Closed JoeDibley closed 2 years ago
Provides the capability to request TGT tickets for computer accounts which have been renamed but not had their password updated.
This change was born from the Computer SAMAccountName spoofing vulnerability which Microsoft patched in the Nov 9th updates, CVE-2021-42278.
Without this change it is only possible to use RC4 Kerberos Encryption on the spoofed TGT for the domain controller.
Usage
.\Rubeus.exe asktgt /user:DC2 /enctype:aes256 /oldsam:comp1 /password:Password1 /domain:domain.local /dc:dc2.domain.local /nowrap
Proof of the salt
Here is an output of a DCSync showing the SAMAccountName is DC2 but the salt is still the original computername.
Seems good to me, any objections @0xe7 ?
yeah, looks good, it's because the salt is generated from the dnshostname, which doesn't change when you change the samaccountname.
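As an added illustration of the point above (example code, not part of Rubeus or this PR), a small audit that flags computer objects whose sAMAccountName no longer matches the dNSHostName the AES salt is derived from, or lacks the trailing `$`. The record shape and the sample records are assumptions/constructed data; the salt format follows MS-KILE (uppercase realm + "host" + lowercase FQDN).

```python
# Added example, not Rubeus code. Flag computer accounts whose sAMAccountName
# no longer matches the dNSHostName the Kerberos AES salt is derived from.
# Record shape (dicts with LDAP attribute names) is an assumption.

def expected_aes_salt(dns_host_name: str) -> str:
    """AES salt for a computer account per MS-KILE: UPPERCASE realm + "host"
    + lowercase FQDN. It is built from dNSHostName, so renaming the
    sAMAccountName leaves the salt, and therefore the AES keys, unchanged."""
    host, _, realm = dns_host_name.lower().partition(".")
    return realm.upper() + "host" + host + "." + realm

def audit_computer_accounts(records):
    """Return [(sAMAccountName, dNSHostName, reasons)] for suspicious computer objects."""
    findings = []
    for rec in records:
        if "computer" not in rec.get("objectClass", []):
            continue  # only computer objects carry a host-derived salt
        sam, dns = rec.get("sAMAccountName", ""), rec.get("dNSHostName", "")
        reasons = []
        if not sam.endswith("$"):
            reasons.append("computer sAMAccountName lacks trailing '$'")
        if dns and sam.rstrip("$").lower() != dns.split(".")[0].lower():
            reasons.append("sAMAccountName differs from dNSHostName host label; "
                           "AES salt is still " + expected_aes_salt(dns))
        if reasons:
            findings.append((sam, dns, reasons))
    return findings

SAMPLE_RECORDS = [  # constructed sample data, not a real directory
    {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": "DC2", "dNSHostName": "comp1.domain.local"},   # renamed
    {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": "WS01$", "dNSHostName": "ws01.domain.local"},  # normal
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "jdoe", "dNSHostName": ""},                    # user, skipped
]

if __name__ == "__main__":
    for sam, dns, reasons in audit_computer_accounts(SAMPLE_RECORDS):
        print(f"{sam!r} ({dns}): " + "; ".join(reasons))
```

Run against a real export by replacing `SAMPLE_RECORDS` with the results of an LDAP search for `(objectClass=computer)` returning `sAMAccountName` and `dNSHostName`.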