I know that hashcat is the default, however during some testing I discovered that the John output from Powerview(Dev Branch) is incompatible with the current versions of JtR. This issue also applies to other Invoke-Kerberoast scripts forked from harmj0y original work.
Currently this is the JtR output format (taken from line 2475 of powerview.ps1) :
[ # JTR jumbo output format - $krb5tgs$SPN/machine.testlab.local:63386d22d359fe... ]
I know that hashcat is the default, however during some testing I discovered that the John output from Powerview(Dev Branch) is incompatible with the current versions of JtR. This issue also applies to other Invoke-Kerberoast scripts forked from harmj0y original work.
Currently this is the JtR output format (taken from line 2475 of powerview.ps1) : [ # JTR jumbo output format - $krb5tgs$SPN/machine.testlab.local:63386d22d359fe... ]
Found the ultimate fix for the issue to be that the string " $krb5tgs$23$ " needed to be appended after the username but in front of the hash - This issue thread on the JtR github helped: https://github.com/magnumripper/JohnTheRipper/issues/2027#issuecomment-303298908
The JtR output should look something like this: [ # JTR jumbo output format - $krb5tgs$SPN/machine.testlab.local:$krb5tgs$23$63386d22d359fe... ]
Hope this helps anyone else having this problem