Kerberoasting not working

[TealAlex]

Hi,
today I tried the Kerberoasting attack for the first time in my lab. I created a new account and set a spn as follows:

setspn -a fs01/SVC_SQLService.tealtest.de:1433 tealtest\sql_svc

Then I saved the hash with rubeus:

Rubeus.exe kerberoast /outfile:.\hash.txt

I tried to crack the hash with the current hashcat version:

hashcat64.exe -m 13100 -O C:\hash.txt C:\realpw.txt --force

The wordlist contains only the correct password but nevertheless hashcat does not succeed.

The password of the account is Test123. which can also be confirmed with rubeus:

v1.5.0
[+] STUPENDOUS => svc_sql:Test123.
[*]Saved TGT into svc_sql.kirbi


I googled and tried now for hours. Any advice?

Thanks Alex

[undeath]

Why are you using force? What is hashcat's status when it finishes?

[TealAlex]

Hi,
I wasn't aware of that rule, I thought it might help to reproduce the issue. I removed it.
I use force because of this message:

* Device #1: Intel's OpenCL runtime (GPU only) is currently broken.
We are waiting for updated OpenCL drivers from Intel.
You can use --force to override, but do not report related errors.

As there was no error message I assumed it works correctly with --force.
I'm running hashcat on my laptop.

From the output I gather that the hash format is correctly recognized but...
The complete output is:

hashcat (v5.1.0) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) UHD Graphics 620, 3235/6470 MB allocatable, 24MCU
* Device #2: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Optimized-Kernel
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 31

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Dictionary cache hit:
* Filename..: C:\realpw.txt
* Passwords.: 3
* Bytes.....: 31
* Keyspace..: 3

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*svc_sql$tealtest.de$fs01/SVC_SQLServic...f129e8
Time.Started.....: Thu Feb 20 23:15:18 2020 (0 secs)
Time.Estimated...: Thu Feb 20 23:15:18 2020 (0 secs)
Guess.Base.......: File (C:\realpw.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 122 H/s (0.84ms) @ Accel:16 Loops:1 Thr:64 Vec:4
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 3/3 (100.00%)
Rejected.........: 0/3 (0.00%)
Restore.Point....: 3/3 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: SecPass2020! -> Test123.

Started: Thu Feb 20 23:15:16 2020
Stopped: Thu Feb 20 23:15:19 2020

Alex

[undeath]

* Device #1: Intel's OpenCL runtime (GPU only) is currently broken.
We are waiting for updated OpenCL drivers from Intel.
You can use --force to override, but do not report related errors.

[TealAlex]

I'm sorry, I'm new to hashcat. As there was no error message, I was assuming what I'm doing is working correctly....

[philsmd]

the question now is, does it work without --force ? does it crack with the correct password ?

[TealAlex]

It does on another machine but only if there are at least two entries in the password list...

[philsmd]

do you use the latest beta version from https://hashcat.net/beta/ ?

[undeath]

I'm sorry, I'm new to hashcat. As there was no error message, I was assuming what I'm doing is working correctly....

Well, there was an error message but you chose to force hashcat to ignore it I know the error message is not ideal. It's been made clearer in the beta version (and next stable version).

For the record, I am able to successfully crack the hash.