Kerberoast: Subscript out of range #1
Comments
|
Is it office 64 bits or 32 bits? Also: can print the value of ResponseSize (use MsgBox) and query the same TGS with mimikatz/rubeus/impacket ? |
64 bit. The script won't work with 32 due to the longlong data type. The SPNs that didn't error had ResponseSizes of around 3055. It was one with a ResponseSize of 0 that triggered the error, I'm assuming is maybe a misconfigured or unreachable SPN. The kirbi files however, don't seem to be the expected hash, attached is one example that didn't cause the error (renamed .log to allow for attaching). |
|
Yep, I can not parse it. Can you paste the whole KERB_RETRIEVE_TKT_RESPONSE? 'Copy KERB_RETRIEVE_TKT_RESPONSE structure to an array
Dim Response() As Byte
Dim Data As String
ReDim Response(0 To ResponseSize)
Call CopyMemory(VarPtr(Response(0)), KerbRetrieveResponse, ResponseSize)
<--- Copy Response to a file |
I'm wondering if it could be some old misconfigured SPNs since I've messed with the test system a lot through the years. Is there a way to target a specific SPN instead of roasting every one in the domain? |
|
Copy the content to a file (you can reuse the loop code) so I can see exactly what is the content and why is failing. In the .kirbi I can see parts that are ok, but others deviates from what I was expecting. To query a TGS for a specific user you can edit the LDAP query: objCommand.CommandText = _
"<LDAP://" & strDomain & ">;(&(samAccountType=805306368)(samAccountName=YOURUSER));,servicePrincipalName;subtree" |
|
Here's Reponse pointed to write to the file in lieu of encodedTicket. Thanks again for helping us learn! |
One of the more fascinating blogs I've come across! Trying the kerberoast.vba POC on my test machine, I'm getting a "Subscript out of range" error at the line that reads the EncodedTicketSize at offset 136. It still generates a .kirbi file but it's full of garbage. Any clue why?
The text was updated successfully, but these errors were encountered: