Problem with crackmapexec asreproast

Hey Guys,

The topic is "Finding ASREPRoastable Accounts".

When I run

crackmapexec ldap dc01.inlanefreight.htb -u users.txt -p ' ' --asreproast asreproast.out

I receive an error

SMB         dc01.inlanefreight.htb 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:inlanefreight.htb) (signing:True) (SMBv1:False)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/impacket/krb5/kerberosv5.py", line 61, in sendReceive
    af, socktype, proto, canonname, sa = socket.getaddrinfo(targetHost, 88, 0, socket.SOCK_STREAM)[0]
  File "/usr/lib/python3.10/socket.py", line 955, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/crackmapexec", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 257, in main
    asyncio.run(
  File "/usr/lib/python3.10/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.10/asyncio/base_events.py", line 649, in run_until_complete
    return future.result()
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 105, in start_threadpool
    await asyncio.gather(*jobs)
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 69, in run_protocol
    await asyncio.wait_for(
  File "/usr/lib/python3.10/asyncio/tasks.py", line 408, in wait_for
    return await fut
  File "/usr/lib/python3.10/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/ldap.py", line 82, in __init__
    connection.__init__(self, args, db, host)
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 65, in __init__
    self.proto_flow()
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 101, in proto_flow
    if self.login() or (self.username == '' and self.password == ''):
  File "/usr/lib/python3/dist-packages/cme/connection.py", line 261, in login
    elif self.plaintext_login(self.domain, usr.strip(), password): return True
  File "/usr/lib/python3/dist-packages/cme/protocols/ldap.py", line 407, in plaintext_login
    hash_TGT = KerberosAttacks(self).getTGT_asroast(self.username)
  File "/usr/lib/python3/dist-packages/cme/protocols/ldap/kerberos.py", line 189, in getTGT_asroast
    r = sendReceive(message, domain, self.kdcHost)
  File "/usr/lib/python3/dist-packages/impacket/krb5/kerberosv5.py", line 65, in sendReceive
    raise socket.error("Connection error (%s:%s)" % (targetHost, 88), e)
OSError: [Errno Connection error (INLANEFREIGHT.HTB:88)] [Errno -2] Name or service not known

Can anybody help me?

I found the problem:

The solution is --kdcHost and one user with a password.

1 Like

crackmapexec ldap -dc-ip 10.129.55.181 --kdcHost dc01.inlanefreight.htb -u nicole -p Inlanefreight02! --asreproast asreproast.out
I tried with grace username:password as well
Still getting error

just read the message " ARE YOU SURE IS LDAP SERVICE IS RUNNING ON TARGET"

Instead of the domain/DNS name, you have to use the IP address. It should work. I think it’s a bug with CrackMapExec.

For example:

crackmapexec ldap 10.10.10.xx -u 'user-name' -p ' ' --asreproast asrep.out

I get the same issue. LDAP is actually running on my domain controller while I can definitely run queries with ldapsearch.

I’m unable to find any fix on the internet.

Quick fix:
I just needed to add the tld of my dc in my hosts file because cme by default is using target ip as kdchost

2 Likes

So I have found that to get something like this command to work

crackmapexec ldap dc01.inlanefreight.htb -u grace -p 'Inlanefreight01!' --kerberoasting kerberoasting.out

I need to add both the inlanefreight.htb and dc01.inlanefreight.htb to my hosts file:
10.129.255.79 dc01.inlanefreight.htb inlanefreight.htb

I don’t know if this is obvious to others, but it wasn’t for me, so I’m sharing in case it’s helpful.

1 Like
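
The traceback at the top of the thread fails inside socket.getaddrinfo for INLANEFREIGHT.HTB on port 88, and the last post fixes it by putting both names in the hosts file. The following is an added example, not part of the thread or of CrackMapExec, that checks hosts-file text for both names and repeats that lookup; the function names and the sample hosts contents are constructed for illustration.

```python
import socket

def parse_hosts(text):
    """Map every name in hosts-file text (lowercased) to its IP address."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        ip, *aliases = fields
        for alias in aliases:
            names.setdefault(alias.lower(), ip)  # keep the first mapping seen
    return names

def required_names(dc_fqdn):
    """The DC's FQDN plus the domain name derived from it (used as the realm)."""
    fqdn = dc_fqdn.lower().rstrip(".")
    _, _, domain = fqdn.partition(".")
    return [fqdn, domain] if domain else [fqdn]

def missing_from_hosts(hosts_text, dc_fqdn):
    """Names the tool may look up that the hosts file does not cover."""
    known = parse_hosts(hosts_text)
    return [name for name in required_names(dc_fqdn) if name not in known]

def resolves(name, port=88, resolver=socket.getaddrinfo):
    """Repeat the lookup from the traceback: getaddrinfo(host, 88, 0, SOCK_STREAM)."""
    try:
        resolver(name, port, 0, socket.SOCK_STREAM)
        return True
    except socket.gaierror:
        return False

# Constructed hosts-file contents, using the address from the last post.
HOSTS_BEFORE = "127.0.0.1 localhost\n10.129.255.79 dc01.inlanefreight.htb\n"
HOSTS_AFTER = ("127.0.0.1 localhost\n"
               "10.129.255.79 dc01.inlanefreight.htb inlanefreight.htb\n")

if __name__ == "__main__":
    print("missing before:", missing_from_hosts(HOSTS_BEFORE, "dc01.inlanefreight.htb"))
    print("missing after: ", missing_from_hosts(HOSTS_AFTER, "dc01.inlanefreight.htb"))
    for name in required_names("dc01.inlanefreight.htb"):
        print(name, "resolves" if resolves(name) else "does not resolve")
```

Run against the real hosts file by passing its contents to missing_from_hosts; any name it returns is one that will raise the "Name or service not known" error shown above unless DNS answers for it.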