ropnop / kerbrute

A tool to perform Kerberos pre-auth bruteforcing
Apache License 2.0

enumuser salt extraction #35

Open monoxgas opened 3 years ago

monoxgas commented 3 years ago

I'm sure there are a few ways to do this, but this was my dirty first attempt to get it working. Essentially Kerberos AES salts used for AS-REQs are case sensitive. See here for more info: https://github.com/GhostPack/Rubeus/pull/36

Obviously the "correct" approach would be to perform a hollow AS-REQ first, extract the salt, then build the encrypted timestamp. That seems like a pain, so I've just altered the enumuser command to return the case-sensitive result in place of the user-supplied name.

Happy to tweak, make changes, but I figured it might be valuable functionality to other people. I assume if it will get merged, a note in the docs/help would be in order.
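The salt sensitivity the PR is built around can be seen directly in the RFC 3962 string-to-key function that every AES Kerberos client runs. The following Go program is an added illustration, not code from the kerbrute project or from this PR: it implements `aes128-cts-hmac-sha1-96` / `aes256-cts-hmac-sha1-96` key derivation with only the standard library (PBKDF2-HMAC-SHA1 is written out inline rather than imported), and shows that the same password with `EXAMPLE.COMalice` versus `EXAMPLE.COMAlice` as salt yields unrelated keys. The `StringToKey` and `StringToKeyIter` names, the realm `EXAMPLE.COM`, the user `alice` and the password are assumptions made for the example; the n-fold constant and the 4096 default iteration count come from RFC 3961/3962.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA1 is a minimal PBKDF2-HMAC-SHA1 (RFC 2898 section 5.2) so the
// example depends on nothing outside the Go standard library.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// nfoldKerberos is 128-fold("kerberos") from RFC 3961 Appendix A. It is the
// same constant for both AES enctypes, so it is precomputed here.
var nfoldKerberos = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// StringToKeyIter is RFC 3962 string-to-key with an explicit iteration count.
// keyLen 16 selects aes128-cts-hmac-sha1-96, 32 selects aes256-cts-hmac-sha1-96.
// The salt is used as a raw byte string: the KDC decides its exact form
// (normally REALM + principal name in the case the directory stores), and a
// client that guesses the case wrong derives a key the KDC cannot verify.
func StringToKeyIter(password, salt string, iterations, keyLen int) ([]byte, error) {
	if keyLen != 16 && keyLen != 32 {
		return nil, fmt.Errorf("unsupported AES key length %d", keyLen)
	}
	tmp := pbkdf2SHA1([]byte(password), []byte(salt), iterations, keyLen)
	c, err := aes.NewCipher(tmp)
	if err != nil {
		return nil, err
	}
	// DK(tmp, "kerberos"): the derivation constant is exactly one AES block,
	// so CTS mode degenerates to a single raw block encryption. For AES-256 the
	// second half is the encryption of the first half (RFC 3961 section 5.1).
	k1 := make([]byte, aes.BlockSize)
	c.Encrypt(k1, nfoldKerberos)
	if keyLen == 16 {
		return k1, nil
	}
	k2 := make([]byte, aes.BlockSize)
	c.Encrypt(k2, k1)
	return append(k1, k2...), nil
}

// StringToKey uses the RFC 3962 default of 4096 iterations, which is what a
// client must assume when the KDC sends no s2kparams in PA-ETYPE-INFO2.
func StringToKey(password, salt string, keyLen int) ([]byte, error) {
	return StringToKeyIter(password, salt, 4096, keyLen)
}

func main() {
	// Constructed sample values; only the salt case differs between the two calls.
	const realm, password = "EXAMPLE.COM", "correct horse battery staple"
	for _, user := range []string{"alice", "Alice"} {
		key, err := StringToKey(password, realm+user, 16)
		if err != nil {
			panic(err)
		}
		fmt.Printf("salt %-18q -> aes128 key %s\n", realm+user, hex.EncodeToString(key))
	}
}
```

The two printed keys share no structure even though only one letter of the salt changed, which is why the PR wants the case-preserved principal name that the KDC itself returns rather than the user-supplied spelling.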