Kerberoasting-Attack / NTLM Hash cracking
#1
Hi all,

I just performed a few Kerberoasting Attacks in a lab and extracted the following RC4-HMAC Hash:

Code:
$krb5tgs$23$*svc_sql$kirk.enterprises$MSSQLSvc/SECOPS-LAB1-ADC.kirk.enterprises:1433*$848EFFF61328D62539D58DF4D72BD175$53003E72E7942CB4EE184F12CDBA9716E5319B1B369339CE568A8EDA23C0AC9DA1E0DE3F73CB446749CBF3133387A982EF3D5DFC0420F88F8E3D12C91C29F587CC3C85E916B9118273D6D5A686256F4780D87FFB7271FA137EE6F18E6B7938C1740F6229E19D72C98C156CEEB4A42E665E9A0438B70107C8219906F034CE0C376BFB83F15D56E7DFC590E089DD221F88F3E11A6E27DC850776A820D5D9BB8B86F306A21381545287FA9987081EA25941ABB4F275AD23497E489ED0D77CCED64A66B15DBEEB7F3673E7134E89801C4651E07A21E38B07D002A49EA36E9BD22721524BABB46415441B04DF19EC0844889BD04C4819782E898FBDC1A10307590949B4FB66CE1C94D673B326DDFDBF9D1E3D23E5842648D01C4A220F3279AF44215EF42A9D731E18DF2D5226AC1747A99369D3A50A75E586519B3D28D975B3F8197447E26FA194F7C8C01BA88E9D6D8104BF01863F3B2F44E7C93DF5AECE9A6E07FD062C3D935BD29C1A9D485504AAC713FC1BDBA506D7CDEABB1E47E006D13B58AB6F1CF7042C1CA95CDF9083122224353D2F621C66127B645CD03130FC4B06920580147511E980DBBE7053ACBA3232F6458C3F3D274B5A76E432BF2C3FFAB025155C83C37F7A7CC486DAA6912E77C232A453BBFCEE99CC7745686831321EEAEE04DD2F1C0DAB453D67F9AB455FE6A0986A9E0009D901F4C4A546ED6A47A6C9454784A8A170CEA79A2D7B6BA0D930458E74E14351CBE74ECCFE888BA38929ACCE1230F25FBA36BC6F7C57E53F2CC994653411DEB8AD5B6F4C8422D85CF50E0B81E320300C5AE0B8F3E38C8AA57B8615D2AD258F9F099A8E0AEDDFC6F22004C82368EC1F927C0437BE4031DDAA1D5221D4313EC2D896F123F0DF06CCA0859E26F6AB5DC6391889D2EAF315039642840F40932B7B93022DDF9AA55E69A2B43B8185B91501500A68EEEA9BE8D1D9D5024765429C52CBA5427998981C466C5FB0F1BE8DD0F389413A31A1FEE59C2A92042796BE5DE2F0B5887D592ED80CD6FEF0E3B76A443C3BA2DBCE36187DEC891C41E8138494E655F79EB8FFEAAE38BC5621146086FA87BB161BD801CC389A5094DB772F91D6D41417FD59CE924C4D8DFC6FB3D7B0C3EB1DA3C02E9878BCD57076780C91D3741A9414BA9611B8E58B8FCBDB1DD2A59466BCEA8FF967C413400DC0E0DC694AC4EB180D4C49C50FDFCFBD8A6C27DA4775BD25A48BDED87F0DC65479A9834DDDB81291711F586AE5C0086FC3ABBAA80299A1D77532D7F9D7C588773B73534E5DFEE523CC875774B2397A74DBCE5F1247CC5463986F6404E09C0ED1DCB
6E936CA2C7424D09E76F420CD6B237231507D09E5B43936EC974E1FD46BA9735058DD69344E37741491B1A0C63C73F1FA772C97455B0A7680E9CB32A3FDD886E2330851E6203BACC24E5729CA0BAA4C7ABCB84E6C974897F9D108A129B9431E3249C1D2AC7DC111951CD676E13081FC807F43E9E75CC9D0CF3707F6C08661523BA35F340F5295475F6842

The password is a random 12-char string with lower case, upper case and special chars. I played around with hashcat on a VM with 4 Tesla K80 and did not manage to bruteforce the password:
  • First try with
    Code:
    hashcat -m 13100 hash.txt -o result.txt -O -w 3 -a 3
    did not result in a successful exfiltration of the password after 5d
  • Second try with
    Code:
    hashcat -m 13100 hash.txt -o result.txt -O -w 3 -a 3 -i --increment-min=12 --increment-max=12
    showed that the password will be cracked after 177 yrs
Is there any way to optimize the bruteforce process for random passwords? And: is it possible to extract the NTLM hash only without cracking the password? Extracting the NTLM hash will be sufficient to perform "pass the hash" attacks.


Thanks guys!
Tobi
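As an added defender-side example (not code from the post or from hashcat), here is a parser for the mode-13100 line format shown above that reports the exposed account, SPN and encryption type, and sizes the keyspace of the password policy the post describes; the sample line is constructed from the post's account, SPN and checksum with the ciphertext truncated.

```python
"""Triage a Kerberoast line in hashcat -m 13100 layout: which account/SPN was
exposed, whether RC4-HMAC (etype 23) was used, and how large the keyspace of
the stated password policy is.  Example code, not from the post or hashcat."""
import re
from dataclasses import dataclass
# Layout: $krb5tgs$23$*user$realm$spn*$checksum$edata; checksum is the 16-byte
# HMAC-MD5 (32 hex chars), edata the RC4-encrypted part of the service ticket.
_LINE_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$"
    r"(?P<spn>[^*]+)\*\$(?P<checksum>[0-9A-Fa-f]{32})\$(?P<edata>[0-9A-Fa-f]+)$"
)

@dataclass
class KerberoastTicket:
    etype: int
    user: str
    realm: str
    spn: str
    checksum: str
    edata_bytes: int

    @property
    def uses_rc4(self) -> bool:
        # etype 23 keys are derived from the NT hash, so the ticket can be brute-forced offline
        return self.etype == 23

def parse_krb5tgs(line: str) -> KerberoastTicket:
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$ line in hashcat 13100 layout")
    return KerberoastTicket(int(m["etype"]), m["user"], m["realm"], m["spn"],
                            m["checksum"].lower(), len(m["edata"]) // 2)

def keyspace(length: int, charset_size: int) -> int:
    """Candidates for a fully random password of the given length and charset."""
    return charset_size ** length

def years_to_exhaust(length: int, charset_size: int, hashes_per_second: float) -> float:
    """Worst-case wall time to try every candidate at the given cracking rate."""
    return keyspace(length, charset_size) / hashes_per_second / (365 * 24 * 3600)

# Constructed sample: the post's account, SPN and checksum with the ciphertext truncated.
SAMPLE = ("$krb5tgs$23$*svc_sql$kirk.enterprises$MSSQLSvc/SECOPS-LAB1-ADC.kirk.enterprises:1433*$"
          "848EFFF61328D62539D58DF4D72BD175$53003E72E7942CB4EE184F12CDBA9716E5319B1B369339CE")

if __name__ == "__main__":
    t = parse_krb5tgs(SAMPLE)
    print(f"{t.user}@{t.realm} spn={t.spn} etype={t.etype} rc4={t.uses_rc4}")
    # 12 random chars from lower + upper + hashcat's 33 specials = 85 symbols per position
    print(f"{years_to_exhaust(12, 85, 1e9):.0f} years to exhaust at 1 GH/s")
```

Accounts whose tickets come back with etype 23 are the ones to move to AES-only encryption types and long random (or managed) passwords, since the RC4 key is the NT hash itself.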


Messages In This Thread
Kerberoasting-Attack / NTLM Hash cracking - by SailingTobi - 08-04-2019, 06:15 PM