Support for Kerberos Pre-Auth etype 17/18 (SHA-1) #959

Open
brandoncasaba opened this Issue Jan 9, 2017 · 5 comments

@brandoncasaba

brandoncasaba commented Jan 9, 2017

With more and more enterprises running Win7+, Kerberos tickets are required to use aes256-cts-hmac-sha1-96, so passive analysis returns fewer and fewer of the old RC4-based tickets that Hashcat supports.

I would like to see Hashcat support the more modern Windows network hashes present on more and more enterprise networks.

Samples with implementation here:
http://www.openwall.com/lists/john-users/2012/11/18/5
ETA: or, more currently, here (thanks Magnum, you guys rock!):
https://github.com/magnumripper/JohnTheRipper/blob/8bcaddef35f703c47367fad612e473061459b156/src/opencl_krb5pa-sha1_fmt_plug.c

{"$krb5ng$user1$EXAMPLE.COM$2a0e68168d1eac344da458599c3a2b33ff326a061449fcbc242b212504e484d45903c6a16e2d593912f56c93$883bf697b325193d62a8be9c", "openwall"},
{"$krb5ng$user1$EXAMPLE.COM$a3918bd0381107feedec8db0022bdf3ac56e534ed54d13c62a7013a47713cfc31ef4e7e572f912fa4164f76b$335e588bf29c2d17b11c5caa", "openwall"},
{"$krb5ng$l33t$EXAMPLE.COM$98f732b309a1d7ef2355a974842a32894d911e97150f5d57f248e1c2632fbd3735c5f156532ccae0341e6a2d$779ca83a06021fe57dafa464", "openwall"},
{"$krb5ng$aduser$AD.EXAMPLE.COM$64dfeee04be2b2e0423814e0df4d0f960885aca4efffe6cb5694c4d34690406071c4968abd2c153ee42d258c$5e09a41269bbcd7799f478d3", "password@..."},
{"$krb5ng$aduser$AD.EXAMPLE.COM$f94f755a8b4493d925094a4eb1cec630ac40411a14c9733a853516fe426637d9daefdedc0567e2bb5a83d4f8$9a0ad1a4b178662b6106c0ff", "password@...45678"},

@brandoncasaba brandoncasaba changed the title from Support for Kerberos etype 17/18 (SHA-1) to Support for Kerberos Pre-Auth etype 17/18 (SHA-1) Jan 9, 2017

@magnumripper
magnumripper Jan 9, 2017

Contributor

That sample code is ancient and we no longer use that tag. This now corresponds to krb5pa-sha1 in current JtR. It's straightforward to implement and finally uses UTF-8 like anyone else IIRC.

{"$krb5pa$18$user1$EXAMPLE.COM$$2a0e68168d1eac344da458599c3a2b33ff326a061449fcbc242b212504e484d45903c6a16e2d593912f56c93883bf697b325193d62a8be9c", "openwall"},
{"$krb5pa$18$user1$EXAMPLE.COM$$a3918bd0381107feedec8db0022bdf3ac56e534ed54d13c62a7013a47713cfc31ef4e7e572f912fa4164f76b335e588bf29c2d17b11c5caa", "openwall"},
{"$krb5pa$18$l33t$EXAMPLE.COM$$98f732b309a1d7ef2355a974842a32894d911e97150f5d57f248e1c2632fbd3735c5f156532ccae0341e6a2d779ca83a06021fe57dafa464", "openwall"},
{"$krb5pa$18$aduser$AD.EXAMPLE.COM$$64dfeee04be2b2e0423814e0df4d0f960885aca4efffe6cb5694c4d34690406071c4968abd2c153ee42d258c5e09a41269bbcd7799f478d3", "password@123"},
{"$krb5pa$18$aduser$AD.EXAMPLE.COM$$f94f755a8b4493d925094a4eb1cec630ac40411a14c9733a853516fe426637d9daefdedc0567e2bb5a83d4f89a0ad1a4b178662b6106c0ff", "password@12345678"},
{"$krb5pa$18$aduser$AD.EXAMPLE.COM$AD.EXAMPLE.COMaduser$f94f755a8b4493d925094a4eb1cec630ac40411a14c9733a853516fe426637d9daefdedc0567e2bb5a83d4f89a0ad1a4b178662b6106c0ff", "password@12345678"},
/* etype 17 hash obtained using MiTM etype downgrade attack */
{"$krb5pa$17$user1$EXAMPLE.COM$$c5461873dc13665771b98ba80be53939e906d90ae1ba79cf2e21f0395e50ee56379fbef4d0298cfccfd6cf8f907329120048fd05e8ae5df4", "openwall"},
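As an added example (not code from hashcat or JtR), a small Python helper that parses the current `$krb5pa$<etype>$<user>$<realm>$<salt>$<hex>` lines shown above, applies the RFC 4120 default salt (realm followed by the principal name) when the salt field is empty so the two `aduser` lines normalise to the same record, and rewrites the legacy `$krb5ng$` lines from the opening post into the current form. The legacy tag carried no etype field, so treating converted lines as etype 18 is an assumption made here.

```python
"""Parse and normalise JtR-style Kerberos PA-ENC-TIMESTAMP hash lines
($krb5pa$<etype>$<user>$<realm>$<salt>$<hex>) and convert the older
$krb5ng$ lines from the thread.  Helper code written for this discussion,
not part of hashcat or John the Ripper; sample lines come from the issue."""
from dataclasses import dataclass

# RFC 3961 encryption type numbers that appear in the thread.
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
CHECKSUM_LEN = 12    # HMAC-SHA1-96 tag appended to the ciphertext
CONFOUNDER_LEN = 16  # one AES block of random confounder precedes the plaintext


@dataclass
class Krb5PaHash:
    etype: int
    user: str
    realm: str
    salt: str          # effective string-to-key salt
    ciphertext: bytes  # confounder || encrypted PA-ENC-TS-ENC
    checksum: bytes    # HMAC-SHA1-96 over the ciphertext


def parse_krb5pa(line: str) -> Krb5PaHash:
    """Split a $krb5pa$ line.  An empty salt field means the RFC 4120 default
    salt, i.e. the realm concatenated with the principal name, which is why
    the '$$' and '$AD.EXAMPLE.COMaduser$' lines describe the same hash."""
    fields = line.strip().split("$")
    if len(fields) != 7 or fields[0] != "" or fields[1] != "krb5pa":
        raise ValueError("not a $krb5pa$ line")
    _, _, etype, user, realm, salt, blob = fields
    etype = int(etype)
    if etype not in ETYPES:
        raise ValueError(f"unsupported etype {etype}")
    data = bytes.fromhex(blob)
    if len(data) <= CONFOUNDER_LEN + CHECKSUM_LEN:
        raise ValueError("encrypted timestamp too short")
    return Krb5PaHash(etype, user, realm, salt or realm + user,
                      data[:-CHECKSUM_LEN], data[-CHECKSUM_LEN:])


def krb5ng_to_krb5pa(line: str) -> str:
    """Rewrite a legacy $krb5ng$<user>$<realm>$<cipher>$<checksum> line as the
    current $krb5pa$18$ form: the checksum is simply appended to the
    ciphertext and the salt field is left empty.  The old tag had no etype
    field, so etype 18 (aes256) is assumed here."""
    fields = line.strip().split("$")
    if len(fields) != 6 or fields[0] != "" or fields[1] != "krb5ng":
        raise ValueError("not a $krb5ng$ line")
    _, _, user, realm, cipher, checksum = fields
    return f"$krb5pa$18${user}${realm}$${cipher}{checksum}"
```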
@thesle3p
thesle3p Mar 22, 2017

Would be great to see this.

@elitest
elitest May 9, 2017

For anyone looking to work on this, I would recommend taking a look at the MS-KILE documentation, which even has some key generation examples as well as a ton of other info regarding MS's implementation of Kerberos.

@Fist0urs
Fist0urs May 11, 2017

Contributor

I could do that when I find time... (also the KRB 5 TGS one)


@brandoncasaba

brandoncasaba commented Mar 7, 2018
