NetExec
Output issue with kerberoast hashes, does not match hashcat format
Describe the bug
Kerberoast etype 23, etype 17, and etype 18 do not match the hashcat parser. The hashcat parser expects this format (example for type 18):
/**
* $krb5tgs$18$*user*realm*$checksum$edata2
* $krb5tgs$18$*user*realm*spn*$checksum$edata2
*/
A sanitized example:
$krb5tgs$18$USERNAME$REALM.EXAMPLE$REALM.example/USERNAME$
(bad) vs
$krb5tgs$18$USERNAME$REALM.EXAMPLE$*REALM.example/USERNAME*$
(good)
Notice the * around the SPN; this is required for hashcat parsing, otherwise you get an error in the hashcat parser for all kerberoasting modes.
Lines 66, 75, 84, and 93 in nxc/protocols/ldap/kerberos.py show this issue.
To Reproduce
Perform a kerberoast attack against a domain, extract hashes and then try to crack with hashcat; you will get an error.
Expected behavior
hashcat.exe --identify 'kerberoasthash here'
The following hash-mode match the structure of your input hash:
# | Name | Category
======+=====================================================+======================================
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocols
This should apply for all 3 kerberoasting hash types.
NetExec info
- OS: Kali
- Version of nxc: latest
- Installed from: github
** Details on the parser ** 19700 etype 18
"$krb5tgs$18$srv_http$synacktiv.local$16ce51f6eba20c8ee534ff8a$57d07b23643a516834795f0c010da8f549b7e65063e5a367ca9240f9b800adad1734df7e7d5dd8307e785de4f40aacf901df41aa6ce695f8619ec579c1fa57ee93661cf402aeef4e3a42e7e3477645d52c09dc72feade03512dffe0df517344f673c63532b790c242cc1d50f4b4b34976cb6e08ab325b3aefb2684262a5ee9faacb14d059754f50553be5bfa5c4c51e833ff2b6ac02c6e5d4c4eb193e27d7dde301bd1ddf480e5e282b8c27ef37b136c8f140b56de105b73adeb1de16232fa1ab5c9f6";
"$krb5pa$18$hashcat$HASHCATDOMAIN.COM$96c289009b05181bfd32062962740b1b1ce5f74eb12e0266cde74e81094661addab08c0c1a178882c91a0ed89ae4e0e68d2820b9cce69770";
$krb5tgs$23$*user$realm$test/spn*$b548e10f5694ae018d7ad63c257af7dc$35e8e45658860bc31a859b41a08989265f4ef8afd75652ab4d7a30ef151bf6350d879ae189a8cb769e01fa573c6315232b37e4bcad9105520640a781e5fd85c09615e78267e494f433f067cc6958200a82f70627ce0eebc2ac445729c2a8a0255dc3ede2c4973d2d93ac8c1a56b26444df300cb93045d05ff2326affaa3ae97f5cd866c14b78a459f0933a550e0b6507bf8af27c2391ef69fbdd649dd059a4b9ae2440edd96c82479645ccdb06bae0eead3b7f639178a90cf24d9a";
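The shapes quoted in this report, as an added example (not NetExec or hashcat code): a checker that sorts `$krb5tgs$` lines by how the SPN field is delimited, so the unwrapped form can be spotted before the file is handed to hashcat. The verdict names and the checksum lengths are assumptions inferred from the sample hashes above.

```python
import re

# Shapes below are taken from the examples quoted in this issue, not from
# hashcat's source. Assumption: checksum length (24 hex chars for etype 17/18,
# 32 for etype 23) is inferred from the sample hashes shown on this page.
CHECKSUM_HEX = {"17": 24, "18": 24, "23": 32}
HEX = re.compile(r"[0-9a-fA-F]+")
PREFIX = re.compile(r"\$krb5tgs\$(\d+)\$(.*)")
WRAPPED = re.compile(r"[^$*]+\$[^$*]+\$\*.+\*")   # user$realm$*spn*
STARRED = re.compile(r"\*[^$*]+\$[^$*]+\$.+\*")   # *user$realm$spn*

def classify(line):
    """Return a verdict string for one $krb5tgs$ line."""
    m = PREFIX.fullmatch(line.strip().strip('";'))
    if not m or m.group(1) not in CHECKSUM_HEX:
        return "unsupported"
    # checksum and edata2 are the last two $-separated fields in every shape
    parts = m.group(2).rsplit("$", 2)
    if len(parts) != 3:
        return "truncated"
    head, checksum, edata2 = parts
    if len(checksum) != CHECKSUM_HEX[m.group(1)] or not HEX.fullmatch(checksum):
        return "bad-checksum"
    if not HEX.fullmatch(edata2):
        return "bad-edata2"
    if "*" not in head:
        # user$realm has one '$'; anything beyond that is an SPN without '*'
        return {0: "unrecognized", 1: "no-spn"}.get(head.count("$"), "unwrapped-spn")
    if WRAPPED.fullmatch(head):
        return "wrapped-spn"
    if STARRED.fullmatch(head):
        return "starred-account-spn"
    return "unrecognized"

def flag_unwrapped(lines):
    """Return 1-based numbers of the lines whose SPN lacks the '*' wrapping."""
    return [n for n, l in enumerate(lines, 1) if classify(l) == "unwrapped-spn"]

# Constructed sample lines (hex fields are filler, not real ticket data).
CK, ED = "ab" * 12, "cd" * 40
SAMPLES = [
    f"$krb5tgs$18$USERNAME$REALM.EXAMPLE$REALM.example/USERNAME${CK}${ED}",
    f"$krb5tgs$18$USERNAME$REALM.EXAMPLE$*REALM.example/USERNAME*${CK}${ED}",
    f"$krb5tgs$18$srv_http$synacktiv.local${CK}${ED}",
    f"$krb5tgs$23$*user$realm$test/spn*${'ab' * 16}${ED}",
]
```

An account name that itself contains `$` adds a separator to the head and is reported as `unwrapped-spn`, so flagged lines should be reviewed rather than rewritten blindly.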
Thanks for the bug report!
@evilmog what commands are you running? This is working in my lab via nxc ldap $IP -u $USERNAME -p $PASSWORD --kerberoast kerberoast.txt
The extraction works but it’s not in a format hashcat can process if there’s a domain SPN. Whenever you try to crack them with hashcat it will throw a length error as it doesn’t match the hashcat parser.
This is why I gave the links to what hashcat expects.
The SPN needs to be wrapped in $*SPN*$ not $SPN$; I verified that with the hashcat dev team (note that I am on team hashcat).
On Tue, May 14, 2024 at 13:03 Marshall Hallenbeck @.***> wrote:
@evilmog https://github.com/evilmog what commands are you running? This is working in my lab via nxc ldap $IP -u $USERNAME -p $PASSWORD --kerberoast kerberoast.txt
Hello @evilmog, I'm a bit surprised by this one, why is the hash from @Marshall-Hallenbeck wrong?