Kerberoasting-Attack / NTLM Hash cracking - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Kerberoasting-Attack / NTLM Hash cracking (/thread-8531.html)
Kerberoasting-Attack / NTLM Hash cracking - SailingTobi - 08-04-2019

Hi all,

I just performed a few Kerberoasting attacks in a lab and extracted the following RC4-HMAC hash:

Code:
$krb5tgs$23$*svc_sql$kirk.enterprises$MSSQLSvc/SECOPS-LAB1-ADC.kirk.enterprises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he password is a random 12 char with lower case, upper case and special chars. I played around with hashcat on a VM with 4 Tesla K80 and did not manage to brute-force the password:
Thanks guys!
Tobi

RE: Kerberoasting-Attack / NTLM Hash cracking - royce - 08-04-2019

If you know for a fact that it's *truly* 12 random characters... then it's not crackable in a reasonable amount of time.

If you do the math: https://www.wolframalpha.com/input/?i=(26%2B26%2B34)%5E12 ... it should be immediately clear why.

RE: Kerberoasting-Attack / NTLM Hash cracking - Mem5 - 08-04-2019

Moreover, why Tesla K80? GTX 2080 Ti are about 10x faster.

I'm not a Kerberos expert, but I don't think you can 'extract' an NTLM hash from a $krb5tgs hash.

RE: Kerberoasting-Attack / NTLM Hash cracking - SailingTobi - 08-04-2019

(08-04-2019, 08:12 PM) royce Wrote:
> If you know for a fact that it's *truly* 12 random characters... then it's not crackable in a reasonable amount of time.

Thank you. I see the point, but how do you define "truly" random? I assume passwords generated by a browser password plugin are not truly random. But: how do you crack them, if you won't invest a huge effort? If there is no (easy) way, why would you use passwords with > 16 chars? (e.g. https://malicious.link/post/2017/05-06-2017-password-magic-numbers/)

(08-04-2019, 11:08 PM) Mem5 Wrote:
> Moreover, why Tesla K80? GTX 2080 Ti are about 10x faster.

I have > 5k USD free credit with Azure for testing purposes :-)

OK, thanks for your feedback!

RE: Kerberoasting-Attack / NTLM Hash cracking - Mem5 - 08-05-2019

(08-04-2019, 11:51 PM) SailingTobi Wrote:
> how do you define "truly" random? I assume passwords generated by a browser password plugin are not truly random.

They are random, but predictable. Are you talking about Dashlane? If yes, the default password is 12 characters using 'just' letters and digits (no symbols). So the hashcat mask would be ?u?l?d.

New equation would be: https://www.wolframalpha.com/input/?i=(26%2B26%2B10)%5E12 still huge..
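The keyspace arithmetic behind the two WolframAlpha links and the ?u?l?d mask above, as an added example that is not code from this thread: a small Python calculator that parses a hashcat mask (built-in charsets, -1 style custom charsets, literal characters) and gives the worst-case time at a hash rate you supply. The hash rate is an assumption; the thread gives no K80 benchmark, and hashcat's ?s is 33 symbols, so the 86-character set in royce's link is not itself a built-in mask.

```python
import string

# Added example (not from the thread): keyspace of a hashcat mask, with the same
# numbers as the WolframAlpha links, plus the run time at an assumed hash rate.

# hashcat's built-in charsets: ?l ?u ?d ?s (32 punctuation marks + space = 33) ?a
BUILTIN = {"l": set(string.ascii_lowercase), "u": set(string.ascii_uppercase),
           "d": set(string.digits), "s": set(" " + string.punctuation)}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]  # 95 chars

def expand_charset(spec):
    """Characters of a custom charset spec such as '?u?l?d' or '?d-_' (as given to -1)."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            chars |= BUILTIN[spec[i + 1]]  # union with a built-in charset
            i += 2
        else:
            chars.add(spec[i])  # literal character in the charset
            i += 1
    return chars

def mask_keyspace(mask, custom=None):
    """Number of candidates a mask generates; custom maps '1'..'4' to charset specs."""
    custom = {k: expand_charset(v) for k, v in (custom or {}).items()}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            token = mask[i + 1]
            if token in custom:
                total *= len(custom[token])
            elif token in BUILTIN:
                total *= len(BUILTIN[token])
            # '??' is a literal question mark: exactly one candidate, factor 1
            i += 2
        else:
            i += 1  # a literal character also contributes a factor of 1
    return total

def years_to_exhaust(keyspace, hashes_per_second):
    """Worst-case wall-clock years to run the whole keyspace at a fixed rate."""
    return keyspace / hashes_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Mem5's case: 12 positions, each ?u?l?d (26 + 26 + 10 = 62 characters)
    mask = "?1" * 12
    ks = mask_keyspace(mask, {"1": "?u?l?d"})
    print(f"{mask} with -1 ?u?l?d: {ks:.3e} candidates")
    # 1e9 H/s is an assumed rate for illustration, not a measured K80 figure
    print(f"years at 1e9 H/s: {years_to_exhaust(ks, 1e9):.0f}")
```

The same function also handles a partly known pattern such as `Summer?d?d?d?d`, which is why a policy that only counts length overstates the keyspace of predictable passwords.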
RE: Kerberoasting-Attack / NTLM Hash cracking - SailingTobi - 08-05-2019

(08-05-2019, 09:00 AM) Mem5 Wrote:
> (08-04-2019, 11:51 PM) SailingTobi Wrote:
> > how do you define "truly" random? I assume passwords generated by a browser password plugin are not truly random.
> They are random, but predictable.

Thanks for your reply. I just Passbolt in my lab. Cracking 8 char "random" passwords did work well.