Secretsdump errors with "Unknown DCE RPC fault status code: 00000057" when executed against a RODC
dkjajhqu2h3j opened this issue · 1 comments
dkjajhqu2h3j commented
Configuration
impacket version: 0.11.0
Python version: 3.11.6
Target OS: Windows Server 2019 (10.0.17763 N/A Build 17763)
Issue
I am trying to dump the AES256 key of a RODC's Kerberos service account cached in LSA on a RODC using secretsdump. If I use the default DRSUAPI mode I get the error "Unknown DCE RPC fault status code: 00000057". If I use the VSS mode I can dump the NTLM hash of the service account but I get no AES256 key. Mimikatz can successfully dump the AES256 key but I would prefer to not use that.
![Skärmbild 2023-12-20 102531](https://private-user-images.githubusercontent.com/153735386/291845144-b7b4a237-23a3-43b5-8cc3-b3e6654d493b.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTM0NTM5MjMsIm5iZiI6MTcxMzQ1MzYyMywicGF0aCI6Ii8xNTM3MzUzODYvMjkxODQ1MTQ0LWI3YjRhMjM3LTIzYTMtNDNiNS04Y2MzLWIzZTY2NTRkNDkzYi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNDE4JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDQxOFQxNTIwMjNaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT03Nzk2NmUzMzdkMTk1YmFjNGEzYTI0YjFmMmE0ZWYxZWU5ZDA3YjRjYzRjMWVkNmJjMzEwMjM4OWMzNGFhYWU0JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.FzeMSeSZPLNSWlqWPoY7EvAAQVx_fiP4cYURvZHSk3E)
I am aware that it is not possible to DCSync a RODC but that is not what I do. I am dumping LSA.
Thanks!