Add Kerberos authentication and improve usability #2
Introduce impacket-style flags to authenticate against the DRSUAPI endpoint using Kerberos:
- -k / --kerberos: use Kerberos (ccache via KRB5CCNAME, then CLI creds)
- -no-pass / --no-pass: skip the password prompt (useful with -k)
- -aesKey: AES 128/256-bit key for Kerberos (implies -k)
- -dc-host: KDC hostname override
When -k is set, the DCE-RPC transport is configured with set_kerberos() and the authentication type is switched to RPC_C_AUTHN_GSS_NEGOTIATE.
Hello, Thanks for the PR. One thing however: if the 🌻
hept_map set the transport's remote name to the -t value (an IP), so the KDC was asked for an ST for host/<ip>@<REALM> and refused with KDC_ERR_S_PRINCIPAL_UNKNOWN. Override the remote name with the DC FQDN from -dc-host while keeping the IP for the TCP connection.
The script previously printed "Trust GUID not found!" for any DCERPCSessionError raised by DRSGetNCChanges, masking the real cause (e.g. ERROR_DS_DRA_ACCESS_DENIED, ERROR_DS_OBJ_NOT_FOUND on a wrong DSA GUID, etc.). Print the impacket exception directly so the underlying NT/DRS code is visible, and list the common causes.
Tools that read objectGUID directly from LDAP (e.g. nxc --query) emit the 16 raw bytes formatted as a dashed UUID without applying the mixed-endian byte swap that ADUC / PowerShell / DSInternals show. impacket.uuid.string_to_bin then re-swaps the first three groups, producing wrong bytes and an ERROR_DS_OBJ_NOT_FOUND from the DC. AD objectGUID values are UUID v4, so in the standard form the third group always starts with '4'. Detect that and pre-swap the input when it doesn't, so both formats resolve to the correct binary GUID.
Force-pushed from 785f006 to 593d039.
Hi, Thanks for the catch. You are right, the help didn't match the actual behavior. I updated the -dc-host help and clarified -t so it documents that a FQDN is accepted as well (and amended a TGS reference from a previous commit to ST instead 🫣).
Hello, The 🌻
The "third group starts with 4" heuristic misses raw GUIDs whose standard form is '4Y4W' (1/16 cases). Retry DRSGetNCChanges with swapped GUIDs on failure, and add -r/--raw to skip the heuristic.
Hi, yeah so we can't "cleanly" automate this, so I did both:
Or you can just use -r/--raw to specify that it has to be swapped.
Mhhh. Well, I'm not entirely satisfied with the solution, I think I prefer keeping the tool simple: the GUID must be provided in the "human readable" format (aka not the one returned by nxc, sorry). Can you please remove the normalize logic from your PR, I will merge it after that. Anyway, thanks for your contribution 👍 🌻
No problem, I understand!
I was investigating DC behavior in a trust relationship and ran into this tool, but it didn't work in my environment because Kerberos was not supported. This PR adds that support.
Summary
- Add Kerberos flags -k, -no-pass, -aesKey, -dc-host. Switches the DCE-RPC bind to RPC_C_AUTHN_GSS_NEGOTIATE and uses KRB5CCNAME (with CLI fallback) for credentials.
- When -dc-host is set, override the transport's remote name with the DC FQDN so the SPN is built correctly while keeping the IP for the TCP connection.
- Replace "Trust GUID not found!" with the actual DCERPCSessionError code/message, so failures like ERROR_DS_DRA_ACCESS_DENIED or ERROR_DS_OBJ_NOT_FOUND are visible.
- Detect raw GUIDs (e.g. from nxc --query objectGUID) and pre-swap them so they resolve to the correct binary GUID instead of double-swapping.
Test plan
- -k with a TGT in KRB5CCNAME against a DC referenced by -dc-host <fqdn> and -t <ip> succeeds.
- -k -aesKey <hex> (no ccache) succeeds.
- NTLM (-p / --hashes) still works unchanged.
- GUIDs from nxc --query and from PowerShell Get-ADObject both work.
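The objectGUID byte-order problem discussed in the commits and test plan above, as an added example that is not code from this PR or from the tool: it uses Python's standard uuid module in place of impacket.uuid.string_to_bin (uuid.UUID(...).bytes_le produces the same swapped bytes), the sample GUID is constructed, and it shows both the "third group starts with 4" heuristic and the retry-with-swapped-GUID fallback for the cases the heuristic misclassifies.

```python
import uuid

# Constructed sample: an AD objectGUID in the mixed-endian "display" form that
# ADUC, PowerShell Get-ADObject and DSInternals show (UUID v4: third group starts with 4).
DISPLAY_GUID = "7a1e2c3d-4f5a-4b6c-8d7e-9f0a1b2c3d4e"


def drs_binary_guid(display_guid):
    """The 16 bytes DRSUAPI expects: first three groups byte-swapped (little-endian).
    Same result as impacket.uuid.string_to_bin for a display-form string."""
    return uuid.UUID(display_guid).bytes_le


def raw_bytes_as_dashed(raw):
    """How a tool that prints the raw LDAP bytes without the swap (e.g. nxc --query)
    renders the same objectGUID."""
    return str(uuid.UUID(bytes=raw))


def is_display_form(guid):
    """PR heuristic: AD objectGUIDs are UUID v4, so in display form the third group
    starts with '4'. Misses raw strings whose swapped third group also starts with '4'."""
    return guid.split("-")[2][0] == "4"


def normalize_guid(guid, raw=False):
    """Return the display form. Swap when the caller says the input is raw (-r/--raw)
    or when the heuristic says it is not already in display form."""
    if raw or not is_display_form(guid):
        return str(uuid.UUID(bytes_le=uuid.UUID(guid).bytes))
    return guid


def candidate_binary_guids(guid, raw=False):
    """Binary GUIDs to try with DRSGetNCChanges, preferred interpretation first.
    The second entry is the retry-with-swapped-GUID fallback for the 1/16 raw
    strings the heuristic misclassifies as display form."""
    u = uuid.UUID(guid)
    as_display, as_raw = u.bytes_le, u.bytes
    if raw or not is_display_form(guid):
        return [as_raw, as_display]
    return [as_display, as_raw]


if __name__ == "__main__":
    raw_form = raw_bytes_as_dashed(drs_binary_guid(DISPLAY_GUID))
    print("display   :", DISPLAY_GUID)
    print("raw       :", raw_form)
    print("normalized:", normalize_guid(raw_form))
```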