Kerberos Auth Not Working #35

Open
kirtcathey opened this issue Dec 4, 2024 · 4 comments

kirtcathey commented Dec 4, 2024

Doesn't seem to work with Kerberos... any help. Looks like it would be an awesome tool otherwise.
Am I missing something? Tried all kinds of cred combinations... CME and NXC authenticates fine.

./linWinPwn.sh -t 10.129.100.130 -d VINTAGE.HTB -u 'P.Rosa' -K '/home/kali/E/PT/HTB/Vintage/linWinPwn_vintage.htb_P.Rosa/Credentials/P.Rosa.ccache' -I tun0 -U domain-users.txt

   _        __        ___       ____                  
  | |(_)_ __\ \      / (_)_ __ |  _ \__      ___ __   
  | || | '_  \ \ /\ / /| | '_ \| |_) \ \ /\ / | '_ \  
  | || | | | |\ V  V / | | | | |  __/ \ V  V /| | | | 
  |_||_|_| |_| \_/\_/  |_|_| |_|_|     \_/\_/ |_| |_| 

  linWinPwn: version 1.0.29 
  https://github.com/lefayjey/linWinPwn
  Author: lefayjey
  Inspired by: S3cur3Th1sSh1t's WinPwn

[+] Tue Dec 3 11:58:24 PM EST 2024

[i] Target domain: vintage.htb
[i] Domain Controller's FQDN: dc01.vintage.htb
[i] Domain Controller's IP: 10.129.100.130
[i] Domain Controller's ports: RPC open, SMB open, LDAP open, LDAPS open, KRB open, RDP filtered|closed, WinRM open
[i] Output folder: /home/kali/E/PT/HTB/Vintage/linWinPwn_vintage.htb_P.Rosa
[i] User wordlist file: domain-users.txt
[i] Password wordlist file: /usr/share/wordlists/rockyou.txt
[i] Attacker's IP: 10.10.16.3
[i] Attacker's Interface: tun0
[i] Current target(s): Domain Controllers
SMB 10.129.100.130 445 10.129.100.130 [-] VINTAGE.HTB\P.Rosa from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN
[-] Error authenticating to domain! Please check your credentials and try again...

lefayjey (Owner) commented Dec 4, 2024

Hello. Thanks for creating this issue.

It seems to be working for me.
[screenshot attached]

Can you please show the content of the command.log file?
Based on the error SMB 10.129.100.130 445 10.129.100.130 [-] VINTAGE.HTB\P.Rosa from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN, the FQDN of the DC should have been used and not the IP. linWinPwn uses the FQDN with Kerberos, but not in your case though (which is weird).

kirtcathey (Author) commented

The target (-t) parameter does not accept anything other than an IP. The error says to input an IP if you send anything else. The domain flag (-d) needs to be the TLB for Kerberos auth to work. HOWEVER, I got it to work with the key generated by the tool itself... and when I was referring to the Kerb key before, there was a soft link in the path. Some code does not handle path soft links well...

lefayjey (Owner) commented Dec 5, 2024

Yes, the target has to be the IP, because of a similar issue I had with Kerberos authentication when you put anything else. The issue could be related to the choice of domain or host when generating the ticket (like dc01 or dc01.vintage.htb in your case).
Can you please share the command used to generate the initial ticket that didn't work?

For the soft link, can you please share the error you're having? The tool uses the full path of the key file like this krb5cc_path=$(realpath "$krb5cc"). Is this causing an issue for you?

lefayjey (Owner) commented Dec 5, 2024

The only way I could reproduce this error is when you request a TGT using the "short" domain name instead of the full one. And the error would also be in netexec. Is this related to the issue you're facing?

┌──(kali㉿kali)-[/opt/Temp]
└─$ export KRB5CCNAME=khal.drogo.ccache

┌──(kali㉿kali)-[/opt/Temp]
└─$ getTGT.py essos.local/'khal.drogo':'horse' -dc-ip 192.168.56.12

Impacket v0.13.0.dev0+20241024.90011.835e175 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in khal.drogo.ccache

┌──(kali㉿kali)-[/opt/Temp]
└─$ netexec smb 192.168.56.12 -u 'khal.drogo' --use-kcache -d essos.local
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         192.168.56.12   445    MEEREEN          [+] essos.local\khal.drogo from ccache

┌──(kali㉿kali)-[/opt/Temp]
└─$ getTGT.py essos/'khal.drogo':'horse' -dc-ip 192.168.56.12

Impacket v0.13.0.dev0+20241024.90011.835e175 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in khal.drogo.ccache

┌──(kali㉿kali)-[/opt/Temp]
└─$ netexec smb 192.168.56.12 -u 'khal.drogo' --use-kcache -d essos.local
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         192.168.56.12   445    MEEREEN          [-] essos.local\khal.drogo from ccache KDC_ERR_PREAUTH_FAILED

┌──(kali㉿kali)-[/opt/Temp]
└─$ netexec smb 192.168.56.12 -u 'khal.drogo' --use-kcache -d essos
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Datacenter 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         192.168.56.12   445    MEEREEN          [-] essos\khal.drogo from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN
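As an added example (not part of this thread and not linWinPwn's own code), a small Python check that reads the client principal and the first credential's server principal straight out of a version-4 ccache file and flags a TGT whose realm is a short name such as ESSOS instead of the DNS domain, which is the condition reproduced in the session above. The ccache bytes are constructed inline and truncated after the fields the check reads; the `sample_ccache` builder and the "no dot in the realm" heuristic are this example's own assumptions.

```python
import struct


def _data(buf, off):
    """Read one length-prefixed (32-bit big-endian) byte field."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _principal(buf, off):
    """Parse a ccache principal: name_type (4), component count (4), realm, components."""
    _, ncomp = struct.unpack(">II", buf[off:off + 8])
    realm, off = _data(buf, off + 8)
    comps = []
    for _ in range(ncomp):
        c, off = _data(buf, off)
        comps.append(c.decode())
    return realm.decode(), comps, off


def ccache_principals(data):
    """Return (client principal, server principal of the first credential) as strings."""
    if data[:2] != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled")
    (hlen,) = struct.unpack(">H", data[2:4])          # v4 header length, header skipped
    _, _, off = _principal(data, 4 + hlen)            # default principal
    crealm, ccomps, off = _principal(data, off)       # first credential: client
    srealm, scomps, _ = _principal(data, off)         # first credential: server
    return f"{'/'.join(ccomps)}@{crealm}", f"{'/'.join(scomps)}@{srealm}"


def diagnose(data):
    """Heuristic checks for the short-realm TGT problem; returns a list of findings."""
    client, server = ccache_principals(data)
    realm = client.rsplit("@", 1)[1]
    problems = []
    if "." not in realm:                               # AD realms match the DNS domain name
        problems.append(f"realm {realm!r} is a short name, not the DNS domain")
    if not server.startswith("krbtgt/"):
        problems.append(f"first credential is {server!r}, not a TGT")
    return problems


def _enc_principal(realm, comps):
    out = struct.pack(">II", 1, len(comps)) + struct.pack(">I", len(realm)) + realm.encode()
    return out + b"".join(struct.pack(">I", len(c)) + c.encode() for c in comps)


def sample_ccache(realm, user):
    """Constructed v4 ccache (empty header), truncated after the first credential's server principal."""
    return (b"\x05\x04" + struct.pack(">H", 0) + _enc_principal(realm, [user])
            + _enc_principal(realm, [user]) + _enc_principal(realm, ["krbtgt", realm]))


if __name__ == "__main__":
    for realm in ("ESSOS.LOCAL", "ESSOS"):
        print(realm, diagnose(sample_ccache(realm, "khal.drogo")) or ["ok"])
```

For a real file, read it with `open(path, "rb").read()` after resolving any symlink with `os.path.realpath`, the same normalisation the tool applies via `realpath`.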
