Output issue with kerberoast hashes, does not match hashcat format

[evilmog]

Describe the bug
Kerberosoast etype 23, etype 17, and etype 18 do not match the hashcat parser. The hashcat parser expects in this format (example for type 18)

/**
   * $krb5tgs$18$*user*realm*$checksum$edata2
   * $krb5tgs$18$*user*realm*spn*$checksum$edata2
   */

A sanitized example:
$krb5tgs$18$USERNAME$REALM.EXAMPLE$REALM.example/USERNAME$ (bad) vs
$krb5tgs$18$USERNAME$REALM.EXAMPLE$*REALM.example/USERNAME*$ (good)

Notice the * around the SPN, this is required for hashcat parsing, otherwise you get an error in the hashcat parser for all kerberosting modes.

Lines 66, 75, 84, and 93 in nxc/protocols/ldap/kerberos.py show this issue.

To Reproduce
Perform a kerberoast attack against a domain, extract hashes and then try to crack with hashcat, you will get an error

Expected behavior

hashcat.exe --identify 'kerberoasthash here'

The following hash-mode match the structure of your input hash:

      # | Name                                                | Category
  ======+=====================================================+======================================
  19700 | Kerberos 5, etype 18, TGS-REP                       | Network Protocols

this should apply for all 3 kerberoasting hash types

NetExec info

• OS: Kali
• Version of nxc: latest
• Installed from: github

** Details on the parser **
19700 etype 18

"$krb5tgs$18$srv_http$synacktiv.local$16ce51f6eba20c8ee534ff8a$57d07b23643a516834795f0c010da8f549b7e65063e5a367ca9240f9b800adad1734df7e7d5dd8307e785de4f40aacf901df41aa6ce695f8619ec579c1fa57ee93661cf402aeef4e3a42e7e3477645d52c09dc72feade03512dffe0df517344f673c63532b790c242cc1d50f4b4b34976cb6e08ab325b3aefb2684262a5ee9faacb14d059754f50553be5bfa5c4c51e833ff2b6ac02c6e5d4c4eb193e27d7dde301bd1ddf480e5e282b8c27ef37b136c8f140b56de105b73adeb1de16232fa1ab5c9f6";

19600 etype 17

"$krb5pa$18$hashcat$HASHCATDOMAIN.COM$96c289009b05181bfd32062962740b1b1ce5f74eb12e0266cde74e81094661addab08c0c1a178882c91a0ed89ae4e0e68d2820b9cce69770";

13100 etype 23

$krb5tgs$23$*user$realm$test/spn*$b548e10f5694ae018d7ad63c257af7dc$35e8e45658860bc31a859b41a08989265f4ef8afd75652ab4d7a30ef151bf6350d879ae189a8cb769e01fa573c6315232b37e4bcad9105520640a781e5fd85c09615e78267e494f433f067cc6958200a82f70627ce0eebc2ac445729c2a8a0255dc3ede2c4973d2d93ac8c1a56b26444df300cb93045d05ff2326affaa3ae97f5cd866c14b78a459f0933a550e0b6507bf8af27c2391ef69fbdd649dd059a4b9ae2440edd96c82479645ccdb06bae0eead3b7f639178a90cf24d9a";

[NeffIsBack]

Thanks for the bug report!

[Marshall-Hallenbeck]

@evilmog what commands are you running? This is working in my lab via nxc ldap $IP -u $USERNAME -p $PASSWORD --kerberoast kerberoast.txt

[evilmog]

The extraction works but it’s not in a format hashcat can process if there’s a domain SPN, whenever you try to crack them with hashcat it will throw a length error as is doesn’t match the hashcat parser. This is why I gave the links to what hashcat expects, The SPN needs be be wrapped in $*SPN*$ not $SPN$, I verified that with the hashcat dev team (note that I am on team hashcat)

…

On Tue, May 14, 2024 at 13:03 Marshall Hallenbeck ***@***.***> wrote: @evilmog <https://github.com/evilmog> what commands are you running? This is working in my lab via nxc ldap $IP -u $USERNAME -p $PASSWORD --kerberoast kerberoast.txt image.png (view on web) <https://github.com/Pennyw0rth/NetExec/assets/1518719/5e5a9748-3525-42c4-bd82-2c52a5d33c0f> image.png (view on web) <https://github.com/Pennyw0rth/NetExec/assets/1518719/7c1488eb-29a4-4120-b574-6a8f38a068bd> — Reply to this email directly, view it on GitHub <#301 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAZBQUUJHGAV5N3JCEJ7ICDZCJNZDAVCNFSM6AAAAABHVBJDCKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJQHE2DQOJTHA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[mpgn]

Hello @evilmog , i'm a bit suprise by this one, why the hash from @Marshall-Hallenbeck is wrong ?