From 3af5a04e51f572677c9300ca80f58b5abb131e43 Mon Sep 17 00:00:00 2001
From: Defte
Date: Sat, 7 Oct 2023 14:29:17 +0200
Subject: [PATCH 1/2] Update secretsdump.py to support retrival of aesKeys via Kerberos

This PR fixes the getMachineKerberosSalt function which was not able to compute the Kerbros salt used to obtain aesKeys via secretsdump.
---
 impacket/examples/secretsdump.py | 33 +++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/impacket/examples/secretsdump.py b/impacket/examples/secretsdump.py
index ceb34be89b..61a6cab27f 100644
--- a/impacket/examples/secretsdump.py
+++ b/impacket/examples/secretsdump.py
@@ -699,19 +699,26 @@ def getDomainSid(self):
 return self.__domainSid

 def getMachineKerberosSalt(self):
- """
- Returns Kerberos salt for the current connection if
- we have the correct information
- """
- if self.__smbConnection.getServerName() == '':
- # Todo: figure out an RPC call that gives us the domain FQDN
- # instead of the NETBIOS name as NetrWkstaGetInfo does
- return b''
- else:
- host = self.__smbConnection.getServerName()
- domain = self.__smbConnection.getServerDNSDomainName()
- salt = b'%shost%s.%s' % (domain.upper().encode('utf-8'), host.lower().encode('utf-8'), domain.lower().encode('utf-8'))
- return salt
+ """
+ Returns Kerberos salt for the current connection if
+ we have the correct information
+ """
+ # Patched by @Defte_ when using Kerberos, the getServerName function returns nothing
+ # But we do need the domain FQDN as well as the computer name
+ if self.__smbConnection.getServerName() == '':
+ # To do we can request the getMachineNameAndDomain() which returns:
+ # - The computer name
+ # - The NETBIOS domain name (not FQDN so we don't need it hence the _)
+ # Using the getRemoteHost function we can get the DC's FQDN to which we substract the computer name
+ # Once we have the domain FQDN and the computer name we can compute the Kerberos salt
+ host, _ = self.getMachineNameAndDomain()
+ domain = self.__smbConnection.getRemoteHost().split(f"{host.lower()}.")[1]
+ LOG.debug(f"[Secretsdump][getMachineKerberosSalt] Host: {host} / Domain FQDN: {domain}")
+ else:
+ host = self.__smbConnection.getServerName()
+ domain = self.__smbConnection.getServerDNSDomainName()
+ salt = b'%shost%s.%s' % (domain.upper().encode('utf-8'), host.lower().encode('utf-8'), domain.lower().encode('utf-8'))
+ return salt

 def getMachineNameAndDomain(self):
 if self.__smbConnection.getServerName() == '':

From 390715c2b8e3ca25fa2f4ce59356364f5a74335d Mon Sep 17 00:00:00 2001
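Review bot: The new fallback branch in getMachineKerberosSalt turns the old graceful `return b''` into an unhandled IndexError: `getRemoteHost().split(f"{host.lower()}.")[1]` only works when the caller supplied the target as the machine's own FQDN in lowercase, so an IP address, a short name, or a mixed-case name such as `DC01.corp.local` leaves `split()` with a single element and the `[1]` access raises. The realm is also being derived from the caller-typed target string rather than from anything the server reported, so an alias or CNAME target produces a wrong salt silently; that assumption deserves a comment on the `domain = ...` line, e.g. `# Assumes the target was given as <machine>.<dns-domain>; an alias or IP cannot yield the realm`. I would normalise case, guard the prefix, and keep the previous "unknown" answer when the target does not start with the machine name, as below; `getMachineNameAndDomain` starts in this hunk but its body continues outside it, and its own first line shows it takes the same empty-server-name path, so its returned host is presumably not the NetBIOS name in that case — worth confirming.
```python
        if self.__smbConnection.getServerName() == '':
            # … unchanged: explanatory comments …
            host, _ = self.getMachineNameAndDomain()
            remote = self.__smbConnection.getRemoteHost().lower()
            prefix = host.lower() + '.'
            if not remote.startswith(prefix):
                # Target was given as an IP, an alias or a short name: the realm
                # cannot be derived from it, so keep the previous "unknown" answer
                return b''
            domain = remote[len(prefix):]
            LOG.debug("[Secretsdump][getMachineKerberosSalt] Host: %s / Domain FQDN: %s", host, domain)
        # … unchanged: else branch and salt construction …
```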
From: Defte
Date: Sat, 7 Oct 2023 14:31:38 +0200
Subject: [PATCH 2/2] Update secretsdump.py

---
 impacket/examples/secretsdump.py | 40 ++++++++++++++++----------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/impacket/examples/secretsdump.py b/impacket/examples/secretsdump.py
index 61a6cab27f..e523b19594 100644
--- a/impacket/examples/secretsdump.py
+++ b/impacket/examples/secretsdump.py
@@ -699,26 +699,26 @@ def getDomainSid(self):
 return self.__domainSid

 def getMachineKerberosSalt(self):
- """
- Returns Kerberos salt for the current connection if
- we have the correct information
- """
- # Patched by @Defte_ when using Kerberos, the getServerName function returns nothing
- # But we do need the domain FQDN as well as the computer name
- if self.__smbConnection.getServerName() == '':
- # To do we can request the getMachineNameAndDomain() which returns:
- # - The computer name
- # - The NETBIOS domain name (not FQDN so we don't need it hence the _)
- # Using the getRemoteHost function we can get the DC's FQDN to which we substract the computer name
- # Once we have the domain FQDN and the computer name we can compute the Kerberos salt
- host, _ = self.getMachineNameAndDomain()
- domain = self.__smbConnection.getRemoteHost().split(f"{host.lower()}.")[1]
- LOG.debug(f"[Secretsdump][getMachineKerberosSalt] Host: {host} / Domain FQDN: {domain}")
- else:
- host = self.__smbConnection.getServerName()
- domain = self.__smbConnection.getServerDNSDomainName()
- salt = b'%shost%s.%s' % (domain.upper().encode('utf-8'), host.lower().encode('utf-8'), domain.lower().encode('utf-8'))
- return salt
+ """
+ Returns Kerberos salt for the current connection if
+ we have the correct information
+ """
+ # Patched by @Defte_ when using Kerberos, the getServerName function returns nothing
+ # But we do need the domain FQDN as well as the computer name
+ if self.__smbConnection.getServerName() == '':
+ # To do we can request the getMachineNameAndDomain() which returns:
+ # - The computer name
+ # - The NETBIOS domain name (not FQDN so we don't need it hence the _)
+ # Using the getRemoteHost function we can get the DC's FQDN to which we substract the computer name
+ # Once we have the domain FQDN and the computer name we can compute the Kerberos salt
+ host, _ = self.getMachineNameAndDomain()
+ domain = self.__smbConnection.getRemoteHost().split(f"{host.lower()}.")[1]
+ LOG.debug(f"[Secretsdump][getMachineKerberosSalt] Host: {host} / Domain FQDN: {domain}")
+ else:
+ host = self.__smbConnection.getServerName()
+ domain = self.__smbConnection.getServerDNSDomainName()
+ salt = b'%shost%s.%s' % (domain.upper().encode('utf-8'), host.lower().encode('utf-8'), domain.lower().encode('utf-8'))
+ return salt

 def getMachineNameAndDomain(self):
 if self.__smbConnection.getServerName() == '':