fixed RPC_C_AUTHN_NETLOGON auth error #1868

Closed
Ridter wants to merge 15 commits into fortra:master from Ridter:fixed_netlogon_auth_error

Conversation

@Ridter (Contributor) commented Jan 8, 2025

In the process of implementing NetSync using Impacket, I discovered an issue in the authentication section of RPC_C_AUTHN_NETLOGON within Impacket. I made modifications to address the problem, and this submission contains the updated code.
Testing details can be found below: netsync.py.

Shown in the following image:

@ThePirateWhoSmellsOfSunflowers (Contributor)

Hi,
Nice work. I also played recently with netlogon, have you seen my PR #1848?

🌻

@Ridter (Contributor, Author) commented Jan 8, 2025

> Hi, Nice work. I also played recently with netlogon, have you seen my PR #1848?
>
> 🌻

I just saw your PR, nice job!

@anadrianmanrique anadrianmanrique self-assigned this Jan 16, 2025
@anadrianmanrique anadrianmanrique added the in review This issue or pull request is being analyzed label Jan 16, 2025
@anadrianmanrique (Collaborator)

Hello @Ridter. I'm testing your changes with your netsync project. I wasn't able to execute it successfully in the context of this PR. I made a little modification in order to be able to perform AES authentication.

└─$ python3 netsync.py vb25.local/'DC25$'@dc25 -hashes :f498d5e9ade8b9027377574bc6d5f060 -a COMPUTEST$ -ns 192.0.2.69

  _   _      _   ____
 | \ | | ___| |_/ ___| _   _ _ __   ___
 |  \| |/ _ \ __\___ \| | | | '_ \ / __|
 | |\  |  __/ |_ ___) | |_| | | | | (__
 |_| \_|\___|\__|____/ \__, |_| |_|\___|
                       |___/

[*] HostName: dc25.vb25.local -> Resolved: 192.0.2.69
[*] Using domain controller: dc25.vb25.local for domain vb25.local
[-] can't concat str to bytes

This issue was addressed in the context of #1848. In the context of that PR the test executed successfully:

└─$ python3 netsync.py vb25.local/'DC25$'@dc25 -hashes :f498d5e9ade8b9027377574bc6d5f060 -a COMPUTEST$ -ns 192.0.2.69

  _   _      _   ____
 | \ | | ___| |_/ ___| _   _ _ __   ___
 |  \| |/ _ \ __\___ \| | | | '_ \ / __|
 | |\  |  __/ |_ ___) | |_| | | | | (__
 |_| \_|\___|\__|____/ \__, |_| |_|\___|
                       |___/

[*] HostName: dc25.vb25.local -> Resolved: 192.0.2.69
[*] Using domain controller: dc25.vb25.local for domain vb25.local
[*] Capabilities: 1093586756
[*] Authenticated successfully! have these capabilities: SupportsRC4, DoesNotRequireValidationLevel2, SupportsRefusePasswordChange, SupportsNetrLogonSendToSam, SupportsGenericPassThroughAuthentication, SupportsConcurrentRpcCalls, SupportsStrongKeys, SupportsTransitiveTrusts, SupportsNetrServerPasswordSet2, SupportsNetrLogonGetDomainInfo, SupportsCrossForestTrusts, SupportsRodcPassThroughToDifferentDomains, SupportsAESAndSHA2, SupportsSecureRpc
[*] Tring to sync password for COMPUTEST$ using credentials for DC25$
[-] No such user: COMPUTEST$ with channel: ServerSecureChannel
[*] Decrypt Old Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
[*] Decrypt New Hash: 6135372a478be0905a376bf327cddb8b

@Ridter I'm trying to figure out which scenario triggers the issue that is being fixed with this PR. Can you help me with that?
Also, since #1848 is already ready to be merged, changes in this PR will have to be rebased.
Thanks

@anadrianmanrique anadrianmanrique added the waiting for response Further information is needed from people who opened the issue or pull request label Feb 20, 2025
@Ridter (Contributor, Author) commented Feb 25, 2025

> Hello @Ridter. I'm testing your changes with your netsync project. I wasn't able to execute it successfully in the context of this PR. I made a little modification in order to be able to perform AES authentication.
>
> └─$ python3 netsync.py vb25.local/'DC25$'@dc25 -hashes :f498d5e9ade8b9027377574bc6d5f060 -a COMPUTEST$ -ns 192.0.2.69
>
>   _   _      _   ____
>  | \ | | ___| |_/ ___| _   _ _ __   ___
>  |  \| |/ _ \ __\___ \| | | | '_ \ / __|
>  | |\  |  __/ |_ ___) | |_| | | | | (__
>  |_| \_|\___|\__|____/ \__, |_| |_|\___|
>                        |___/
>
> [*] HostName: dc25.vb25.local -> Resolved: 192.0.2.69
> [*] Using domain controller: dc25.vb25.local for domain vb25.local
> [-] can't concat str to bytes
>
> This issue was addressed in the context of #1848. In the context of that PR the test executed successfully:
>
> └─$ python3 netsync.py vb25.local/'DC25$'@dc25 -hashes :f498d5e9ade8b9027377574bc6d5f060 -a COMPUTEST$ -ns 192.0.2.69
>
>   _   _      _   ____
>  | \ | | ___| |_/ ___| _   _ _ __   ___
>  |  \| |/ _ \ __\___ \| | | | '_ \ / __|
>  | |\  |  __/ |_ ___) | |_| | | | | (__
>  |_| \_|\___|\__|____/ \__, |_| |_|\___|
>                        |___/
>
> [*] HostName: dc25.vb25.local -> Resolved: 192.0.2.69
> [*] Using domain controller: dc25.vb25.local for domain vb25.local
> [*] Capabilities: 1093586756
> [*] Authenticated successfully! have these capabilities: SupportsRC4, DoesNotRequireValidationLevel2, SupportsRefusePasswordChange, SupportsNetrLogonSendToSam, SupportsGenericPassThroughAuthentication, SupportsConcurrentRpcCalls, SupportsStrongKeys, SupportsTransitiveTrusts, SupportsNetrServerPasswordSet2, SupportsNetrLogonGetDomainInfo, SupportsCrossForestTrusts, SupportsRodcPassThroughToDifferentDomains, SupportsAESAndSHA2, SupportsSecureRpc
> [*] Tring to sync password for COMPUTEST$ using credentials for DC25$
> [-] No such user: COMPUTEST$ with channel: ServerSecureChannel
> [*] Decrypt Old Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
> [*] Decrypt New Hash: 6135372a478be0905a376bf327cddb8b
>
> @Ridter I'm trying to figure out which scenario triggers the issue that is being fixed with this PR. Can you help me with that? Also, since #1848 is already ready to be merged, changes in this PR will have to be rebased. Thanks

Hi @anadrianmanrique. The previous code only implemented netsync through strong key. Now, based on PR #1848, I have added support for AES. The current code is fully functional and ready to use.

Using AESKey authentication:
[screenshot: Clipboard_Screenshot_1740537162]

Using StrongKey authentication:
[screenshot: Clipboard_Screenshot_1740537206]

@ThePirateWhoSmellsOfSunflowers (Contributor)

Hello,

I think you should reopen a PR with only netsync.py because the script currently works without any library modifications.

🌻

@Ridter (Contributor, Author) commented Feb 25, 2025

> Hello,
>
> I think you should reopen a PR with only netsync.py because the script currently works without any library modifications.
>
> 🌻

@ThePirateWhoSmellsOfSunflowers Hi. To run netsync.py, you need to modify getSSPType1 in rpcrt.py, otherwise, it will fail to execute. If you need me to submit a separate PR, I can roll back the current commit and submit a separate PR.

@anadrianmanrique (Collaborator)

Hello @Ridter, thanks for the clarification about strong key. Regarding the latest changes, I think netsync.py should be removed from this PR, as it is not part of the scope of the original.
As @ThePirateWhoSmellsOfSunflowers mentioned, if you want us to evaluate netsync.py to integrate as a new example, you should create a new PR to review it in that context. Considering that netsync (https://github.com/Ridter/netsync/) is already its own project, I wouldn't encourage you to do that though.
Thanks

@ThePirateWhoSmellsOfSunflowers (Contributor)

> @ThePirateWhoSmellsOfSunflowers Hi. To run netsync.py, you need to modify getSSPType1 in rpcrt.py, otherwise, it will fail to execute. If you need me to submit a separate PR, I can roll back the current commit and submit a separate PR.

@Ridter The script works without modifying rpcrt.py on my box:

$ python netsync.py -a 'KINGSLANDING$' -hashes :1b67a814138bd1bf2d15e362935b271c sevenkingdoms.local/'KINGSLANDING$'@kingslanding.sevenkingdoms.local

  _   _      _   ____                   
 | \ | | ___| |_/ ___| _   _ _ __   ___ 
 |  \| |/ _ \ __\___ \| | | | '_ \ / __|
 | |\  |  __/ |_ ___) | |_| | | | | (__ 
 |_| \_|\___|\__|____/ \__, |_| |_|\___|
                       |___/            

[*] HostName: kingslanding.sevenkingdoms.local -> Resolved: 192.168.56.10
[*] Using domain controller: kingslanding.sevenkingdoms.local for domain sevenkingdoms.local
[*] Capabilities: 1093586756
[*] Authenticated successfully! have these capabilities: SupportsRC4, DoesNotRequireValidationLevel2, SupportsRefusePasswordChange, SupportsNetrLogonSendToSam, SupportsGenericPassThroughAuthentication, SupportsConcurrentRpcCalls, SupportsStrongKeys, SupportsTransitiveTrusts, SupportsNetrServerPasswordSet2, SupportsNetrLogonGetDomainInfo, SupportsCrossForestTrusts, SupportsRodcPassThroughToDifferentDomains, SupportsAESAndSHA2, SupportsSecureRpc
[*] Tring to sync password for KINGSLANDING$ using credentials for KINGSLANDING$
[*] Decrypt Old Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
[*] Decrypt New Hash: 1b67a814138bd1bf2d15e362935b271c

@anadrianmanrique (Collaborator)

@Ridter also, your branch should be rebased: git rebase master

@Ridter Ridter force-pushed the fixed_netlogon_auth_error branch from 1c07279 to b200cf3 Compare February 26, 2025 01:57
@Ridter Ridter force-pushed the fixed_netlogon_auth_error branch from 1b49c25 to d14ca4c Compare February 26, 2025 02:10
jborean93 and others added 12 commits February 26, 2025 10:17

* Fix SMB2 compound response signing

Fix the signing logic when responding with an SMB2 compound
response. The signature will include the padding of each compound
element and include the next offset value before signing the data.

* Pad all SMB2 packets, even the last in a compound response

Co-authored-by: Lucas Vater <lucas.vater@redteam-pentesting.de>

…ortra#1859)

* Fix file length not matching file name because of multi-byte UTF-16

* Apply suggestions from code review

Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>

---------

Co-authored-by: alexisbalbachan <alexisbalbachan@gmail.com>

* add EvtRpcRegisterControllableOperation and EvtRpcClearLog to even6 protocol

* add EvtRpcExportLog request to even6

* add tests for even6 EvtRpcClearLog and EvtRpcExportLog requests

* minor changes in even6

* Update socksserver.py

Fixes fortra#1575 by parsing the target hostname correctly from commands run through ntlmrelayx's socks5 proxy.

* Update socksserver.py

Fix hostname parsing

* fix netlogon implementation

* add AES option when netlogon is used as SSP
@Ridter (Contributor, Author) commented Feb 26, 2025

> @Ridter also, your branch should be rebased: git rebase master

Done 😊

@Ridter (Contributor, Author) commented Feb 26, 2025

> @ThePirateWhoSmellsOfSunflowers Hi. To run netsync.py, you need to modify getSSPType1 in rpcrt.py, otherwise, it will fail to execute. If you need me to submit a separate PR, I can roll back the current commit and submit a separate PR.
>
> @Ridter The script works without modifying rpcrt.py on my box:
>
> $ python netsync.py -a 'KINGSLANDING$' -hashes :1b67a814138bd1bf2d15e362935b271c sevenkingdoms.local/'KINGSLANDING$'@kingslanding.sevenkingdoms.local
>
>   _   _      _   ____
>  | \ | | ___| |_/ ___| _   _ _ __   ___
>  |  \| |/ _ \ __\___ \| | | | '_ \ / __|
>  | |\  |  __/ |_ ___) | |_| | | | | (__
>  |_| \_|\___|\__|____/ \__, |_| |_|\___|
>                        |___/
>
> [*] HostName: kingslanding.sevenkingdoms.local -> Resolved: 192.168.56.10
> [*] Using domain controller: kingslanding.sevenkingdoms.local for domain sevenkingdoms.local
> [*] Capabilities: 1093586756
> [*] Authenticated successfully! have these capabilities: SupportsRC4, DoesNotRequireValidationLevel2, SupportsRefusePasswordChange, SupportsNetrLogonSendToSam, SupportsGenericPassThroughAuthentication, SupportsConcurrentRpcCalls, SupportsStrongKeys, SupportsTransitiveTrusts, SupportsNetrServerPasswordSet2, SupportsNetrLogonGetDomainInfo, SupportsCrossForestTrusts, SupportsRodcPassThroughToDifferentDomains, SupportsAESAndSHA2, SupportsSecureRpc
> [*] Tring to sync password for KINGSLANDING$ using credentials for KINGSLANDING$
> [*] Decrypt Old Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
> [*] Decrypt New Hash: 1b67a814138bd1bf2d15e362935b271c

Hi @ThePirateWhoSmellsOfSunflowers, when I use netsync.py with the latest code from the master branch, the following error occurs.
[screenshot: Clipboard_Screenshot_1740536980]

@anadrianmanrique (Collaborator)

@Ridter this PR branch is still not rebased. There are 15 files with differences. I suggest closing this PR and reopening a clean new one with your changes, so we can move forward more quickly with the merge.
I will reference this PR in the new one.
Thanks

@Ridter (Contributor, Author) commented Feb 27, 2025

> reopen a clean

Reopen at #1908

@ThePirateWhoSmellsOfSunflowers (Contributor)

> @ThePirateWhoSmellsOfSunflowers, when I use netsync.py with the latest code from the master branch, the following error occurs.

My bad, I managed to trigger the error.

However, it's because you call set_credentials with your domain FQDN cgdomain.com instead of the NETBIOS one cgdomain.

if hasattr(rpctransport, 'set_credentials'):
    # This method exists only for selected protocol sequences.
    rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,
                                 '')

🌻

@Ridter (Contributor, Author) commented Feb 27, 2025

> > @ThePirateWhoSmellsOfSunflowers, when I use netsync.py with the latest code from the master branch, the following error occurs.
>
> My bad, I managed to trigger the error.
>
> However, it's because you call set_credentials with your domain FQDN cgdomain.com instead of the NETBIOS one cgdomain.
>
> if hasattr(rpctransport, 'set_credentials'):
>     # This method exists only for selected protocol sequences.
>     rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,
>                                  '')
>
> 🌻

Yes, the getSSPType1 function only supports NL_AUTH_MESSAGE_NETBIOS_DOMAIN. I have added support for NL_AUTH_MESSAGE_DNS_DOMAIN. 😁
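As an added illustration (not code from this PR, from Impacket, or from netsync), a stand-alone builder and parser for the NL_AUTH_MESSAGE token that the Netlogon SSP sends at bind time, covering both the NetBIOS and the DNS flag families. It assumes the MS-NRPC 2.2.1.3.1 layout (the flag names are the ones Impacket's nrpc.py uses) and, as a check, refuses a dotted FQDN under the NetBIOS flag, the mismatch that produced the error discussed above.

```python
import struct
# Message type and flag values from MS-NRPC 2.2.1.3.1 (Impacket's nrpc.py uses the same names)
NL_AUTH_MESSAGE_REQUEST = 0x00000000
NL_AUTH_MESSAGE_NETBIOS_DOMAIN, NL_AUTH_MESSAGE_NETBIOS_HOST = 0x01, 0x02
NL_AUTH_MESSAGE_DNS_DOMAIN, NL_AUTH_MESSAGE_DNS_HOST = 0x04, 0x08
DNS_FLAGS = NL_AUTH_MESSAGE_DNS_DOMAIN | NL_AUTH_MESSAGE_DNS_HOST

def _netbios(name):
    # NetBIOS names are flat; a dotted FQDN under the NetBIOS flag is the mismatch
    # from the thread, so refuse it here rather than emit a token the DC will reject.
    if '.' in name:
        raise ValueError("NetBIOS flag used with DNS name %r" % name)
    return name.encode('utf-8') + b'\x00'      # str -> bytes before concatenation

def _dns_compressed(name):
    # "Compressed UTF-8" form (assumed per MS-NRPC / RFC 1035): length-prefixed
    # labels ending in a zero byte, e.g. cgdomain.com -> b'\x08cgdomain\x03com\x00'
    out = b''
    for label in name.rstrip('.').split('.'):
        raw = label.encode('utf-8')
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label %r" % label)
        out += struct.pack('B', len(raw)) + raw
    return out + b'\x00'

def build_nl_auth_message(domain, host, use_dns=False):
    """Return the NL_AUTH_MESSAGE bytes for a Netlogon SSP bind request."""
    if use_dns:
        flags, buf = DNS_FLAGS, _dns_compressed(domain) + _dns_compressed(host)
    else:
        flags = NL_AUTH_MESSAGE_NETBIOS_DOMAIN | NL_AUTH_MESSAGE_NETBIOS_HOST
        buf = _netbios(domain) + _netbios(host)
    return struct.pack('<LL', NL_AUTH_MESSAGE_REQUEST, flags) + buf

def parse_nl_auth_message(data):
    """Split a message built above back into (message_type, flags, [domain, host])."""
    msg_type, flags = struct.unpack('<LL', data[:8])
    rest, names = data[8:], []
    while rest:
        if flags & DNS_FLAGS:                  # walk length-prefixed labels
            labels = []
            while rest[0]:
                labels.append(rest[1:1 + rest[0]].decode('utf-8'))
                rest = rest[1 + rest[0]:]
            rest, name = rest[1:], '.'.join(labels)
        else:                                  # NUL-terminated flat name
            end = rest.index(b'\x00')
            rest, name = rest[end + 1:], rest[:end].decode('utf-8')
        names.append(name)
    return msg_type, flags, names
```

The sample names (cgdomain / cgdomain.com) are the ones from this thread; the builder raises before any bytes leave the process when the flag and the name form disagree.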

@anadrianmanrique (Collaborator)

following up in #1908

Labels: in review (This issue or pull request is being analyzed); waiting for response (Further information is needed from people who opened the issue or pull request)
