Configuration
impacket version: 0.11.0
Python version: 3.11.6
Target OS: Windows Server 2019 (10.0.17763 N/A Build 17763)
Issue
I am attempting the Kerberos Key List attack against a RODC I have in my lab but I cannot get it to work. As you can see below, the target user account test1 is a member of the security group Allowed RODC Password Replication Group but not a member of the security group Denied RODC Password Replication Group, and I have the name of the RODC's Kerberos service account and its AES256 key. Still, the Key List attack fails with "User test1 is not allowed to have passwords replicated in RODCs".
The members of the security groups Allowed RODC Password Replication Group and Denied RODC Password Replication Group are:
[Screenshot 2023-12-20 094145]
The values of the attributes msDS-RevealOnDemandGroup and msDS-NeverRevealGroup of the RODC's computer object are:
[Screenshot 2023-12-20 094214]
Impacket error using the default attack mode:
[Screenshot 2023-12-20 094242]
I get the same error targeting the account test1 directly:
[Screenshot 2023-12-20 100545]
Using Rubeus with the parameter "/Keylist" works. I get the NT hash of test1. What can I do to fix this? Thanks!
dkjajhqu2h3j changed the title from Kerberos Key List attack - "User test1 is not allowed to have passwords replicated in RODCs" to RODC Key List attack - "User test1 is not allowed to have passwords replicated in RODCs" on Dec 21, 2023
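For auditing which accounts an RODC is permitted to reveal, the policy named in the error message can be evaluated offline from msDS-RevealOnDemandGroup, msDS-NeverRevealGroup and group memberships. This is an added example, not part of the original issue and not impacket's code; it assumes the documented rule that msDS-NeverRevealGroup takes precedence over msDS-RevealOnDemandGroup, and every DN, user and membership in it is constructed.

```python
from collections import deque

# Constructed lab data (not from the issue): DNs, users and memberships.
BASE = "DC=lab,DC=example"
ALLOWED = f"CN=Allowed RODC Password Replication Group,CN=Users,{BASE}"
DENIED = f"CN=Denied RODC Password Replication Group,CN=Users,{BASE}"
DOMAIN_ADMINS = f"CN=Domain Admins,CN=Users,{BASE}"
TEST1, ADM1, SVC1 = (f"CN={n},CN=Users,{BASE}" for n in ("test1", "adm1", "svc1"))

# Direct memberOf edges. An account's primary group lives in primaryGroupID
# and is absent from memberOf, so it has to be added to this map explicitly.
MEMBER_OF = {
    TEST1: [ALLOWED],
    ADM1: [ALLOWED.upper(), DOMAIN_ADMINS],   # DN case differs on purpose
    DOMAIN_ADMINS: [DENIED],                  # nested: denies adm1 indirectly
    SVC1: [],
}

def _norm(dn):
    return dn.casefold()                      # DN comparison ignores case

def effective_groups(principal, member_of):
    """All groups the principal is in, following nested membership."""
    edges = {_norm(k): [_norm(g) for g in v] for k, v in member_of.items()}
    seen, queue = set(), deque([_norm(principal)])
    while queue:
        for group in edges.get(queue.popleft(), ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen

def prp_decision(principal, reveal_on_demand, never_reveal, member_of):
    """Return (verdict, matching policy entries). Deny beats allow, and a
    principal that matches neither list is not revealable."""
    scope = effective_groups(principal, member_of) | {_norm(principal)}
    denied = sorted(scope & {_norm(d) for d in never_reveal})
    if denied:
        return "deny", denied
    allowed = sorted(scope & {_norm(d) for d in reveal_on_demand})
    return ("allow", allowed) if allowed else ("deny", [])

def audit(users, reveal_on_demand, never_reveal, member_of=MEMBER_OF):
    """Map each user's CN to its verdict under the given policy."""
    return {u.split(",")[0][3:]: prp_decision(u, reveal_on_demand,
                                              never_reveal, member_of)[0]
            for u in users}
```

Feed it the two attribute values read from the RODC's computer object and a memberOf map exported from the directory to list the accounts that RODC may reveal.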