hashcat unable to crack simple kerberos tgs hashes
#1
Hello! Thanks in advance for the help.

Problem as follows:
1. Trying to crack a Kerberos hash gained via Kerberoasting in my lab using Impacket's GetUserSPNs.py
2. Unable to crack with hashcat and John the Ripper.
3. The hash's password is: Mypassword123#
4. Made sure password is correct on account.
5. Made sure hash is in password list rockyou.txt
6. Checked command syntax and formatting: hashcat -m 13100 krb.txt /usr/share/wordlists/rockyou.txt
7. Hash is stored in krb.txt, was copied from terminal.

8. Tried to mess with the hash format, no luck.
9. Tried all other Kerberos hash cracking modes, don't work.
10. Mode 13100 works but simply doesn't crack it.
11. Hashcat is on newest version 6.2.6
12. Tested on second PC, fails as well.


Hash (from my test lab, non-critical):
$krb5tgs$23$*SQLService$MARVEL.LOCAL$MARVEL.local/SQLService*$f329de6a28f626c996fda73b0945d489$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

Graphics card:
NVIDIA GeForce RTX 3060 Ti

Please advise.
Reply
#2
Also tried --force -O -S

Hashcat output from: 

hashcat -m 13100 krb.txt /usr/share/wordlists/rockyou.txt

hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 7 5800 8-Core Processor, 2913/5890 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?               

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.         

Session..........: hashcat                               
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*SQLService$MARVEL.LOCAL$MARVEL.local/S...1ef184
Time.Started.....: Fri Jul 25 23:06:48 2025 (9 secs)
Time.Estimated...: Fri Jul 25 23:06:57 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1642.8 kH/s (0.81ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 72%

Started: Fri Jul 25 23:06:46 2025
Stopped: Fri Jul 25 23:06:58 2025
Reply
#3
This doesn't look like a hashcat issue, given that you also mentioned you were unable to crack it with JTR.

4. Made sure password is correct on account.

Are you sure that the password is set and the hash should match for that specific SPN? Have you tried capturing the hash a few more times and trying to crack those? Or perhaps changing the password again and recapturing?
Reply
#4
(Yesterday, 12:49 AM)Chick3nman Wrote: This doesn't look like a hashcat issue, given that you also mentioned you were unable to crack it with JTR.

4. Made sure password is correct on account.

Are you sure that the password is set and the hash should match for that specific SPN? Have you tried capturing the hash a few more times and trying to crack those? Or perhaps changing the password again and recapturing?

I just double checked the password is the specified one.
I just tried to change it like you said, then changed it back multiple times, was unable to crack either of the very simple passwords. I also rebooted the domain controller. No dice.

Are you able to crack the above specified hash?

I am Kerberoasting an up-to-date Windows Server 2022, but that should not affect the hash, right?

During Kerberoasting I usually run into the following error:
[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

but I was able to fix this with changing to run and then executing:
"timedatectl set-ntp off", "rdate -n [IP of Domain Controller]".

Then I get the hash and just copy and paste it into a nano-ed .txt:
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName                    Name        MemberOf                                                    PasswordLastSet            LastLogon                  Delegation
--------------------------------------  ----------  -----------------------------------------------------------  --------------------------  --------------------------  ----------
HYDRA-DC/SQLService.MARVEL.local:60111  SQLService  CN=Group Policy Creator Owners,OU=Groups,DC=MARVEL,DC=local  2025-07-26 12:42:56.934060  2025-07-26 14:45:15.430006           
HYDRA-DC/SQLService.MARVEL.local        SQLService  CN=Group Policy Creator Owners,OU=Groups,DC=MARVEL,DC=local  2025-07-26 12:42:56.934060  2025-07-26 14:45:15.430006           



[-] CCache file is not found. Skipping...
$krb5tgs$23$*SQLService$MARVEL.LOCAL$MARVEL.local/SQLService*$97397eb35bf168a16257e8317e85c5f9$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

Thanks for taking the time to answer my question.
If it is not a hashcat problem, where do you think the problem lies?
Reply
#5
You can do some debugging with unit tests. So hashcat is not involved at all.

Patch with this:

Code:
diff --git a/tools/test_modules/m13100.pm b/tools/test_modules/m13100.pm
index 85f72f07a..4c3faa5b1 100644
--- a/tools/test_modules/m13100.pm
+++ b/tools/test_modules/m13100.pm
@@ -57,6 +57,8 @@ sub module_generate_hash
    my $ticket_decrypt = unpack ("H*", $cipher_decrypt->RC4 (pack ("H*", $edata2)));
+print "$ticket_decrypt\n";
+
    my $check_correct  = ((substr ($ticket_decrypt, 16, 4) eq "6381" && substr ($ticket_decrypt, 22, 2) eq "30") ||
                          (substr ($ticket_decrypt, 16, 4) eq "6382")) &&
                          ((substr ($ticket_decrypt, 32, 6) eq "030500") ||
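Review bot: the added `print "$ticket_decrypt\n";` directly after the RC4 decrypt writes to STDOUT unconditionally on every call of module_generate_hash, and it sits at column 0 while the surrounding lines are indented. As a local debugging aid that works, but it should not be committed in this form: use `print STDERR "$ticket_decrypt\n";` so the dump cannot mix with the tool's normal output, match the surrounding indentation, and guard it behind a debug switch, since it emits the full decrypted ticket body.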

And then paste the hash into a file, call it "hash".

Paste it again in another file "crack", and in the second, add a colon and the password to the end of the hash line.

Then you can do this:

Quote:$ tools/test.pl verify 13100 hash crack x
6b9d0a32ea529d6510e5127399f3c0177586b7d2d64c25d8d616c2fa6c080ce59c4c1bb1a21ccc8187bc8e0f6de89fdcdcb0bfadd147e038acd764835d793ef57017fab552557fef8a2bab3580bd4532cce0cfeacc97e848e31bfdc9df3f5e9939d51dafe6df43fd71ec2591351f4fb839df87389a248377ce253f6d88d3ae5ee77f743667f6396b514fdd67eb0cb7d2ebdfdb6c0dff00b93baeb1f2c5f970b9741eae51e4b1e499e788f93a24b3ecb23d4e7d330a8f58725f7261f2bf13bb7070c7a5b0783d80aab1df44d3af5957e1856ce2f2c637cebc4d11a3a101e2a4d2b22462c50f1d47e00a046b4105797cda17677bf59506fb3522051ffeef4d91b47bb7ac44222c0cfaac336a52048a8028d2d22f85635c7114cdce43eca210e7042fb68d013da4520e736513cb455384df7b5fd03f94b3b43c5a974be3c0719ab3f7a71fae5f0e8b26293538255e1c54247ab672416ec9b10561147494e430404035cc9838e6541fdd77370b6bad933737d8685147c66aeb633a648cec3f38123609432b9f9ec3e25e2cda3b6f30431bc36a48d582707d3647d47dcd4f6c5ded226145d45d966c868447510fd1a1b95f523c4f4e25c3ed717f411d3d323444bf1d1d8045698e181588ddb8ef4b1d4a7e6b3229d1bad9e1d67183128995aface87161e55055d7403dc1ae2f574fd3eafcaf8dd0d9d7d8136c8841c1b02388c1657ed2dff5a68e9687209f883960d416c24faa25dd5e98167ed7b86f7082b2bf28f86918407a5b22c4c972be40e595757f82c9094a9dc42b7681adbca8c57a51ecaefecc602e7d712e04767ac7050ca5069ff3a39f8bef6564553970711bd98c3661411f29d7a5b850ef5d843e30e50ebf54ea10b467fdb10f5ae31828890f8081516eb970a670267a1ffad5f052c585e9b97c22c895ae3d557bfee6e04c451b0da9106bc26156a6338fe7f2ed86b42e29ea79148f0f82a373db1fac3418fd8353f0d189fbde4292cbd471215b3f04a93e5ce7c7f9f4478190c12694750f4ac835950928e20b62562e8ed873217b2ab3bcec937ce52ad6de6dc40cda0515a145e5878753f4a4dad652714debc03accf17f1d92b3ef5b3dff510240a5443a81c6581c992705ee84fe18e82b4b37f6740fd54fca959bdd5c869de5933e3dbc3f38020a1156f0ce4f2a090821ad4818aac61f62935f73c45cc1838970d534b5fe645c2f108b5ac6c2ed45a54d71c0970a55f62f55d0abf5e0a10c2ea4da55736591437090bcd419b11985aac63413df97e567c30fcd1aabb32ed5e1d192d295fa54e891dc39fe74426f8fdaa26d81bb796be7279e5b2c46788463e9c2ba143c1e5d52265a96d79fdd39d073b3225d19f0f9b134f0732abe5a3a965943e439e1c5b32e792c16e126aabdc328
581b39e4f186935c78c98ff2e3d4e4a1a2418af8

You can see, there's no ASN.1 structure at all, looks like very high entropy, probably some bad decrypt.

Here's a hash from JtR:

Quote:$krb5tgs$23$*iis_svc$LAB.LOCAL$HTTP/iis.lab.local*$0f6fc474db169aa8ce9b5e626daacc9d$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

Password is: Passw0rd

Debug looks like this then:

Quote:$ tools/test.pl verify 13100 hash2 crack2 x
a8befe6392fd0ac86382046d30820469a00703050040a10000a11b3019a003020117a1120410e9f482a47593ef7dec127339673eaefea20b1b094c41422e4c4f43414ca31a3018a003020101a111300f1b0d41646d696e6973747261746f72a40b3009a003020101a1020400a511180f32303137303932373230353534345aa611180f32303137303932373230353534345aa711180f32303137303932383036353534345aa811180f32303137313030343230353534345aaa8203bd308203b93082034ba003020101a18203420482033e3082033a30820336a00402020080a182032c048203280500000000000000010000002002000058000000000000000a0000002400000078020000000000000c00000058000000a0020000000000000600000014000000f8020000000000000700000014000000100300000000000001100800cccccccc100200000000000000000200fd0c7aeeca37d301ffffffffffffff7fffffffffffffff7f3829eb1b0837d30138e95446d137d30138a944110958d3011a001a00040002000000000008000200000000000c0002000000000010000200000000001400020000000000180002001f000000f401000001020000050000001c00020020020000000000000000000000000000000000001e0020002000020006000800240002002800020000000000000000001000000000000000000000000000000000000000000000000000000000000000010000002c0002003400020001000000380002000d000000000000000d000000410064006d0069006e006900730074007200610074006f0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000000102000007000000000200000700000008020000070000000702000007000000060200000700000010000000000000000f000000570049004e002d004300390032004200380041004500310034004b00460000000400000000000000030000004c0041004200000004000000010400000000000515000000b81a926de1f855fbe289199f0100000030000200070000000100000001010000000000120100000004000000010400000000000515000000b81a926de1f855fbe289199f010000003c0200000700002000000000008855fcd237d3011a00410064006d0069006e006900730074007200610074006f007200000000002e001000120040000100000000000000410064006d0069006e006900730074007200610074006f00720040006c00610062002e006c006f00630061006c0000004c00410042002e004c004f00430041004c0000000000000076ffffffdbab0aa23e
593d79dae0216c14525b800000000076fffffff828766a315d4bf451708ff550d65562000000003068a003020101a161045f305d303fa0040202008da137043530333031a003020100a12a04280000000000300000acddeb78b50d5eb92c87d5dd5a7505cfc976e7a8f4dbae56f80d4e28aa3c029b301aa0040202008ea1120410101d71fd53020000de7ad40300000000

Difference should be clear to see. That's all we do in hashcat. Everything else you need to discuss with Kerberoasting developers.
Reply
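The check that post #5 runs through the patched test module, as an added Python example that is not part of the thread or of hashcat: it derives the RC4-HMAC keys for one known password per RFC 4757, decrypts the edata2 field of a `$krb5tgs$23$` line, and reports whether the checksum matches and whether the plaintext starts with the `6381`/`6382` ASN.1 header. `make_sample`, the `svc`/`LAB.TEST` names and the plaintext fed to it are constructed for illustration, and only the first half of the module's header test is mirrored.

```python
import hashlib, hmac, struct

M = 0xFFFFFFFF
R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # MD4 round-3 word order

def md4(msg):  # pure-Python MD4 (RFC 1320); hashlib may lack it on OpenSSL 3
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = msg + b"\x80" + b"\0" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            r, j = divmod(i, 16)
            if r == 0:
                f, k, s = (b & c) | (~b & d), j, (3, 7, 11, 19)
            elif r == 1:
                f, k, s = ((b & c) | (b & d) | (c & d)) + 0x5A827999, j % 4 * 4 + j // 4, (3, 5, 9, 13)
            else:
                f, k, s = (b ^ c ^ d) + 0x6ED9EBA1, R3[j], (3, 9, 11, 15)
            a, b, c, d = d, rol((a + f + X[k]) & M, s[j % 4]), b, c
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def rc4(key, data):
    S, j, out = list(range(256)), 0, bytearray()
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 255
        S[i], S[j] = S[j], S[i]
    i = j = 0
    for byte in data:
        i = (i + 1) & 255; j = (j + S[i]) & 255
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 255])
    return bytes(out)

def k1_for(password):  # RFC 4757: K1 = HMAC-MD5(NT hash, key usage 2 for the TGS-REP ticket)
    return hmac.new(md4(password.encode("utf-16-le")), struct.pack("<I", 2), "md5").digest()

def verify(hash_line, password):  # -> (checksum_ok, asn1_header_ok)
    _, chk, edata2 = hash_line.strip().rsplit("$", 2)
    chk, k1 = bytes.fromhex(chk), k1_for(password)
    plain = rc4(hmac.new(k1, chk, "md5").digest(), bytes.fromhex(edata2))
    asn1_ok = plain[8:9] == b"\x63" and plain[9:10] in (b"\x81", b"\x82")
    return hmac.compare_digest(hmac.new(k1, plain, "md5").digest(), chk), asn1_ok

def make_sample(password, plain):  # constructed input, not a captured ticket
    k1 = k1_for(password)
    chk = hmac.new(k1, plain, "md5").digest()
    return "$krb5tgs$23$*svc$LAB.TEST$svc/host*$%s$%s" % (chk.hex(), rc4(hmac.new(k1, chk, "md5").digest(), plain).hex())
```

A `(False, False)` result for the password known to be set on the account means the blob does not decrypt under that password's RC4 key, so the cause lies in how the ticket was produced or copied rather than in the cracker.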