Support for Kerberoasting without pre-authentication and ST request through AS-REQ

[ShutdownRepo]

@0xe7 published some research on how Service Tickets can be requested through AS-REQs. This, among other things, allows for Kerberoasting attacks through an unauthenticated position by relying on a user configured without pre-authentication.

The "Kerberoasting without pre-authentication" process goes as follows:

1. user = a user that doesn't require pre-authentication
2. service = target service (defined by its name or spn) to kerberoast
3. AS-REQ, without pre-auth, as "user", to obtain a ticket for service
4. Ticket obtained can't be used but relevant information can be extracted for cracking attempt to recover the password/NT hash for service

I also modified getTGT.py and the kerberosv5.py lib to allow getTGT to be used to request service tickets.

The Hacker Recipes : https://www.thehacker.recipes/ad/movement/kerberos/kerberoast#kerberoast-w-o-pre-authentication

[ShutdownRepo]

In this implementation, -no-preauth requires the -usersfile argument linking to a file containing sAMAccountNames or SPNs of accounts to Kerberoast. If the -usersfile argument isn't supplied, the script will attempt an LDAP query, but the creds supplied in the command-line will be invalid and an error will be raised. Switching this PR to draft while I (or someone else) implements a quick check making sure -usersfile is supplied when -no-preauth is used.

[ShutdownRepo]

@anadrianmanrique any news here?

[anadrianmanrique]

Hello, this seems to be a nice improvement for kerbroasting!
In the meanwhile, both GetUserSPNs.py and kerberosv5.py need to be rebased. After that, I'll be able to start code reviewing/testing it.

[ShutdownRepo]

Hello, this seems to be a nice improvement for kerbroasting! In the meanwhile, both GetUserSPNs.py and kerberosv5.py need to be rebased. After that, I'll be able to start code reviewing/testing it.

should be good to go now

[anadrianmanrique]

test are failing:
./impacket/krb5/kerberosv5.py:127:32: F821 undefined name 'service' serverName = Principal(service, type=constants.PrincipalNameType.NT_PRINCIPAL.value) ^ 1 F821 undefined name 'service'

[ShutdownRepo]

test are failing: ./impacket/krb5/kerberosv5.py:127:32: F821 undefined name 'service' serverName = Principal(service, type=constants.PrincipalNameType.NT_PRINCIPAL.value) ^ 1 F821 undefined name 'service'

my bad... fixed now, pipeline ends successfully

[anadrianmanrique]

Have you summited any changes? I've been requested to review changes but I don't see any new

[ShutdownRepo]

Have you summited any changes? I've been requested to review changes but I don't see any new

Indeed, the changes were not pushed for some reason, probably a layer 8 issue
Pushed c31f771 now

[anadrianmanrique]

Have you summited any changes? I've been requested to review changes but I don't see any new

Indeed, the changes were not pushed for some reason, probably a layer 8 issue Pushed c31f771 now

no worries, I'll start the testing process