Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAN4B415EoOgS55SzuH42SZaxBPEm4HKy2M8f7cdQG_OJgtiJhQ@mail.gmail.com>
Date: Fri, 24 Feb 2017 19:17:02 +0100
From: Luis Rocha <luiscrocha@...il.com>
To: john-users@...ts.openwall.com
Subject: Cracking Kerberos tickets obtained using Kerberoasting technique

Hi,

I was trying to use JtR to obtain a user password by cracking a Kerberos
Ticket that was obtained using the Kerberoasting technique. I saw that the
last version from JtR has the following formats:
$ ./john --list:formats | grep krb5tgs
keyring, keystore, known_hosts, krb4, krb5, krb5pa-sha1, krb5tgs, krb5-18,

and I think the Kerberoasting has been implemented with krb5tgs, right?

However, I got the Kerberos ticket using the technique described here:
http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
At the end William Schroeder writes:

"We now have a nice set hash representations of RC4-HMAC AS-REPs, each of
which are encrypted with a user’s password. We should now be able to crack
these offline à la Kerberosting (krb5tgs format in John the Ripper), but
remember that despite using the same algorithm and approach as the existing
TGS-REP format, the message type here is 8 instead of 2.

This unfortunately means that existing plugins won’t work, but luckily for
us, all we have to do is change this line to an 8 instead of a 2, remove
some of the specific TGS ASN.1 speedups, and change the format naming. I
have a included a tweaked version of this krb5_asrep_fmt_plug.c plugin with
the ASREPRoast project. Simply drop it into the source folder for
Magnumripper, run the normal build instructions, and you’d good to go for
cracking the output of ASREPRoast.ps1:"

His modified file is here:
https://github.com/HarmJ0y/ASREPRoast/blob/master/krb5_asrep_fmt_plug.c

So, I was trying to change that line on krb5_asrep_fmt_plug.c but I can't
find this file on JtR src directory. I also can't see the krb5asrep format
which is shown on his print screen of JtR output.

Is anyone able to shed some light on which format should I use against the
below hash?


Here is the hash :

$krb5tgs$MSSQLSvc/W2K8-SQL.ville.com:65498
:0F5394CF9746BC8FF5B090F89971816D$2E86C9139CB881C784377C14ABDBF4058EAEEB19476B0E54DCBD0599C6C349F96513419D80B73DE389890BA1F67E94A1F5D9F29AA36D3CFC86C6B047AFD57173C723388A1F88EC80E2575DEE2A42F5A1C4FC39BE69A303CE12328CE6B6E17CB7660312A93774C48FF972FDB29557C201126AEBFD5F1D0CA116CC9F5A1B7F7A0847486A988663171441D9E0778CEB160FCCD69E194BD6E350CD10F39628414A54629A0E3F170B7BEC339EC4EE89DB0EB558AD4AFD086E0CB90F35B596FC89D81E4F18D75DBA84246D2B5E446099F80714D88A251C4E1CE31682D2EC754AC0A2FB0BA56C93C075722318F1152041BC0A0EF558EFA1A2B56043DF12596F7F0880643787FDE2DB55A4153C183CDA692B23B4EE796488D04BBD10B91E51A5F2D0753902E95534FD73433D1AD268F5CAA67E2436E7A722451E8BB07E148928F4C8C416151E440FA99C03543BF21C30E5FD299C31CCB91A058B650AA07C89E84545A84A437BB215E68DF7627F90AD1766E6F0CA31858D023376ACF1CF06FACA36E4054ACCEAE001AB5AC96C8BA4E2A6D285CA837A2B9BBAA9ED4A92A27AE285B67F2198F0461697967826A916D2955707BDE3AF57E3C71330E3CEF292C273EF274379AED1D9117C07C245C0054A3BEB4E5DC3A4B960FAE326D5F1A7FA517327C514AB4F33B9C2942F15A0B453FA8226EE6BDD2310DA2DA169724041DD3FCE4BAFF594F37EE6C8D1B62DA27D21E7492FE05E7F2C9E4A0D3A9540B9A50C1FA697C6311F2AF31B6E743F01F499C2ECE315AD74C861F379276B8D8A50C41EEA5CB0B2EAC7F011D759B09D2CF0AECAE519EA5A25FAC4CC726AE56CE76136049256E7375FDB2E3EE60F408E28657872514B63DCFF78BF2840E71D9D318620409F2BA171A6CB8F05B56FA1F0C39FD91284FAA497DF8E1A053160FB48B75F4DDF94C9F67BB6A248CD5008931A5BA5768D51430B0A8F8F43C928D1A693725F4787999322C59FEC3563FDC9BDAE5981F1398A843BF4258433D4F79AD5FEA293926DE05DCB60668D349650E015CE3E17B1860DEA3989BD87F698C5DC9DECE7E4733BA069DFA86E8DDC02E13C6DE02724DD7D6FA48F25984C1666341A61C4008DD66E6A072A278ED6F009A3A3C0A48946B8D7CE7C22E1009CB6D482A7F3B7105990A1770FAE62B2E28281EE5ADE79149A8E8A8EFC77EDFD1308F4BA7F1142F5FA0A73D08EC9A3391CBBFB30C586E001DB0FBDA98D3FDAF6751180674C8C097AED64AD870568FD4EC55CE9AFBDB301954B14115DF691213483825286B4C5F86F5BD71D99AE757E4D8C17420B73A4BF37E8584141C5055DC38CA76C16536E85C5B3E88FBAC95E626391569DE6B0D9DA0CB0BCE65926927FB37F892A059BE16E064EC2FFF275B976540B017F18553756CF3E6F2FE5A08BF8FD8CCA8814EBAE6124FC766BCC93EEB375C19E


Thank you,
Luis

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.