fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

[GetUserSPNs.py] wrong Salt for AES hashes (etype 17 and 18) #1772

Open trietend opened 2 weeks ago

trietend commented 2 weeks ago

Configuration

impacket version: v0.12.0.dev1+20240327.181547.f8899e65 Python version: 3.10.12

Command

./GetUserSPNs.py DOMAIN\USER:PASS -request
$krb5tgs$18$thisisaveryverylongu$EMEA.ATT.LAB$*emea.att.lab/thisisaveryverylongu*$d8dada0038584e98c5b9c918$…

Additional context

We discovered an issue with the TGS hashes with etype 17 (AES-128) and etype 18 (AES-256). The hashes returned by GetUserSPNs.py are built using the sAMAccountName as the result, which seems not to be correct.

The first hash shown below is the output of GetUserSPNs.py, which could not be recovered by hashcat. For the second hash we only changed the salt from thisisaveryverylongu to thisisaveryverylongusername. This hash could be recovered. (Password123)

$krb5tgs$18$thisisaveryverylongu$EMEA.ATT.LAB$*emea.att.lab/thisisaveryverylongu*$d8dada0038584e98c5b9c918$…
$krb5tgs$18$thisisaveryverylongusername$EMEA.ATT.LAB$*emea.att.lab/thisisaveryverylongu*$d8dada0038584e98c5b9c918$…

Our first guess was that the UPN has to be parsed instead of the sAMAccountName. After implementing this fix, we got better results. But after digging deeper into the issue, we noticed that the UPN is also not the correct value here. If we changed the UPN, the old value was still used as the salt. We could not find a way to query the salt in the AD.

@dirkjanm then told us that you can retrieve the salt by requesting a TGT for this user without credentials with getTGT.py -no-pass EMEA.ATT.LAB/thisisaveryverylongu. This gives us the correct salt as shown in the picture below.

[image: querying salt]

Steps to reproduce

  1. Create a user with a name longer than 20 characters (sAMAccountName is truncated to 20 characters)
  2. Activate AES encryption on user creation
  3. Set a SPN
  4. Kerberoast the account
  5. Change the UPN
  6. Kerberoast the account again
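As an added example (not impacket's own code), a small parser for the $krb5tgs$17/$krb5tgs$18 line format that GetUserSPNs.py prints, with a check that flags a salt field that is exactly a 20-character sAMAccountName and a helper for the one-field salt rewrite described in the issue. The edata portion of the sample line is constructed dummy hex; the other fields are taken from the issue.

```python
import re
from dataclasses import dataclass, replace

# Layout of the lines GetUserSPNs.py prints for AES service tickets:
#   $krb5tgs$<etype>$<salt>$<REALM>$*<spn>*$<checksum hex>$<edata hex>
# The second field is the one this issue is about: the cracker feeds it to the
# AES string-to-key function, so it must be the salt the KDC actually used when
# the service account's AES key was created, not the 20-char sAMAccountName.
_LINE_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<salt>[^$]+)\$(?P<realm>[^$]+)\$"
    r"\*(?P<spn>[^*]+)\*\$(?P<checksum>[0-9a-f]{24})\$(?P<edata>[0-9a-f]+)$"
)

SAM_ACCOUNT_NAME_MAX = 20  # AD truncates sAMAccountName to this length


@dataclass(frozen=True)
class Krb5TgsAes:
    etype: int
    salt: str
    realm: str
    spn: str
    checksum: str  # HMAC-SHA1-96 checksum, 12 bytes as hex
    edata: str     # encrypted ticket part as hex

    def render(self) -> str:
        return (f"$krb5tgs${self.etype}${self.salt}${self.realm}$*{self.spn}*"
                f"${self.checksum}${self.edata}")


def parse_krb5tgs_aes(line: str) -> Krb5TgsAes:
    m = _LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a $krb5tgs$17/$18 line")
    return Krb5TgsAes(int(m["etype"]), m["salt"], m["realm"], m["spn"],
                      m["checksum"], m["edata"])


def salt_may_be_truncated(h: Krb5TgsAes) -> bool:
    # Heuristic from the issue: a salt of exactly 20 chars that is also the
    # account part of the SPN is likely a sAMAccountName that was cut off.
    return len(h.salt) == SAM_ACCOUNT_NAME_MAX and h.spn.endswith("/" + h.salt)


def with_salt(h: Krb5TgsAes, salt: str) -> str:
    # Rewrites only the salt field; checksum and edata stay as captured.
    return replace(h, salt=salt).render()


def differing_fields(a: str, b: str) -> set[str]:
    ha, hb = parse_krb5tgs_aes(a), parse_krb5tgs_aes(b)
    return {f for f in ha.__dataclass_fields__ if getattr(ha, f) != getattr(hb, f)}


# Constructed sample: fields from the issue, edata replaced by dummy hex.
SAMPLE = ("$krb5tgs$18$thisisaveryverylongu$EMEA.ATT.LAB$*emea.att.lab/thisisaveryverylongu*"
          "$d8dada0038584e98c5b9c918$" + "00" * 16)
```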