Describe the bug
Authentication with pfx certificates encodes the cname improperly, which results in:
nxc:
nxc --debug ldap -u 'ADMINISTRATöR' -d hack.lu --pfx-cert administratör.pfx -- 10.244.0.10
[20:13:46] DEBUG NXC VERSION: 1.4.0 - SmoothOperator - 3d407b47 - 1009 netexec.py:82
DEBUG PYTHON VERSION: 3.13.8 (main, Oct 7 2025, 12:01:51) [Clang 17.0.0 (clang-1700.3.19.1)] netexec.py:83
DEBUG RUNNING ON: Darwin Release: 25.0.0 netexec.py:84
DEBUG Passed args: Namespace(version=False, threads=256, timeout=None, jitter=None, verbose=False, debug=False, no_progress=False, log=None, force_ipv6=False, dns_server=None, netexec.py:85
dns_tcp=False, dns_timeout=3, protocol='ldap', target=['10.244.0.10'], username=['ADMINISTRATöR'], password=[], cred_id=[], ignore_pw_decoding=False, no_bruteforce=False,
continue_on_success=False, gfail_limit=None, ufail_limit=None, fail_limit=None, kerberos=False, use_kcache=False, aesKey=None, kdcHost=None, pfx_cert='administratör.pfx',
pfx_base64=None, pfx_pass=None, pem_cert=None, pem_key=None, module=None, module_options=[], list_modules=None, show_module_options=False, hash=[], port=389,
domain='hack.lu', local_auth=False, asreproast=None, kerberoasting=None, kerberoast_account=None, no_preauth_targets=None, base_dn=None, query=None,
find_delegation=False, trusted_for_delegation=False, password_not_required=False, admin_count=False, users=None, users_export=None, groups=None, computers=False,
dc_list=False, get_sid=False, active_users=None, pso=False, pass_pol=False, gmsa=False, gmsa_convert_id=None, gmsa_decrypt_lsa=None, bloodhound=False,
collection='Default')
DEBUG Protocol: ldap netexec.py:141
DEBUG Protocol Path: /Users/roman/.local/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/ldap.py netexec.py:144
DEBUG Protocol DB Path: /Users/roman/.local/pipx/venvs/netexec/lib/python3.13/site-packages/nxc/protocols/ldap/database.py netexec.py:146
[20:13:47] DEBUG Protocol Object: <class 'protocol.ldap'>, type: <class 'type'> netexec.py:149
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:151
DEBUG DB Path: /Users/roman/.nxc/workspaces/default/ldap.db netexec.py:154
DEBUG Creating ThreadPoolExecutor netexec.py:45
DEBUG Creating thread for <class 'protocol.ldap'> netexec.py:48
INFO Socket info: host=10.244.0.10, hostname=10.244.0.10, kerberos=False, ipv6=False, link-local ipv6=False connection.py:177
DEBUG Kicking off proto_flow connection.py:239
INFO Connecting to ldap://10.244.0.10 with no baseDN ldap.py:178
DEBUG ldap_connection: <impacket.ldap.ldap.LDAPConnection object at 0x10ba76ba0> ldap.py:182
DEBUG Created connection object connection.py:244
DEBUG Target: DC01.hack.lu; target_domain: hack.lu; base_dn: DC=hack,DC=lu ldap.py:288
DEBUG LDAP signing is enforced on 10.244.0.10 ldap.py:227
[20:13:48] DEBUG LDAPS channel binding is set to 'When Supported' on host 10.244.0.10 ldap.py:253
INFO Resolved domain: hack.lu with dns, kdcHost: 10.244.0.10 ldap.py:334
DEBUG Update Hosts: [{'id': 3, 'ip': '10.244.0.10', 'hostname': 'DC01', 'domain': 'hack.lu', 'os': 'Windows 11 / Server 2025 Build 26100'}] database.py:92
DEBUG add_host() - Host IDs Updated: [3] database.py:102
DEBUG Printing host info for LDAP ldap.py:350
[20:13:48] INFO LDAP 10.244.0.10 389 DC01 Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:hack.lu) (signing:Enforced) (channel binding:When Supported) ldap.py:358
DEBUG Trying to authenticate using Certificate pfx connection.py:555
INFO Loading certificate and key from file pfx.py:478
INFO Requesting TGT pfx.py:496
[20:13:48] INFO LDAP 10.244.0.10 389 DC01 Error Name: KDC_ERR_C_PRINCIPAL_UNKNOWN Detail: "Client not found in Kerberos database" pfx.py:502
DEBUG Calling command arguments connection.py:253
DEBUG Closing connection to: 10.244.0.10
Another tool for pfx usage is keycred:
../keycred/keycred auth --pfx administratör.pfx --dc dc01.hack.lu
hack.lu\ADMINISTRATöR: aad3b435b51404eeaad3b435b51404ee:a6b9330f65063062dc3d567db7d4e695
Ticket saved in ADMINISTRATö[email protected]
The difference between the two AS-REQs is in the encoding of the cname:
Proper administratör from keycred:
0000 41 44 4d 49 4e 49 53 54 52 41 54 c3 b6 52 ADMINISTRAT..R
Improper Administrator from nxc (and certipy):
0000 41 44 4d 49 4e 49 53 54 52 41 54 f6 52 ADMINISTRAT.R
To Reproduce
Create user with special character:
$ bloodyAD -u ADMINISTRATöR -p ":a6b9330f65063062dc3d567db7d4e695" --host 10.244.0.10 add user Usör 'test123!'
[+] Usör created
Request a user certificate:
$ certipy req -u 'Usö[email protected]' -p 'test123!' -ns 10.244.0.10 -template User -ca hack-DC01-CA
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 5
[*] Successfully requested certificate
[*] Got certificate with UPN 'Usö[email protected]'
[*] Certificate object SID is 'S-1-5-21-215134972-1129381140-2588549801-1104'
[*] Saving certificate and private key to 'usör.pfx'
[*] Wrote certificate and private key to 'usör.pfx'
Try to use it with nxc:
$ nxc ldap --pfx-cert usör.pfx -u usör -- 10.244.0.10
LDAP 10.244.0.10 389 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:hack.lu) (signing:Enforced) (channel binding:When Supported)
LDAP 10.244.0.10 389 DC01 [-] Error Name: KDC_ERR_C_PRINCIPAL_UNKNOWN Detail: "Client not found in Kerberos database"
NetExec info
- OS: macos
- Version of nxc: 1.4.0 - SmoothOperator - 3d407b4 - 1009
- Installed from: pipx
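The two hex dumps above differ only in how the non-ASCII character in the cname is serialised: keycred emits the UTF-8 sequence c3 b6 for "ö", nxc (via certipy) emits the single Latin-1 byte f6. The following added example (not code from nxc, certipy or keycred) hand-rolls the DER encoding of a Kerberos PrincipalName (RFC 4120 section 5.2.2, KerberosString being a GeneralString) so the two encodings can be compared byte for byte against the dumps in this issue. The hex values are taken from the issue text; the assumption that the KDC decodes the name-string as UTF-8 follows RFC 4120 section 5.2.1 and is marked in the code.

```python
"""Compare UTF-8 vs Latin-1 encoding of a Kerberos cname (RFC 4120 PrincipalName).

Added example for this issue, not code from nxc, certipy or keycred.
Assumption (RFC 4120 section 5.2.1): a conforming KDC interprets the
KerberosString components of the cname as UTF-8.
"""

NT_PRINCIPAL = 1  # name-type used for ordinary user principals


def _der_len(n: int) -> bytes:
    """DER length octets (short form < 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER (two's complement, minimal length)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def kerberos_string(value: str, encoding: str = "utf-8") -> bytes:
    """KerberosString ::= GeneralString (universal tag 0x1b).

    The wire format does not carry the character set, so the encoding
    chosen here decides what the KDC will see.
    """
    return _tlv(0x1B, value.encode(encoding))


def principal_name(name_type: int, components, encoding: str = "utf-8") -> bytes:
    """PrincipalName ::= SEQUENCE {
           name-type   [0] Int32,
           name-string [1] SEQUENCE OF KerberosString }"""
    nt = _tlv(0xA0, _der_int(name_type))
    ns = _tlv(0xA1, _tlv(0x30, b"".join(kerberos_string(c, encoding) for c in components)))
    return _tlv(0x30, nt + ns)


def cname_bytes(name: str, encoding: str) -> bytes:
    """Raw bytes of a single name-string component, as seen in the AS-REQ dump."""
    return name.encode(encoding)


def kdc_view(raw: bytes) -> str:
    """What a UTF-8 decoding KDC makes of the received component (assumption, see above).
    Returns None when the bytes are not valid UTF-8, i.e. no such principal can match."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def hexdump(b: bytes) -> str:
    """Same layout as the dumps in the issue: hex bytes then printable ASCII."""
    printable = "".join(chr(c) if 0x20 <= c < 0x7F else "." for c in b)
    return " ".join(f"{c:02x}" for c in b) + "  " + printable


if __name__ == "__main__":
    user = "ADMINISTRATöR"  # principal from the issue
    for label, enc in (("keycred (UTF-8)", "utf-8"), ("nxc/certipy (Latin-1)", "latin-1")):
        raw = cname_bytes(user, enc)
        print(f"{label:24s} {hexdump(raw)}")
        print(f"{'':24s} KDC sees: {kdc_view(raw)!r}")
        print(f"{'':24s} PrincipalName DER: {principal_name(NT_PRINCIPAL, [user], enc).hex()}")
```

Running the script reproduces both dumps from the issue: the UTF-8 component ends in c3 b6 52 and decodes back to ADMINISTRATöR, while the Latin-1 component ends in f6 52 and is not valid UTF-8 at all, which is consistent with the KDC answering KDC_ERR_C_PRINCIPAL_UNKNOWN rather than matching the account.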