nidem / kerberoast
License: Apache License 2.0
Hi,
What does that wordlist file contain? Does it contain the hashes of the commonly used passwords? Can you please provide us the wordlist file? Or do we need to create our own?
./tgsrepcrack.py wordlist.txt
Thanks. Much appreciated.
kirbi2john seems to break JtR's ability to read the output correctly.
".kirbi" files dumped from mimikatz
$krb5tgs$2-40a10000-xor-app59$@MSSQLSvc~xor-app23.xor.com~1433-XOR.COM.kirbi:c2a26d7ec38e49393fc2a91fc2b322c3a1c2bfc3bec39414$c38ac28cc3bc10c3897bc29046c3a772560ac396c29831c280c3a63b4bc29a09c29866c3974fc29ec28dc385c29d34c2b936c2b77f2b0228c39f065cc39bc29503c293c3bdc285c3bfc2bf05c3abc39c30c2ab08c3934bc38ac2b47b31266cc..
Shortened for brevity. It's really the first part that seems like it's wrong; you can see the .kirbi at the end there:
"$krb5tgs$2-40a10000-xor-app59$@MSSQLSvc~xor-app23.xor.com~1433-XOR.COM.kirbi:c2"
Running John
On the flip side, Invoke-Kerberoast as it stands with Empire outputs a correct hash formatted for John or Hashcat.
Hey, I just wanted to ask if you're still working on the John module for cracking the passwords, or if you have any tips on how one could implement it.
It would be nice if tgsrepcrack would be a bit more verbose: let you know what Kerberos tickets it's loaded, maybe even showing what the service is that it picks out of the ticket. That way it may show if any tickets are garbage.
I am getting the following error when running this command on this ticket:
2-40a10000-Install@http~kerbtest.a.vm.net-A.VM.NET.kirbi.txt
python C:\kerberoast-master\kerberoast-master\kerberoast.py -p Password1 -r $fileName -w http.kirbi -u 500
PS C:\> python C:\kerberoast-master\kerberoast-master\kerberoast.py -p Password1 -r $fileName -w http.kirbi -u 500
NO MATCH!! UPN DNS Info
NOT SAME
2000100010003000010000000000000049006e007300740061006c006c00400061002e0076006d002e006e006500740041002e0056004d002e004e0045005400
2000100010003400010000000000000049006e007300740061006c006c00400061002e0076006d002e006e00650074000000000041002e0056004d002e004e00
----
python : Traceback (most recent call last):
At line:1 char:1
+ python C:\kerberoast-master\kerberoast-master\kerberoast.py -p Passwo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Traceback (most recent call last)::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
File "C:\kerberoast-master\kerberoast-master\kerberoast.py", line 243, in <module>
newticket = updatepac(key, fullraw, pac)
File "C:\kerberoast-master\kerberoast-master\kerberoast.py", line 161, in updatepac
newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce)
File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 663, in __call__
substrate = concreteEncoder.encode(value, asn1Spec, self, **options)
File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 85, in encode
value, asn1Spec, encodeFun, **options
File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 450, in encodeValue
chunk = encodeFun(component, asn1Spec, **options)
File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 663, in __call__
substrate = concreteEncoder.encode(value, asn1Spec, self, **options)
File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 85, in encode
value, asn1Spec, encodeFun, **options
File "C:\Python27\lib\site-packages\pyasn1\codec\ber\encoder.py", line 185, in encodeValue
substrate = value.asOctets()
File "C:\Python27\lib\site-packages\pyasn1\type\char.py", line 84, in asOctets
return str(self)
File "C:\Python27\lib\site-packages\pyasn1\type\char.py", line 55, in __str__
return self._value.encode(self.encoding)
AttributeError: 'GeneralizedTime' object has no attribute 'encode'
root@kali:~/kerberoast# python kerberoast.py -v -r /root/xxx.kirbi -w /root/xxx2.kirbi -p xxx
NO MATCH!! Login Info
NOT SAME
0110[...snip...]0005
0110[...snip...]0000
----
Traceback (most recent call last):
File "kerberoast.py", line 242, in <module>
pac = pacobj.encode()
File "/root/kerberoast/PAC.py", line 529, in encode
pse = ps.encode()
AttributeError: 'NoneType' object has no attribute 'encode'
Linux kali 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2016.1"
VERSION_ID="2016.1"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.kali.org/"
SUPPORT_URL="http://forums.kali.org/"
BUG_REPORT_URL="http://bugs.kali.org/"
Python 2.7.12
Process Process-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
self.run()
File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
self._target(*self._args, **self._kwargs)
File "tgsrepcrack.py", line 16, in loadwordlist
wordlistqueue.put(w.decode('utf-8').strip(), True)
File "/usr/lib/python2.7/encodings/utf_8.py", line 16, in decode
return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode byte 0x93 in position 1: invalid start byte
Does this mean that the ticket is bad?
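The traceback above fails at `w.decode('utf-8')` in `loadwordlist`, that is, while decoding a wordlist entry. As an added example (not part of this thread or of kerberoast's code), the following reproduces the two error kinds reported on this page, "invalid start byte" and "invalid continuation byte", on constructed sample bytes and shows a tolerant decode; `find_undecodable` and `decode_word` are hypothetical helper names.

```python
# Constructed sample wordlist bytes (not data from the issue reports).
SAMPLE_WORDLIST = (
    b"Password1\n"
    b"\xe2\x80\x9cquoted\xe2\x80\x9d\n"  # curly quotes encoded as valid UTF-8
    b"\x93quoted\x94\n"                  # cp1252 curly quotes: 0x93 cannot start a UTF-8 sequence
    b"espa\xf1ol\n"                      # latin-1 n-tilde: 0xf1 expects continuation bytes, gets 'o'
)


def find_undecodable(data):
    """Return (line_number, byte_offset, byte_value, reason) for every line that is not valid UTF-8."""
    problems = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        try:
            raw.decode("utf-8")
        except UnicodeDecodeError as exc:
            # exc.start is the offset of the offending byte within the line
            problems.append((lineno, exc.start, raw[exc.start], exc.reason))
    return problems


def decode_word(raw):
    """Decode one entry: strict UTF-8 first, then latin-1, which maps every byte and cannot raise."""
    try:
        return raw.decode("utf-8").strip()
    except UnicodeDecodeError:
        return raw.decode("latin-1").strip()


if __name__ == "__main__":
    for lineno, offset, value, reason in find_undecodable(SAMPLE_WORDLIST):
        print("line %d: byte 0x%02x at offset %d: %s" % (lineno, value, offset, reason))
    print([decode_word(w) for w in SAMPLE_WORDLIST.splitlines()])
```
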
Hello,
I am getting this error:
root@kali:~/Desktop/CTF# ./tgsrepcrack.py wordlist.txt tgs.kirbi
Traceback (most recent call last):
File "./tgsrepcrack.py", line 71, in <module>
for f in glob.glob(path):
File "/usr/lib/python3.8/glob.py", line 21, in glob
return list(iglob(pathname, recursive=recursive))
File "/usr/lib/python3.8/glob.py", line 42, in _iglob
dirname, basename = os.path.split(pathname)
File "/usr/lib/python3.8/posixpath.py", line 103, in split
p = os.fspath(p)
TypeError: expected str, bytes or os.PathLike object, not _io.TextIOWrapper
^CError in atexit._run_exitfuncs:
Traceback (most recent call last):
File "/usr/lib/python3.8/multiprocessing/popen_fork.py", line 27, in poll
pid, sts = os.waitpid(self.pid, flag)
KeyboardInterrupt
If I leave it running for a little longer before interrupting with Ctrl+C the error looks like this:
root@kali:~/Desktop/CTF# ./tgsrepcrack.py wordlist.txt tgs.kirbi
Traceback (most recent call last):
File "./tgsrepcrack.py", line 71, in <module>
for f in glob.glob(path):
File "/usr/lib/python3.8/glob.py", line 21, in glob
return list(iglob(pathname, recursive=recursive))
File "/usr/lib/python3.8/glob.py", line 42, in _iglob
dirname, basename = os.path.split(pathname)
File "/usr/lib/python3.8/posixpath.py", line 103, in split
p = os.fspath(p)
TypeError: expected str, bytes or os.PathLike object, not _io.TextIOWrapper
^CError in atexit._run_exitfuncs:
Traceback (most recent call last):
File "/usr/lib/python3.8/multiprocessing/popen_fork.py", line 27, in poll
pid, sts = os.waitpid(self.pid, flag)
KeyboardInterrupt
Process Process-1:
Traceback (most recent call last):
File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
self.run()
File "/usr/lib/python3.8/multiprocessing/process.py", line 108, in run
self._target(*self._args, **self._kwargs)
File "./tgsrepcrack.py", line 16, in loadwordlist
wordlistqueue.put(w.decode('utf-8').strip(), True)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 5: invalid continuation byte
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.8/multiprocessing/process.py", line 318, in _bootstrap
util._exit_function()
File "/usr/lib/python3.8/multiprocessing/util.py", line 337, in _exit_function
_run_finalizers()
File "/usr/lib/python3.8/multiprocessing/util.py", line 277, in _run_finalizers
finalizer()
File "/usr/lib/python3.8/multiprocessing/util.py", line 201, in __call__
res = self._callback(*self._args, **self._kwargs)
File "/usr/lib/python3.8/multiprocessing/queues.py", line 195, in _finalize_join
thread.join()
File "/usr/lib/python3.8/threading.py", line 1011, in join
self._wait_for_tstate_lock()
File "/usr/lib/python3.8/threading.py", line 1027, in _wait_for_tstate_lock
elif lock.acquire(block, timeout):
KeyboardInterrupt
It'd be nice if there was a way in the PowerShell script to filter and pull only the tickets that had non-computer objects assigned to them. I have been trying for a bit to get this to work but my PowerShell sucks.
Hello,
I get this error with tgsrepcrack
root@kali:~/Desktop/CTF# ./tgsrepcrack.py /usr/share/wordlists/rockyou.txt tgs.kirbi
Traceback (most recent call last):
File "./tgsrepcrack.py", line 46, in <module>
metavar='dictionary.txt', type=file, # windows closes it in thread
NameError: name 'file' is not defined
I'm using the latest version. (Downloaded today April 24th)
I'm getting the following error when trying to crack the kirbi file:
root@kali:~/kerberoast$ python tgsrepcrack.py 1-xxx.COM.kirbi /pentest/dictionaries/bigpicch.txt
Process Process-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
self.run()
File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
self._target(*self._args, **self._kwargs)
File "tgsrepcrack.py", line 16, in loadwordlist
wordlistqueue.put(w.decode('utf-8').strip(), True)
File "/usr/lib/python2.7/encodings/utf_8.py", line 16, in decode
return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode byte 0x82 in position 1: invalid start byte
All tickets cracked!
Exception calling "FindAll" with "0" argument(s): "Unknown error (0x80005000)"
At C:\SD\scripts\sc\user\GetUserSPNS.ps1:98 char:5
$results = $searcher.FindAll()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Python 2.x will no longer be supported by their upstream developers in 2020. Thus Debian developers are actively removing Python 2 support in Debian Testing with the goal of getting rid of Python 2 in Debian 11 (bullseye).
Since Kali Linux is based on Debian Testing, we have to follow along. And since kerberoast is part of Kali, we would like to have a version of kerberoast that works with Python 3.
All your dependencies are already available for Python 3 so there should be no real blockers.
Do you have plans to port kerberoast to Python 3?
Tracking bug in Kali: https://gitlab.com/kalilinux/packages/kerberoast/issues/1