Common Tool Errors - Kerberos

So you are performing your favourite Kerberos attacks, such as pass the ticket, Public Key Cryptography for Initial Authentication (PKINIT), Shadow Credentials or Active Directory Certificate Services (AD CS) vulnerabilities, but you run into a Kerberos error and, despite troubleshooting, you're still none the wiser on what to do?

Well, here's a quick post on the different errors you might encounter, what the root cause of each is and what you might want to do to fix your commands. Originally I was going to write a full blog post with all the different errors, all the different tools and all the different outcomes, but I figured it may be easier to just write a GitHub Pages app, which is easier to reference. So here is the Kerberos Errorism Index:

Kerberos Errorism Index

Domain SIDs

Before diving into Kerberos, you might find that from running Certipy or BloodHound-type commands and tools you end up with SIDs that are unresolved. Here's a quick handy reference table to help you with your struggles:

Principal                      SID/RID
Administrator                  S-1-5-21-*-500
Guest                          S-1-5-21-*-501
krbtgt                         S-1-5-21-*-502
Domain Admins                  S-1-5-21-*-512
Domain Users                   S-1-5-21-*-513
Domain Computers               S-1-5-21-*-515
Domain Controllers             S-1-5-21-*-516
Enterprise Admins              S-1-5-21-*-519
Group Policy Creator Owners    S-1-5-21-*-520
Read-only Domain Controllers   S-1-5-21-*-521

This is especially important when it comes to identifying AD CS ESC* attacks, as knowing whether a SID belongs to Domain Users or Domain Admins can often be the difference that leads to successful privilege escalation!
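As an added example (not part of the original post or of any tool's code), the Python below applies the table above to free-form tool output: it finds domain SIDs, names the well-known RIDs, and marks rights held by broad groups for review. The `resolve_sids` function, the `BROAD_RIDS` set and the sample text are assumptions made for illustration.

```python
import re

# Well-known domain RIDs, from the table above.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
    516: "Domain Controllers", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners", 521: "Read-only Domain Controllers",
}
# Assumption of this example: these principals cover most accounts in a
# domain, so any right granted to them deserves a closer look.
BROAD_RIDS = {501, 513, 515}

# S-1-5-21-<three domain sub-authorities>-<RID>; the lookahead rejects
# longer SIDs so a partial match is never reported as a domain principal.
DOMAIN_SID = re.compile(
    r"\bS-1-5-21-(\d{1,10})-(\d{1,10})-(\d{1,10})-(\d{1,10})(?![-\d])")

def resolve_sids(text):
    """Annotate every domain SID found in free-form tool output."""
    records = []
    for match in DOMAIN_SID.finditer(text):
        parts = [int(g) for g in match.groups()]
        if any(p > 0xFFFFFFFF for p in parts):  # sub-authorities are 32-bit
            continue
        rid = parts[3]
        records.append({
            "sid": match.group(0),
            "domain": match.group(0).rsplit("-", 1)[0],
            "rid": rid,
            # None: a per-domain object that must be looked up in the directory.
            "name": WELL_KNOWN_RIDS.get(rid),
            "broad": rid in BROAD_RIDS,
        })
    return records

# Constructed sample, only loosely shaped like tool output.
SAMPLE = """\
Enrollment Rights : S-1-5-21-1111111111-2222222222-3333333333-513
                    S-1-5-21-1111111111-2222222222-3333333333-512
Object Owner      : S-1-5-21-1111111111-2222222222-3333333333-1104
"""

if __name__ == "__main__":
    for rec in resolve_sids(SAMPLE):
        label = rec["name"] or "unresolved (RID %d)" % rec["rid"]
        flag = "  <-- broad group, review" if rec["broad"] else ""
        print(f'{rec["sid"]}  {label}{flag}')
```

A `name` of `None` means the RID is not in the table and belongs to an ordinary domain object, which has to be resolved against the directory itself.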

Kerberos 101

If you have ever received a KRB-ERROR when performing attacks, that message is part of the Kerberos protocol, and each one includes an error code that helps identify the specific error type.

There are several types that you may encounter, and the subsections below break down each one: what the root cause is, what tools you might encounter it with and, most importantly, the correct command to fix it.

  • KDC_ERR_NONE (0): No error.
  • KDC_ERR_NAME_EXP (1): The client’s account or password has expired.
  • KDC_ERR_SERVICE_EXP (2): The service’s account has expired.
  • KDC_ERR_BAD_PVNO (3): The requested protocol version isn’t supported.
  • KDC_ERR_C_OLD (4) & KDC_ERR_S_OLD (5): The client’s or service’s key is too old.
  • KDC_ERR_CANNOT_USE (6): The client is not found in the database.
  • KDC_ERR_MUST_USE_USER2USER (7): Indicates that user-to-user authentication is required.
  • KDC_ERR_SVC_UNAVAILABLE (9): The service is unavailable.
  • KDC_ERR_ETYPE_NOTSUPP (11): The encryption type isn’t supported by the KDC.
  • KRB_AP_ERR_BAD_INTEGRITY (14): The integrity check on the decrypted data failed.
  • KRB_AP_ERR_TKT_EXPIRED (15): The ticket has expired.
  • KRB_AP_ERR_TKT_NYV (16): The ticket is not yet valid.
  • KRB_AP_ERR_REPEAT (17): The request appears to be a replay.
  • KRB_AP_ERR_NOT_US (18): The ticket was not issued for the service it was presented to.
  • KRB_AP_ERR_BADMATCH (19): The ticket and authenticator don’t match.
  • KDC_ERR_MODIFIED (20): Often encountered when there’s an SPN misconfiguration or duplicate entries.
  • KDC_ERR_CLIENT_REVOKED (31): The client account has been revoked or disabled.
  • KDC_ERR_SERVICE_REVOKED (32): The service account has been revoked.
  • KDC_ERR_KEY_EXPIRED (36): The client’s (or service’s) key (often reflecting a password) has expired.
  • KDC_ERR_PREAUTH_FAILED (37): Preauthentication failed—commonly due to clock skew, wrong password, or a disabled account.
  • KDC_ERR_PREAUTH_REQUIRED (38): The KDC requires preauthentication.
  • KDC_ERR_WRONG_REALM (39): The client is attempting to authenticate in the wrong realm.

In most Windows (Active Directory) environments, a handful of Kerberos errors tend to appear more frequently because they’re directly related to common configuration issues, time synchronization problems, or account status. The most common ones include:

  • KDC_ERR_PREAUTH_FAILED (37): This error usually shows up when the supplied credentials (typically a password) are incorrect, when the account’s credentials are out of date, or if preauthentication data isn’t provided as expected.
  • KRB_AP_ERR_TKT_EXPIRED (15): This error occurs when a ticket has reached its expiration time, often due to long intervals between ticket renewals.
  • KRB_AP_ERR_TKT_NYV (16): A “ticket not yet valid” error is frequently encountered when there is a time skew between the client and the domain controller.
  • KDC_ERR_KEY_EXPIRED (36): This indicates that the user or service key (often reflecting a password) has expired, leading to authentication failures.
  • KDC_ERR_CLIENT_REVOKED (31): This error is seen when an account has been disabled or revoked, preventing the client from obtaining a valid ticket.
  • KDC_ERR_WRONG_REALM (39): Misconfiguration between domains or attempts to authenticate to the wrong realm can trigger this error.

These errors are most common because they are directly tied to issues that occur regularly in Windows domains, such as password changes, time synchronization problems, or misconfigured domain trusts. The actual frequency may vary depending on your environment’s setup and policies.