-
Notifications
You must be signed in to change notification settings - Fork 382
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Output issue with kerberoast hashes, does not match hashcat format #301
Labels
Comments
Thanks for the bug report! |
@evilmog what commands are you running? This is working in my lab via |
The extraction works but it’s not in a format hashcat can process if
there’s a domain SPN, whenever you try to crack them with hashcat it will
throw a length error as is doesn’t match the hashcat parser.
This is why I gave the links to what hashcat expects,
The SPN needs be be wrapped in $*SPN*$ not $SPN$, I verified that with the
hashcat dev team (note that I am on team hashcat)
…On Tue, May 14, 2024 at 13:03 Marshall Hallenbeck ***@***.***> wrote:
@evilmog <https://github.com/evilmog> what commands are you running? This
is working in my lab via nxc ldap $IP -u $USERNAME -p $PASSWORD
--kerberoast kerberoast.txt
image.png (view on web)
<https://github.com/Pennyw0rth/NetExec/assets/1518719/5e5a9748-3525-42c4-bd82-2c52a5d33c0f>
image.png (view on web)
<https://github.com/Pennyw0rth/NetExec/assets/1518719/7c1488eb-29a4-4120-b574-6a8f38a068bd>
—
Reply to this email directly, view it on GitHub
<#301 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAZBQUUJHGAV5N3JCEJ7ICDZCJNZDAVCNFSM6AAAAABHVBJDCKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJQHE2DQOJTHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Hello @evilmog , i'm a bit suprise by this one, why the hash from @Marshall-Hallenbeck is wrong ? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Kerberosoast etype 23, etype 17, and etype 18 do not match the hashcat parser. The hashcat parser expects in this format (example for type 18)
A sanitized example:
$krb5tgs$18$USERNAME$REALM.EXAMPLE$REALM.example/USERNAME$
(bad) vs$krb5tgs$18$USERNAME$REALM.EXAMPLE$*REALM.example/USERNAME*$
(good)Notice the * around the SPN, this is required for hashcat parsing, otherwise you get an error in the hashcat parser for all kerberosting modes.
Lines 66, 75, 84, and 93 in
nxc/protocols/ldap/kerberos.py
show this issue.To Reproduce
Perform a kerberoast attack against a domain, extract hashes and then try to crack with hashcat, you will get an error
Expected behavior
this should apply for all 3 kerberoasting hash types
NetExec info
** Details on the parser **
19700 etype 18
19600 etype 17
13100 etype 23
The text was updated successfully, but these errors were encountered: