
Help understanding limitations of "KDC_ERR_PADATA_TYPE_NOSUPP"


Hello!

Certipy has identified a number of templates in this environment vulnerable to ESC1. I’ve done:

certipy req 'victim.domain/myuser@fqdn.of.ca.server' -ca 'CA-NAME' -template 'VULNERABLETEMPLATE' -k -no-pass -alt 'domainadmin@victim.domain'

I got a domainadmin.pfx and I’m ready to test it out.

When I do certipy auth -pfx domainadmin.pfx -dc-ip ip.of.domain.controller I get:

[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

Upon checking this repo’s issues, I came across this one leading me to believe I can use this blog/tool to abuse this path via Linux, but from your blog it’s my understanding that if the CA is fully patched, this is a dead end.

To further confuse me, this blog makes me think abuse still is possible, but this content looks to be specifically about abuse when you’ve obtained the cert for a domain controller (which I have not).

Would you point me in the right direction - just so I’m not chasing a dead end?
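The "Kerberos SessionError" quoted in the issue is Certipy's rendering of a KRB-ERROR message (RFC 4120) returned by the KDC, i.e. the domain controller, not the CA, with error-code 16 (KDC_ERR_PADATA_TYPE_NOSUPP) in reply to an AS-REQ whose pre-authentication data was PA-PK-AS-REQ (padata type 16, the PKINIT request carrying the certificate). The block below is an added example, not code from the original issue, from Certipy, or from any tool the commenters maintain: a minimal DER decoder that extracts the error code from a KRB-ERROR and, for a KDC_ERR_PREAUTH_REQUIRED reply, lists the padata types the KDC advertises in e-data, which is where to check what the KDC actually offers before attributing the failure to the certificate or template. The messages are constructed inline with a small encoder so nothing is sent to a KDC; the realm and krbtgt service name are placeholders reused from the issue text, the stime value is arbitrary, and the advertised list [19, 2, 16, 15] is invented for the sample rather than taken from a real capture.

```python
"""Decode a Kerberos KRB-ERROR (RFC 4120) like the one behind Certipy's
"KDC_ERR_PADATA_TYPE_NOSUPP", and read the padata types a KDC advertises in
e-data when it answers KDC_ERR_PREAUTH_REQUIRED. Sample DER is built inline."""

KRB_ERROR_NAMES = {  # RFC 4120 / RFC 4556 error codes (subset)
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 14: "KDC_ERR_ETYPE_NOSUPP", 16: "KDC_ERR_PADATA_TYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED", 62: "KDC_ERR_CLIENT_NOT_TRUSTED",
}
PA_TYPE_NAMES = {  # padata types, RFC 4120 s.7.5.2 / RFC 4556 / RFC 6113
    2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD",
    16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2", 128: "PA-PAC-REQUEST", 136: "PA-FX-FAST",
}

# --- minimal DER encoder, only used to build the constructed samples ----------
def _der_len(n):  # short form below 128, long form above
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body
def _ctx(n, body):  # context-specific constructed tag [n]
    return _tlv(0xA0 | n, body)
def _int(v):  # minimal two's-complement INTEGER
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def _gstr(s):  # KerberosString is a GeneralString
    return _tlv(0x1B, s.encode())
def _seq(*parts):
    return _tlv(0x30, b"".join(parts))

def build_method_data(pa_types):  # METHOD-DATA ::= SEQUENCE OF PA-DATA, empty padata-value
    return _seq(*[_seq(_ctx(1, _int(t)), _ctx(2, _tlv(0x04, b""))) for t in pa_types])

def build_krb_error(error_code, realm, sname, e_data=None):
    """KRB-ERROR ::= [APPLICATION 30] SEQUENCE; optional fields omitted except e-data."""
    name_string = _seq(*[_gstr(p) for p in sname])
    fields = [
        _ctx(0, _int(5)),                          # pvno
        _ctx(1, _int(30)),                         # msg-type KRB_ERROR
        _ctx(4, _tlv(0x18, b"20220729120000Z")),   # stime, GeneralizedTime (arbitrary)
        _ctx(5, _int(0)),                          # susec
        _ctx(6, _int(error_code)),                 # error-code
        _ctx(9, _gstr(realm)),                     # realm
        _ctx(10, _seq(_ctx(0, _int(2)), _ctx(1, name_string))),  # sname, NT-SRV-INST
    ]
    if e_data is not None:
        fields.append(_ctx(12, _tlv(0x04, e_data)))  # e-data OCTET STRING
    return _tlv(0x7E, _seq(*fields))  # 0x7E = APPLICATION 30, constructed

# --- decoder ------------------------------------------------------------------
def _read_tlv(buf, pos=0):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _ctx_fields(seq_body):
    """Map context tag number -> inner TLV bytes for one SEQUENCE body."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, val, pos = _read_tlv(seq_body, pos)
        out[tag & 0x1F] = val
    return out

def parse_krb_error(blob):
    tag, body, _ = _read_tlv(blob)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR ([APPLICATION 30])")
    fields = _ctx_fields(_read_tlv(body)[1])
    def inner(n): return _read_tlv(fields[n])[1]
    code = int.from_bytes(inner(6), "big", signed=True)
    err = {"error_code": code, "name": KRB_ERROR_NAMES.get(code, f"UNKNOWN({code})"),
           "realm": inner(9).decode(), "pa_types_offered": []}
    # e-data is METHOD-DATA for PREAUTH_REQUIRED; other codes carry other structures
    if code == 25 and 12 in fields:
        method_data, pos = _read_tlv(inner(12))[1], 0
        while pos < len(method_data):
            _, pa, pos = _read_tlv(method_data, pos)
            pa_type = _read_tlv(_ctx_fields(pa)[1])[1]
            err["pa_types_offered"].append(int.from_bytes(pa_type, "big", signed=True))
    return err

def diagnose(err, pa_type_sent):
    """One-line reading of the error relative to the padata type the client sent."""
    code, name = err["error_code"], err["name"]
    if code == 16:
        return (f"{name}: KDC does not support padata type {pa_type_sent} "
                f"({PA_TYPE_NAMES.get(pa_type_sent, '?')}); the AS exchange cannot use it")
    if code == 25:
        offered = ", ".join(PA_TYPE_NAMES.get(t, str(t)) for t in err["pa_types_offered"])
        return f"{name}: KDC requires pre-authentication and advertises {offered}"
    return name

# Constructed samples, not captures; realm and sname are placeholders from the issue text
SAMPLE_NOSUPP = build_krb_error(16, "VICTIM.DOMAIN", ["krbtgt", "VICTIM.DOMAIN"])
SAMPLE_PREAUTH = build_krb_error(25, "VICTIM.DOMAIN", ["krbtgt", "VICTIM.DOMAIN"],
                                 build_method_data([19, 2, 16, 15]))

if __name__ == "__main__":
    for blob in (SAMPLE_NOSUPP, SAMPLE_PREAUTH):
        print(diagnose(parse_krb_error(blob), 16))  # 16 = PA-PK-AS-REQ, the PKINIT request
```

To use it on a real exchange, feed `parse_krb_error` the raw KRB-ERROR bytes from a packet capture of the AS-REQ/AS-REP exchange (the payload after the TCP length prefix). Which padata types a given KDC lists in its PREAUTH_REQUIRED reply, and whether PA-PK-AS-REQ appears among them, is something to confirm against that capture rather than assume from the sample list here.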

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 14 (3 by maintainers)

Top GitHub Comments

2 reactions
the-useless-one commented, Jul 29, 2022

Sure, thanks!

2 reactions
7MinSec commented, Jul 29, 2022

HOLY SCHNIKES IT WORKED!!!

Oh my gosh thank you @the-useless-one and @ly4k so, so much for sharing your great expertise and tooling. I have been on this pentest for weeks, picking at all sorts of things that led to dead ends. I initially thought this whole KDC_ERR_PADATA_TYPE_NOSUPP was something to do with the cert configuration being protected with defensive measures (according to a colleague), so I went right past it early in the engagement. It was so fun to circle back to the issue, get outstanding support from the two of you, and finally find a path to DA!

Are you both ok with me giving you a shoutout in an upcoming podcast episode?
