Invalid Type 17/18 Kerberoast hashes

[C-Sto]

Set up a SPN in a test lab with:

net user roastme /add /domain
net user roastme password
setspn.exe -S roast/duck roastme

then set the supported type to aes128 and aes256 in aduc boxy thing

Hashes are below - one retrieved using /SPN and the other with /user . (as I originally thought that it was the lack of user/domain that was breaking it)

Type 23 works fine with exact same account (using tgtdeleg).

hashcat version 6.2.5 fails to crack the things - cli used: -m 19700 -a 3 'passwor?a' --potfile-disable

$krb5tgs$18$*USER$DOMAIN$*roast/duck*$106A2393690E08F57A2601EC$6ECBFD095BEB88D27E00DED937A62CA8F10C3A38EEA48181C55B13ED1266DEC59DEFB17099D08B116C2616F3D4A9D1A67208DA8CE6A1F25269E42A375799071D73E1BC7C87A74E2B011EDE72BB9487A4B41A256972174E4308479E3B7B852F3C86CEE161093200A45530294292033BDC2ADE9C0A48B23371ED4A28495E89FBBEE337013974955227AB85CC050AF81666ABEFC3A4E946CCC6C6183ECAB72A12F57365F0315AD8EDFAB4DD095D5156A49F38C7EDDBAFC85DB04E183208A0593858EEEEC75A406272B5B5FB9050A87403A9A651A56A6999CB7BC26EECAF6489487DAA1B64008EEA29F0248D676874555E52D220274A55583303FD1DC05A582A6BFA308D8A9BBB85D26569417D3AD493EB671AF8E812814DCDFD610D8EE82A7E7F832D5B9436D89D0F1715ACCFEEAFD094D1E52168D410244CDEEF60D0BF418BFACFE38891855C29FEC723F02A94051108DC995B534C18DF840DB2ABCD8077BB7ECBE4FAE176172FCD507FAE5FB72CEC2A77B19997EB45BDE0B89706AD5C077B71A9F38132451D85B049E59D9D2E2981686A9D05632A8BC6552AA570CC5650D30B59BA81FA37AA45789EB2EB1FD0BF8EFA5F61AC47800CC014F912761E811BCD84AE5579AADA92E95651DD78BEA2AB3D39E64E10707B819092C9C4A753B6B52B8450A269BD6FBB8967B2279E99E109FD6ACB4469EBCA1DEA36FEDE53B877EFED5E96BBC3A25CA261304BF1EB8BE7DE1DD2C0E3A6162963E5D79E0A80879B563D087EE4C4822BA5EC35E25F32D4339E9C9E281439B65F64F58354FC8E5C49A358F0015040B52B2422392D7DCB737950D5A6293D60F11213499EBBBD308E07B1986C2AC95EDA3BCAE41C978952D99EDF3F6D1E89281110F135878206F8BB6B39C983EAD5202AB8E084796125F2B52F1D800E48097E28FF8109C6E77E4961DE36E7241655074835249D46A31393944F2B53E16C5A9452F01C3D1AD2081CFE3976BA6CEFCA4C7D6761CADA3AC275F59A61E81CF13A9B27E73AFDD88A242779A5CB7E1898409C98A5288DDDD3003812DA786AB9FFF0CFB3EF4497ED8892F035D28A10B67B5B329D8FB8614854D7794BEFFD4874BC4D7113288DAC28C83E6AC2F426F9D06B3989827F09CDAFF36F64B38720D78CAFED096FC4197DCF2FBA2850F140732E9EA95B9716784FA98B15DA00A4E20F3F31C97EEC36C4583EB4CA5157C308BA4FE003A9FF483356D93F9090D2E7C7BC2D37008D290C642C199CCD5698A13414917BBAA907BA97864E45026B63376912EC991915E17B33CF4208F454EC52EDADFE4F5CC74F39690E31EA01BD6CF3D1E81DE49D6BF718C2639F0DC06C74E33273580A98E27B957995411CD6EE7EF5D101462578EDDD57F9C8626B08C5F5CD895E7C9BA7CA3E97C32CF01C101CC6E1941589761D69E04E10DEFEC782E75A21131DDF69F005C6761F7504D882277CEF9858A47D825063042F5C3F987DE86E5E49C75FFDE076DF482F86083028
$krb5tgs$18$*roastme$windomain.local$*roast/[email protected]*$106A2393690E08F57A2601EC$6ECBFD095BEB88D27E00DED937A62CA8F10C3A38EEA48181C55B13ED1266DEC59DEFB17099D08B116C2616F3D4A9D1A67208DA8CE6A1F25269E42A375799071D73E1BC7C87A74E2B011EDE72BB9487A4B41A256972174E4308479E3B7B852F3C86CEE161093200A45530294292033BDC2ADE9C0A48B23371ED4A28495E89FBBEE337013974955227AB85CC050AF81666ABEFC3A4E946CCC6C6183ECAB72A12F57365F0315AD8EDFAB4DD095D5156A49F38C7EDDBAFC85DB04E183208A0593858EEEEC75A406272B5B5FB9050A87403A9A651A56A6999CB7BC26EECAF6489487DAA1B64008EEA29F0248D676874555E52D220274A55583303FD1DC05A582A6BFA308D8A9BBB85D26569417D3AD493EB671AF8E812814DCDFD610D8EE82A7E7F832D5B9436D89D0F1715ACCFEEAFD094D1E52168D410244CDEEF60D0BF418BFACFE38891855C29FEC723F02A94051108DC995B534C18DF840DB2ABCD8077BB7ECBE4FAE176172FCD507FAE5FB72CEC2A77B19997EB45BDE0B89706AD5C077B71A9F38132451D85B049E59D9D2E2981686A9D05632A8BC6552AA570CC5650D30B59BA81FA37AA45789EB2EB1FD0BF8EFA5F61AC47800CC014F912761E811BCD84AE5579AADA92E95651DD78BEA2AB3D39E64E10707B819092C9C4A753B6B52B8450A269BD6FBB8967B2279E99E109FD6ACB4469EBCA1DEA36FEDE53B877EFED5E96BBC3A25CA261304BF1EB8BE7DE1DD2C0E3A6162963E5D79E0A80879B563D087EE4C4822BA5EC35E25F32D4339E9C9E281439B65F64F58354FC8E5C49A358F0015040B52B2422392D7DCB737950D5A6293D60F11213499EBBBD308E07B1986C2AC95EDA3BCAE41C978952D99EDF3F6D1E89281110F135878206F8BB6B39C983EAD5202AB8E084796125F2B52F1D800E48097E28FF8109C6E77E4961DE36E7241655074835249D46A31393944F2B53E16C5A9452F01C3D1AD2081CFE3976BA6CEFCA4C7D6761CADA3AC275F59A61E81CF13A9B27E73AFDD88A242779A5CB7E1898409C98A5288DDDD3003812DA786AB9FFF0CFB3EF4497ED8892F035D28A10B67B5B329D8FB8614854D7794BEFFD4874BC4D7113288DAC28C83E6AC2F426F9D06B3989827F09CDAFF36F64B38720D78CAFED096FC4197DCF2FBA2850F140732E9EA95B9716784FA98B15DA00A4E20F3F31C97EEC36C4583EB4CA5157C308BA4FE003A9FF483356D93F9090D2E7C7BC2D37008D290C642C199CCD5698A13414917BBAA907BA97864E45026B63376912EC991915E17B33CF4208F454EC52EDADFE4F5CC74F39690E31EA01BD6CF3D1E81DE49D6BF718C2639F0DC06C74E33273580A98E27B957995411CD6EE7EF5D101462578EDDD57F9C8626B08C5F5CD895E7C9BA7CA3E97C32CF01C101CC6E1941589761D69E04E10DEFEC782E75A21131DDF69F005C6761F7504D882277CEF9858A47D825063042F5C3F987DE86E5E49C75FFDE076DF482F86083028

[CCob]

Rubeus makes some assumptions regarding the Kerberos salt. If the salt doesn't match the salt stored in AD it will fail to crack. Easy way to see the salt for the account is to issue and asktgt with the /opsec flag

[trietend]

We also faced this issue using impacket (see fortra/impacket#1772 and fortra/impacket#1773).
Using the upn instead of the sAMAccountName gives better results. The upn used on the creation will be stored as the salt, even if the upn was changed afterwards.