Add hash modes 19600 (krb5tgs enctype 17) and 19700 (krb5tgs enctype 18) #1955
The jtr implementation should also be there soon (cc @kholia)
This addresses issue #1384. Furthermore, since #1386 is a subset of the algorithms implemented within this PR, it would be trivial to create such a new hash format and close that issue as well (I'll do it later). Finally, this implementation could also permit closing #959, as the same algorithms are involved... Later again.
How does it work?
(not so) TL;DR: within a Windows Active Directory environment, registered services (such as MSSQL) rely on a domain account in order to be functional.
So, having a valid domain user account, you can request tickets for accounts having an SPN and try to retrieve the password of the concerned accounts.
Active Directory offers 4 algorithms to generate the encryption key:
I had already implemented enctype 23 back in the day, but enctype 17 and 18 were missing, so here they are!
How can I haz ticketz?
Back in the day I coded a private tool (kerberom) based on the amazing impacket from @asolino. Then other tools became public, and the attack is now within the impacket suite (GetUserSPNs.py).
Guys... we are in 2019... you should now use Managed Service Accounts. If not possible, create a dedicated domain account having a random password!
Provided a rig of 8 GTX 1080Ti:
The performance is not good compared to the RC4 algorithm, but meh, you know... PBKDF2, AES, etc.
@HarmJ0y and @PyroTek3 described all the mechanisms involved in these kinds of attacks. They also give a lot of insights on Active Directory on a global basis. I highly recommend you read their awesome blogs (harmj0y's and PyroTek3's), whether you are a beginner or an experienced Windows administrator/pentester.
I hope you have all the information you need to Kerberoast a bit now.
PS: a big thanks to @skelsec who provided the algorithm and convinced me to implement it in hashcat as I was being lazy...