Help understanding limitations of "KDC_ERR_PADATA_TYPE_NOSUPP"

Hello!

Certipy has identified a number of templates in this environment vulnerable to ESC1. I’ve done:

certipy req 'victim.domain/myuser@fqdn.of.ca.server' -ca 'CA-NAME' -template 'VULNERABLETEMPLATE' -k -no-pass -alt 'domainadmin@victim.domain'

I got a domainadmin.pfx and I’m ready to test it out.

When I do certipy auth -pfx domainadmin.pfx -dc-ip ip.of.domain.controller I get:

[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

Upon checking this repo’s issues, I came across this one leading me to believe I can use this blog/tool to abuse this path via Linux, but from your blog it’s my understanding that if the CA is fully patched, this is a dead end.

To further confuse me, this blog makes me think abuse still is possible, but this content looks to be specifically about abuse when you’ve obtained the cert for a domain controller (which I have not).

Would you point me in the right direction - just so I’m not chasing a dead end?

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 14 (3 by maintainers)

Top GitHub Comments

2 reactions
the-useless-one commented, Jul 29, 2022

Sure, thanks!

2 reactions
7MinSec commented, Jul 29, 2022

HOLY SCHNIKES IT WORKED!!!

Oh my gosh thank you @the-useless-one and @ly4k so, so much for sharing your great expertise and tooling. I have been on this pentest for weeks, picking at all sorts of things that led to dead ends. I initially thought this whole KDC_ERR_PADATA_TYPE_NOSUPP was something to do with the cert configuration being protected with defensive measures (according to a colleague), so I went right past it early in the engagement. It was so fun to circle back to the issue, get outstanding support from the two of you, and finally find a path to DA!

Are you both ok with me giving you a shoutout in an upcoming podcast episode?
