GhostPack / Rubeus

Trying to tame the three-headed dog.

Crash when using asktgt with /opsec for a user with preauth disabled

VbScrub opened this issue · comments

If I run this and specify a user that has the "do not require preauth" option enabled:

Rubeus.exe asktgt /domain:kerb.local /user:npuser /password:anything /enctype:aes256 /opsec

It crashes like so:

  v2.0.0

[*] Action: Ask TGT

[*] Using domain controller: kerbdc1.kerb.local (192.168.0.84)
[-] AS-REQ w/o preauth successful! npuser has pre-authentication disabled!

[!] Unhandled Rubeus exception:

System.NullReferenceException: Object reference not set to an instance of an object.
   at Rubeus.Ask.GetPKInitRequest(AS_REQ asReq, PA_PK_AS_REQ& pkAsReq)
   at Rubeus.Ask.HandleASREP(AsnElt responseAsn, KERB_ETYPE etype, String keyString, String outfile, Boolean ptt, LUID luid, Boolean describe, Boolean verbose, AS_REQ asReq, String serviceKey, Boolean getCredentials, String dcIP)
   at Rubeus.Ask.NoPreAuthTGT(String userName, String domain, String keyString, KERB_ETYPE etype, String domainController, String outfile, Boolean ptt, LUID luid, Boolean describe, Boolean verbose)
   at Rubeus.Ask.TGT(String userName, String domain, String keyString, KERB_ETYPE etype, String outfile, Boolean ptt, String domainController, LUID luid, Boolean describe, Boolean opsec, String servicekey, Boolean changepw)
   at Rubeus.Commands.Asktgt.Execute(Dictionary`2 arguments)

This seems to be because HandleASREP expects the asReq argument not to be null, and when we call it from the NoPreAuthTGT method we don't pass any value in for that optional argument, so it is null.

But even when you fix that by passing in the AS-REQ, the code still crashes because it's expecting a keyString value to be in the AS-REQ... but there isn't one, because we didn't need one to do an AS-REQ with no preauth.

I see there's an argument named keyString on the HandleASREP method, but it never actually gets used anywhere, so I'm guessing this is how it used to work and then someone changed it to get the key string from the AS-REQ instead. From looking at how this function gets used, I think we could probably change it back to using the keyString argument instead without any problems, but I'm wondering if there was a good reason why it got changed in the first place.
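The situation the report describes, in a small worked example that is not part of the issue and not Rubeus code: a client sends its first AS-REQ without pre-authentication (as the /opsec flow does) and must then classify the KDC's answer. A KRB-ERROR with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) means "resend with PA-ENC-TIMESTAMP"; an AS-REP straight away means the account has "do not require preauth" set, and, since no key was needed to get that far, the AS-REP handler cannot assume it holds one for enc-part. The two messages at the bottom are hand-built, minimal DER constructed for this example (required KRB-ERROR fields such as stime, realm and sname are omitted); only the outer application tag, the SEQUENCE, and the error-code field are parsed.

```python
"""Classify a raw KDC reply to an AS-REQ that carried no pre-authentication.
Added example, not Rubeus code.  Sample messages are constructed, not captured."""

from dataclasses import dataclass
from typing import Optional, Tuple

APP_AS_REP = 11             # AS-REP    ::= [APPLICATION 11] KDC-REP   (RFC 4120)
APP_KRB_ERROR = 30          # KRB-ERROR ::= [APPLICATION 30] SEQUENCE
KDC_ERR_PREAUTH_REQUIRED = 25


def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int, int]:
    """Decode one DER TLV at `pos`; return (tag, value_start, value_end, next_pos).
    Single-byte tags and definite lengths only, which is all Kerberos uses."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, pos, pos + length, pos + length


def context_field(seq_body: bytes, number: int) -> Optional[bytes]:
    """Return the content of EXPLICIT context tag [number] inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_body):
        tag, vs, ve, pos = read_tlv(seq_body, pos)
        if tag == (0xA0 | number):
            return seq_body[vs:ve]
    return None


@dataclass
class KdcReply:
    kind: str                   # "AS-REP" or "KRB-ERROR"
    error_code: Optional[int]   # KRB-ERROR error-code, else None
    preauth_disabled: bool      # an AS-REP came back to an AS-REQ that had no preauth
    need_key_to_decrypt: bool   # caller must obtain a key before touching enc-part


def classify(response: bytes, sent_preauth: bool, have_key: bool) -> KdcReply:
    tag, vs, ve, _ = read_tlv(response, 0)
    if tag & 0xC0 != 0x40:                # class bits 01 = APPLICATION
        raise ValueError("not a Kerberos application message")
    app = tag & 0x1F
    seq_tag, svs, sve, _ = read_tlv(response, vs)
    if seq_tag != 0x30 or sve != ve:
        raise ValueError("expected a single SEQUENCE inside the application tag")
    body = response[svs:sve]

    if app == APP_AS_REP:
        # A TGT returned for an AS-REQ with no PA-ENC-TIMESTAMP means the account
        # has "do not require preauth" set.  No key was needed to get here, so the
        # caller must not assume one is on hand for enc-part: that missing key is
        # the state the crash report describes.
        return KdcReply("AS-REP", None, not sent_preauth, not have_key)

    if app == APP_KRB_ERROR:
        raw = context_field(body, 6)      # error-code [6] Int32
        if raw is None:
            raise ValueError("KRB-ERROR without error-code")
        _, ivs, ive, _ = read_tlv(raw, 0)
        code = int.from_bytes(raw[ivs:ive], "big", signed=True)
        return KdcReply("KRB-ERROR", code, False, False)

    raise ValueError(f"unexpected application tag {app}")


# Constructed samples (not real KDC output): pvno=5, msg-type, and for the
# error an error-code of 25 = KDC_ERR_PREAUTH_REQUIRED.
SAMPLE_AS_REP = bytes.fromhex("6b0c300aa003020105a10302010b")
SAMPLE_KRB_ERROR = bytes.fromhex("7e11300fa003020105a10302011ea603020119")

if __name__ == "__main__":
    # The /opsec-style flow: first AS-REQ without preauth, then decide.
    print(classify(SAMPLE_KRB_ERROR, sent_preauth=False, have_key=True))
    print(classify(SAMPLE_AS_REP, sent_preauth=False, have_key=False))
```

The need_key_to_decrypt flag is the point of the example: whichever way the key reaches the AS-REP handler (a keyString argument or a value carried on the AS-REQ), the no-preauth path has to be written so that the handler tolerates its absence rather than dereferencing it.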