Open evilmog opened 1 month ago
Thanks for the bug report!
@evilmog what commands are you running? This is working in my lab via nxc ldap $IP -u $USERNAME -p $PASSWORD --kerberoast kerberoast.txt
The extraction works but it’s not in a format hashcat can process if there’s a domain SPN, whenever you try to crack them with hashcat it will throw a length error as it doesn’t match the hashcat parser.
This is why I gave the links to what hashcat expects,
The SPN needs to be wrapped in $*SPN*$ not $SPN$, I verified that with the hashcat dev team (note that I am on team hashcat).
On Tue, May 14, 2024 at 13:03 Marshall Hallenbeck wrote:
> @evilmog what commands are you running? This is working in my lab via nxc ldap $IP -u $USERNAME -p $PASSWORD --kerberoast kerberoast.txt
Hello @evilmog, I'm a bit surprised by this one, why is the hash from @Marshall-Hallenbeck wrong?
Describe the bug
Kerberoast etype 23, etype 17, and etype 18 do not match the hashcat parser. The hashcat parser expects this format (example for type 18).
A sanitized example:
$krb5tgs$18$USERNAME$REALM.EXAMPLE$REALM.example/USERNAME$ (bad)
vs
$krb5tgs$18$USERNAME$REALM.EXAMPLE$*REALM.example/USERNAME*$ (good)
Notice the * around the SPN, this is required for hashcat parsing, otherwise you get an error in the hashcat parser for all kerberoasting modes.
Lines 66, 75, 84, and 93 in nxc/protocols/ldap/kerberos.py show this issue.
To Reproduce
Perform a kerberoast attack against a domain, extract hashes and then try to crack with hashcat, you will get an error.
Expected behavior
this should apply for all 3 kerberoasting hash types
NetExec info
Installed from: github
Details on the parser
19700 etype 18
19600 etype 17
13100 etype 23
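
A regression check for the format described in this issue, as an added example (not NetExec or hashcat code). It flags output lines whose SPN field lacks the surrounding `*`, using the two sanitized lines from the issue as input; the function names are hypothetical, etype 17 is assumed to share the etype 18 layout shown above, and etype 23 is reported as unchecked because the issue gives no sample line for it.

```python
import re

# Hashcat modes named in the issue, keyed by Kerberos etype.
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

# Layout of the issue's etype 18 sample: $krb5tgs$<etype>$<user>$<realm>$<SPN field>$
# Assumption: user and realm contain no '$' character.
PREFIX = re.compile(r"^\$krb5tgs\$(\d+)\$([^$]+)\$([^$]+)\$")

# The issue shows a sample line only for etype 18; etype 17 is assumed to share
# that layout, and etype 23 is reported as unchecked rather than guessed at.
CHECKED_ETYPES = {17, 18}


def check_line(line):
    """Classify one output line as 'ok', 'bad' or 'unchecked', with a reason."""
    line = line.strip()
    m = PREFIX.match(line)
    if not m:
        return ("unchecked", "not a $krb5tgs$ line")
    etype = int(m.group(1))
    if etype not in CHECKED_ETYPES:
        return ("unchecked", f"etype {etype}: no sample layout in the issue")
    spn_field = line[m.end():]
    mode = HASHCAT_MODE[etype]
    if not spn_field.startswith("*"):
        return ("bad", f"etype {etype} (mode {mode}): SPN not wrapped in *")
    if "*$" not in spn_field[1:]:
        return ("bad", f"etype {etype} (mode {mode}): SPN has no closing *")
    return ("ok", f"etype {etype} (mode {mode}): SPN wrapped in *")


def find_bad_lines(text):
    """Return [(line_number, reason)] for every line flagged 'bad'."""
    bad = []
    for number, line in enumerate(text.splitlines(), start=1):
        status, reason = check_line(line)
        if status == "bad":
            bad.append((number, reason))
    return bad


# The two sanitized sample lines from the issue, as given there.
SAMPLE = (
    "$krb5tgs$18$USERNAME$REALM.EXAMPLE$REALM.example/USERNAME$\n"
    "$krb5tgs$18$USERNAME$REALM.EXAMPLE$*REALM.example/USERNAME*$\n"
)

if __name__ == "__main__":
    for number, reason in find_bad_lines(SAMPLE):
        print(f"line {number}: {reason}")
```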