UTF-16

* Apply suggestions from code review

Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>

---------

Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>
* add EvtRpcRegisterControllableOperation and EvtRpcClearLog to even6 protocol

* add EvtRpcExportLog request to even6

* add tests for even6 EvtRpcClearLog and EvtRpcExportLog requests

* minor changes in even6
* Update socksserver.py

Fixes fortra#1575 by parsing the target hostname correctly from commands run through ntlmrelayx's socks5 proxy.

* Update socksserver.py

Fix hostname parsing
* fix netlogon implementation

* add AES option when netlogon is used as SSP
@Ridter
Author

Ridter commented Feb 26, 2025

@Ridter also, your branch should be rebased: git rebase master

Done 😊

@Ridter
Author

Ridter commented Feb 26, 2025

@ThePirateWhoSmellsOfSunflowers Hi. To run netsync.py, you need to modify getSSPType1 in rpcrt.py, otherwise, it will fail to execute. If you need me to submit a separate PR, I can roll back the current commit and submit a separate PR.

@Ridter The script works without modifying rpcrt.py on my box

$ python netsync.py -a 'KINGSLANDING$' -hashes :1b67a814138bd1bf2d15e362935b271c sevenkingdoms.local/'KINGSLANDING$'@kingslanding.sevenkingdoms.local

  _   _      _   ____                   
 | \ | | ___| |_/ ___| _   _ _ __   ___ 
 |  \| |/ _ \ __\___ \| | | | '_ \ / __|
 | |\  |  __/ |_ ___) | |_| | | | | (__ 
 |_| \_|\___|\__|____/ \__, |_| |_|\___|
                       |___/            

[*] HostName: kingslanding.sevenkingdoms.local -> Resolved: 192.168.56.10
[*] Using domain controller: kingslanding.sevenkingdoms.local for domain sevenkingdoms.local
[*] Capabilities: 1093586756
[*] Authenticated successfully! have these capabilities: SupportsRC4, DoesNotRequireValidationLevel2, SupportsRefusePasswordChange, SupportsNetrLogonSendToSam, SupportsGenericPassThroughAuthentication, SupportsConcurrentRpcCalls, SupportsStrongKeys, SupportsTransitiveTrusts, SupportsNetrServerPasswordSet2, SupportsNetrLogonGetDomainInfo, SupportsCrossForestTrusts, SupportsRodcPassThroughToDifferentDomains, SupportsAESAndSHA2, SupportsSecureRpc
[*] Tring to sync password for KINGSLANDING$ using credentials for KINGSLANDING$
[*] Decrypt Old Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
[*] Decrypt New Hash: 1b67a814138bd1bf2d15e362935b271c

Hi @ThePirateWhoSmellsOfSunflowers, when I use netsync.py with the latest code from the master branch, the following error occurs:
[screenshot of the error]
