Invoke-Kerberoast John output incorrect.

[nterl0k]

I know that hashcat is the default, however during some testing I discovered that the John output from Powerview(Dev Branch) is incompatible with the current versions of JtR. This issue also applies to other Invoke-Kerberoast scripts forked from harmj0y original work.

Currently this is the JtR output format (taken from line 2475 of powerview.ps1) : [ # JTR jumbo output format - $krb5tgs$SPN/machine.testlab.local:63386d22d359fe... ]

Found the ultimate fix for the issue to be that the string " $krb5tgs$23$ " needed to be appended after the username but in front of the hash - This issue thread on the JtR github helped: https://github.com/magnumripper/JohnTheRipper/issues/2027#issuecomment-303298908

The JtR output should look something like this: [ # JTR jumbo output format - $krb5tgs$SPN/machine.testlab.local:$krb5tgs$23$63386d22d359fe... ]

Hope this helps anyone else having this problem

[ottomoto]

I'm having the same issue

[gothburz]

Invoke-Kerberoast -OutputFormat john | Select-Object -ExpandProperty hash |% {$_.replace(':',':$krb5tgs$23$')}