Pennyw0rth / NetExec

The Network Execution Tool
https://netexec.wiki/
BSD 2-Clause "Simplified" License

Output issue with kerberoast hashes, does not match hashcat format #301

Open evilmog opened 1 month ago

evilmog commented 1 month ago

Describe the bug Kerberoast etype 23, etype 17, and etype 18 do not match the hashcat parser. The hashcat parser expects this format (example for etype 18):

/**
   * $krb5tgs$18$*user*realm*$checksum$edata2
   * $krb5tgs$18$*user*realm*spn*$checksum$edata2
   */

A sanitized example: $krb5tgs$18$USERNAME$REALM.EXAMPLE$REALM.example/USERNAME$ (bad) vs $krb5tgs$18$USERNAME$REALM.EXAMPLE$*REALM.example/USERNAME*$ (good)

Notice the * around the SPN; this is required for hashcat parsing, otherwise you get an error in the hashcat parser for all kerberoasting modes.

Lines 66, 75, 84, and 93 in nxc/protocols/ldap/kerberos.py show this issue.

To Reproduce Perform a kerberoast attack against a domain, extract the hashes and then try to crack them with hashcat; you will get an error.

Expected behavior

hashcat.exe --identify 'kerberoasthash here'

The following hash-mode match the structure of your input hash:

      # | Name                                                | Category
  ======+=====================================================+======================================
  19700 | Kerberos 5, etype 18, TGS-REP                       | Network Protocols

this should apply for all 3 kerberoasting hash types

NetExec info

19600 etype 17

"$krb5pa$18$hashcat$HASHCATDOMAIN.COM$96c289009b05181bfd32062962740b1b1ce5f74eb12e0266cde74e81094661addab08c0c1a178882c91a0ed89ae4e0e68d2820b9cce69770";

13100 etype 23

$krb5tgs$23$*user$realm$test/spn*$b548e10f5694ae018d7ad63c257af7dc$35e8e45658860bc31a859b41a08989265f4ef8afd75652ab4d7a30ef151bf6350d879ae189a8cb769e01fa573c6315232b37e4bcad9105520640a781e5fd85c09615e78267e494f433f067cc6958200a82f70627ce0eebc2ac445729c2a8a0255dc3ede2c4973d2d93ac8c1a56b26444df300cb93045d05ff2326affaa3ae97f5cd866c14b78a459f0933a550e0b6507bf8af27c2391ef69fbdd649dd059a4b9ae2440edd96c82479645ccdb06bae0eead3b7f639178a90cf24d9a";
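A normaliser for the three layouts quoted in this thread, written as an added example here (it is not NetExec or hashcat code). It peels the two hex fields off the right of the line, re-emits the `*` markers where hashcat wants them (around `user$realm$spn` for etype 23, around the SPN alone for etype 17/18, where the SPN may also be absent), and refuses lines it cannot place. The checksum widths it enforces (16 bytes for RC4-HMAC, 12 bytes for the AES HMAC-SHA1-96 etypes) come from the Kerberos encryption types, not from this issue; the sample lines and their hex are constructed and far shorter than a real TGS-REP.

```python
"""Rewrite $krb5tgs$ lines into the star layout hashcat's krb5tgs modes parse.

Added example, not NetExec or hashcat code. Target layouts are the ones quoted
in the issue:
  etype 23 (13100):     $krb5tgs$23$*user$realm$spn*$checksum$edata2
  etype 17/18 (19600/19700):
                        $krb5tgs$18$user$realm$*spn*$checksum$edata2
                        $krb5tgs$18$user$realm$checksum$edata2   (no SPN)
Checksum widths are assumed from the Kerberos etypes: 16-byte RC4-HMAC for
etype 23, 12-byte HMAC-SHA1-96 for etypes 17 and 18.
"""
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")
CHECKSUM_HEX_LEN = {"23": 32, "17": 24, "18": 24}

# Constructed sample material; real edata2 blobs run to hundreds of bytes.
CS18 = "00112233445566778899aabb"            # 24 hex chars, etype 17/18
CS23 = "b548e10f5694ae018d7ad63c257af7dc"    # 32 hex chars, etype 23
ED = "deadbeef" * 4


def parse_kerberoast(line):
    """Split one $krb5tgs$ line into etype/user/realm/spn/checksum/edata2.

    Tolerates the missing '*' markers this issue reports and returns spn=None
    when the line carries no SPN. Raises ValueError for anything it cannot
    place unambiguously instead of guessing.
    """
    line = line.strip()
    if not line.startswith("$krb5tgs$"):
        raise ValueError("not a $krb5tgs$ line (pre-auth $krb5pa$ lines are a different mode)")
    # The last two fields are always hex, so peel them off from the right; that
    # keeps '/' and ':' inside an SPN such as MSSQLSvc/host:1433 out of the way.
    head, checksum, edata2 = line.rsplit("$", 2)
    _, _, etype, rest = head.split("$", 3)
    if etype not in CHECKSUM_HEX_LEN:
        raise ValueError(f"unsupported etype {etype}")
    fields = rest.split("$")
    # A sAMAccountName ending in '$' (computer accounts) yields an empty field
    # here because '$' is the delimiter; refuse rather than misassign it.
    if len(fields) not in (2, 3) or any(f == "" for f in fields):
        raise ValueError(f"cannot place user/realm/spn in {rest!r}")
    fields = [f.strip("*") for f in fields]   # drop stars wherever the tool put them
    user, realm = fields[0], fields[1]
    spn = fields[2] if len(fields) == 3 else None
    for name, value in (("checksum", checksum), ("edata2", edata2)):
        if not HEX.match(value) or len(value) % 2:
            raise ValueError(f"{name} is not even-length hex")
    want = CHECKSUM_HEX_LEN[etype]
    if len(checksum) != want:
        raise ValueError(f"etype {etype} checksum must be {want} hex chars, got {len(checksum)}")
    return {"etype": etype, "user": user, "realm": realm, "spn": spn,
            "checksum": checksum.lower(), "edata2": edata2.lower()}


def to_hashcat(parts):
    """Emit the parsed fields in the star layout hashcat expects for the etype."""
    etype = parts["etype"]
    if etype == "23":
        # 13100: the stars wrap the whole user$realm$spn run, as in hashcat's
        # own example; an SPN field is always emitted (empty if none was given).
        ident = f"*{parts['user']}${parts['realm']}${parts['spn'] or ''}*"
    else:
        # 19600/19700: the stars wrap only the SPN, and the SPN is optional.
        ident = f"{parts['user']}${parts['realm']}"
        if parts["spn"]:
            ident += f"$*{parts['spn']}*"
    return f"$krb5tgs${etype}${ident}${parts['checksum']}${parts['edata2']}"


def normalize(line):
    """Parse and re-emit; returns the input unchanged if it was already right."""
    return to_hashcat(parse_kerberoast(line))


def rejected(line):
    """True if normalize() refuses the line (used to check the failure modes)."""
    try:
        normalize(line)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The "bad" etype 18 line from the issue (SPN without stars) and a few more.
    for sample in (
        f"$krb5tgs$18$USERNAME$REALM.EXAMPLE$REALM.example/USERNAME${CS18}${ED}",
        f"$krb5tgs$17$svc_sql$CORP.EXAMPLE${CS18}${ED}",
        f"$krb5tgs$23$user$realm$test/spn${CS23}${ED}",
    ):
        print(normalize(sample))
```

Run it over a NetExec output file line by line and write only what `normalize` returns; a line that raises is worth inspecting by hand, since the most likely causes (a `$` inside the account name, a pre-auth line mixed into the TGS output, a checksum of the wrong width for the etype) are exactly the ones hashcat's length checks will also trip on.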
NeffIsBack commented 1 month ago

Thanks for the bug report!

Marshall-Hallenbeck commented 1 month ago

@evilmog what commands are you running? This is working in my lab via nxc ldap $IP -u $USERNAME -p $PASSWORD --kerberoast kerberoast.txt



evilmog commented 1 month ago

The extraction works but it's not in a format hashcat can process if there's a domain SPN; whenever you try to crack them with hashcat it will throw a length error, as it doesn't match the hashcat parser.

This is why I gave the links to what hashcat expects.

The SPN needs to be wrapped in $*SPN*$ not $SPN$, I verified that with the hashcat dev team (note that I am on team hashcat).

On Tue, May 14, 2024 at 13:03 Marshall Hallenbeck @.***> wrote:

@evilmog https://github.com/evilmog what commands are you running? This is working in my lab via nxc ldap $IP -u $USERNAME -p $PASSWORD --kerberoast kerberoast.txt

mpgn commented 1 month ago

Hello @evilmog, I'm a bit surprised by this one, why is the hash from @Marshall-Hallenbeck wrong?