You can do some debugging with unit tests. So hashcat is not involved at all.
Patch with this:
And then paste the hash into a file, call it "hash".
Paste it again in another file "crack", and in the second, add a colon and the password to the end of the hash line.
Then you can do this:
You can see, there's no ASN.1 structure at all, looks like very high entropy, probably some bad decrypt.
Here's a hash from JtR:
Password is: Passw0rd
Debug looks like this then:
Difference should be clear to see. That's all we do in hashcat. Everything else you need to discuss with Kerberoasting developers.
Patch with this:
Code:
diff --git a/tools/test_modules/m13100.pm b/tools/test_modules/m13100.pm
index 85f72f07a..4c3faa5b1 100644
--- a/tools/test_modules/m13100.pm
+++ b/tools/test_modules/m13100.pm
@@ -57,6 +57,8 @@ sub module_generate_hash
my $ticket_decrypt = unpack ("H*", $cipher_decrypt->RC4 (pack ("H*", $edata2)));
+print "$ticket_decrypt\n";
+
my $check_correct = ((substr ($ticket_decrypt, 16, 4) eq "6381" && substr ($ticket_decrypt, 22, 2) eq "30") ||
(substr ($ticket_decrypt, 16, 4) eq "6382")) &&
((substr ($ticket_decrypt, 32, 6) eq "030500") ||And then paste the hash into a file, call it "hash".
Paste it again in another file "crack", and in the second, add a colon and the password to the end of the hash line.
Then you can do this:
Quote:$ tools/test.pl verify 13100 hash crack x
6b9d0a32ea529d6510e5127399f3c0177586b7d2d64c25d8d616c2fa6c080ce59c4c1bb1a21ccc8187bc8e0f6de89fdcdcb0bfadd147e038acd764835d793ef57017fab552557fef8a2bab3580bd4532cce0cfeacc97e848e31bfdc9df3f5e9939d51dafe6df43fd71ec2591351f4fb839df87389a248377ce253f6d88d3ae5ee77f743667f6396b514fdd67eb0cb7d2ebdfdb6c0dff00b93baeb1f2c5f970b9741eae51e4b1e499e788f93a24b3ecb23d4e7d330a8f58725f7261f2bf13bb7070c7a5b0783d80aab1df44d3af5957e1856ce2f2c637cebc4d11a3a101e2a4d2b22462c50f1d47e00a046b4105797cda17677bf59506fb3522051ffeef4d91b47bb7ac44222c0cfaac336a52048a8028d2d22f85635c7114cdce43eca210e7042fb68d013da4520e736513cb455384df7b5fd03f94b3b43c5a974be3c0719ab3f7a71fae5f0e8b26293538255e1c54247ab672416ec9b10561147494e430404035cc9838e6541fdd77370b6bad933737d8685147c66aeb633a648cec3f38123609432b9f9ec3e25e2cda3b6f30431bc36a48d582707d3647d47dcd4f6c5ded226145d45d966c868447510fd1a1b95f523c4f4e25c3ed717f411d3d323444bf1d1d8045698e181588ddb8ef4b1d4a7e6b3229d1bad9e1d67183128995aface87161e55055d7403dc1ae2f574fd3eafcaf8dd0d9d7d8136c8841c1b02388c1657ed2dff5a68e9687209f883960d416c24faa25dd5e98167ed7b86f7082b2bf28f86918407a5b22c4c972be40e595757f82c9094a9dc42b7681adbca8c57a51ecaefecc602e7d712e04767ac7050ca5069ff3a39f8bef6564553970711bd98c3661411f29d7a5b850ef5d843e30e50ebf54ea10b467fdb10f5ae31828890f8081516eb970a670267a1ffad5f052c585e9b97c22c895ae3d557bfee6e04c451b0da9106bc26156a6338fe7f2ed86b42e29ea79148f0f82a373db1fac3418fd8353f0d189fbde4292cbd471215b3f04a93e5ce7c7f9f4478190c12694750f4ac835950928e20b62562e8ed873217b2ab3bcec937ce52ad6de6dc40cda0515a145e5878753f4a4dad652714debc03accf17f1d92b3ef5b3dff510240a5443a81c6581c992705ee84fe18e82b4b37f6740fd54fca959bdd5c869de5933e3dbc3f38020a1156f0ce4f2a090821ad4818aac61f62935f73c45cc1838970d534b5fe645c2f108b5ac6c2ed45a54d71c0970a55f62f55d0abf5e0a10c2ea4da55736591437090bcd419b11985aac63413df97e567c30fcd1aabb32ed5e1d192d295fa54e891dc39fe74426f8fdaa26d81bb796be7279e5b2c46788463e9c2ba143c1e5d52265a96d79fdd39d073b3225d19f0f9b134f0732abe5a3a965943e439e1c5b32e792c16e126aabdc328581b39e4f186935c78c98ff2e3d4e4a1a2418af8
You can see, there's no ASN.1 structure at all, looks like very high entropy, probably some bad decrypt.
Here's a hash from JtR:
Quote:$krb5tgs$23$*iis_svc$LAB.LOCAL$HTTP/iis.lab.local*$0f6fc474db169aa8ce9b5e626daacc9d$1a346ce3f66c52976f53831aa24a1b217cdf0d68a0eb87fee00cfd32f544bf83ebb6416732522b12232dd6935eac076b439f56e6cb7fa6c37d984d132e2d2cb65ca399cd5e44eb2eb41f12c40f9044b40e3ea914278c8a3098babacf49ab46e776d1413ef63abcdf6418d2db9241b2fdd9309346ec59af20a82fd6daea9510c1dfd1a9e8d99c59ff72e985057ba0d18394b0a7cb1bd74f8d436a3dd780175a0c6bcad9e46570a476ab9913b561ee481ad8c33a3c81ced055e959f08a52eba7a342f53183e1531be8ec2d28c7ecfa32f98dbc7ff87b4e5c79824f3868d38ce09010960726d58cfbfc88c9d34ab199169f39010aa4aab92b6ea40f875963d518311b3f079d97b65fe9768c9a4ee50f7c16d525fdc081ce359a0b0fe5fb18d8d8690d8f88b010bef4f28dc151a4137272ae9eaca9053406c0ddeae453196e3b6c28b8359724bfc089b772cbae093bf88abc070d12b0ff2e721d7b8b10b822bfb514091effaf3f5fa8c286a9e45bf76ba171e6cabeb3ddadc297185c51a295855b8cfa8062bd6770093355c32690fd184d6eae2b66ea1f553cbc7679681db5089fdb23329efe59de807e657a98ccc0c2d95eaac9f363d5b8c9b8a23aab680c328b019ae99440a5d8795014be22f6739a4f77874e94196f010c012f9a4a587570c38874ad7f8b9ec554fb865752a5f3dd4f785c9af54031100ce580dfadf4c70ff11839647fc288fce8d00bbcb680e02a46230ecb0530ba1771fb8485ba17f5218852c5cdfc769b89d77b37802cc6d22e6ba944f6e4b565d8d04418c44bf10e06294fd58913ca6d206bb6e46f15b3abfc09695f5fbab81d2e743ac19b24716d9d6cb6bae65674f5cdf1935d1413a4be6d96eafaf65cfa361decc0ab1e12998b5c26b6ad38c8077fd149cdeda227c4c68f19fbf22b23e7e84581a64a413c1c983e01b56c2000656b4aad8c67260fc0142eeccd96d624fa284b619d11e797af2d730a5998d9e6d9f4fef58a847d7d9b804be2925beae627a0a9f335072f97f214a24db58cf5e2e74f0eeff1a43f1ec1b88c0110f3c2abaac0d3e954a42b550c37cf84babe6e85ec4e0885eb8309a4c5e2a1bb473b332ff5c31c0b4c32db507c1eca5b7ae607d2423ee1e7f07361229e0ab2678cfbd07afffc5e989c5ab1821ac2f524083258d3f0ca7e7f8250be3f7cc72cf636b098a3c9b3f4e289fd81a9b3c33bfa63ed8813bbc12205134add9fb8548312b734c921a2cf8a1687af7ee022b0f57bbf0f8d8f17952614cb288b95df3fe4f03d20b83227328603dafb264537eb0cacda18de21aa99e07600030424edb41fc3c8161238971bf62af99db8e2d438af06f9d8feeff3edb6a4d4f0a6fb5dfdbe99b1ed454d6ff3dc508c45ed430923212a088e6200b2076da509888edd32fca946a215c8934db7a3b5ac6bed10e4a114f2f132608dbe236cba73cbcffc024fb500e96c3d766ca7f4083ded3666c2b7dcd290f65f7e80ff70fa575777a845fbf7af05b38dfb1ccd7accc0398f8dbf532e28dc6bc0ec49d18f2753caec5912693a0b6050f2bfce72f5160847dcfc78d580609007ddbdf1f338c61c13e7b62fcec6e51d1c0cd1ec0167e40042
Password is: Passw0rd
Debug looks like this then:
Quote:$ tools/test.pl verify 13100 hash2 crack2 x
a8befe6392fd0ac86382046d30820469a00703050040a10000a11b3019a003020117a1120410e9f482a47593ef7dec127339673eaefea20b1b094c41422e4c4f43414ca31a3018a003020101a111300f1b0d41646d696e6973747261746f72a40b3009a003020101a1020400a511180f32303137303932373230353534345aa611180f32303137303932373230353534345aa711180f32303137303932383036353534345aa811180f32303137313030343230353534345aaa8203bd308203b93082034ba003020101a18203420482033e3082033a30820336a00402020080a182032c048203280500000000000000010000002002000058000000000000000a0000002400000078020000000000000c00000058000000a0020000000000000600000014000000f8020000000000000700000014000000100300000000000001100800cccccccc100200000000000000000200fd0c7aeeca37d301ffffffffffffff7fffffffffffffff7f3829eb1b0837d30138e95446d137d30138a944110958d3011a001a00040002000000000008000200000000000c0002000000000010000200000000001400020000000000180002001f000000f401000001020000050000001c00020020020000000000000000000000000000000000001e0020002000020006000800240002002800020000000000000000001000000000000000000000000000000000000000000000000000000000000000010000002c0002003400020001000000380002000d000000000000000d000000410064006d0069006e006900730074007200610074006f0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000000102000007000000000200000700000008020000070000000702000007000000060200000700000010000000000000000f000000570049004e002d004300390032004200380041004500310034004b00460000000400000000000000030000004c0041004200000004000000010400000000000515000000b81a926de1f855fbe289199f0100000030000200070000000100000001010000000000120100000004000000010400000000000515000000b81a926de1f855fbe289199f010000003c0200000700002000000000008855fcd237d3011a00410064006d0069006e006900730074007200610074006f007200000000002e001000120040000100000000000000410064006d0069006e006900730074007200610074006f00720040006c00610062002e006c006f00630061006c0000004c00410042002e004c004f00430041004c0000000000000076ffffffdbab0aa23e593d79dae0216c14525b800000000076fffffff828766a315d4bf451708ff550d65562000000003068a003020101a161045f305d303fa0040202008da137043530333031a003020100a12a04280000000000300000acddeb78b50d5eb92c87d5dd5a7505cfc976e7a8f4dbae56f80d4e28aa3c029b301aa0040202008ea1120410101d71fd53020000de7ad40300000000
Difference should be clear to see. That's all we do in hashcat. Everything else you need to discuss with Kerberoasting developers.