Inconsistency between --lsa via NTLM and Kerberos

[Dfte]

It looks like there is some inconsistency between the result of the --lsa option when connecting via NTLM and Kerberos:

Below is the result when dumping lsa via a NTLM authentication:

And here is the result when dumping via Kerberos (-k):

The AES and DES keys for the DC$ account are not dumped.

I'll take a look at why ASAP.

[XiaoliChan]

Maybe something is wrong in impacket. 🧐

[Dfte]

The bug is located in secretsdump, function getMachineKerberosSalt(). Using Kerberos, Impacket is not able to obtain the domain FQDN and the computer name which are required to build the salt used to decrypt AESKeys.

The following code patches the bug:

def getMachineKerberosSalt(self):
       """
       Returns Kerberos salt for the current connection if
       we have the correct information
       """
       # Patched by @Defte_ when using Kerberos, the getServerName function returns nothing
       # But we do need the domain FQDN as well as the computer name
       if self.__smbConnection.getServerName() == '':
           # To do we can request the getMachineNameAndDomain() which returns:
           #   - The computer name
           #   - The domain name (not FQDN so we don't need that hence the _)
           # Using the getRemoteHost function we can get the DC FQDN to which we substract the computer name
           # One we have the domain FQDN and the computer name we can compute the Kerberos salt
           host, _ = self.getMachineNameAndDomain()
           domain = self.__smbConnection.getRemoteHost().split(f"{host.lower()}.")[1]
           LOG.debug(f"[Secretsdump][getMachineKerberosSalt] {host}.{domain}")
       else:
           host = self.__smbConnection.getServerName()
           domain = self.__smbConnection.getServerDNSDomainName()
       salt = b'%shost%s.%s' % (domain.upper().encode('utf-8'), host.lower().encode('utf-8'), domain.lower().encode('utf-8'))
       return salt

And now we can obain the AESKeys as well via --lsa -k

Leaving this issue open until fix is merged in both fortra/theporgs/our impacket ?

[XiaoliChan]

@Dfte This is a Really nice patch, I think this should be made a PR in fortra's upstream

[Dfte]

I'll PR this in the afternoon yeah!

[Dfte]

PR's done, we'll have to wait for it to be merged :)

fortra/impacket#1628

[mpgn]

Hello @Dfte can you do the same pr on https://github.com/Pennyw0rth/impacket/tree/gkdi ? :)

[NeffIsBack]

Closed as fixed in Pennyw0rth/impacket#3

[mpgn]

Reverted, PR on impacket has not been tested once i think:

• there is space and tab mix on the PR
• if you fix the space / tab problem, you have a stacktrace