nidem/kerberoast

kirbi2john

Closed this issue · 0 comments

kirbi2john seems to break JtR's ability to read the output correctly.

".kirbi" files dumped from mimikatz


$krb5tgs$2-40a10000-xor-app59$@MSSQLSvc~xor-app23.xor.com~1433-XOR.COM.kirbi:c2a26d7ec38e49393fc2a91fc2b322c3a1c2bfc3bec39414$c38ac28cc3bc10c3897bc29046c3a772560ac396c29831c280c3a63b4bc29a09c29866c3974fc29ec28dc385c29d34c2b936c2b77f2b0228c39f065cc39bc29503c293c3bdc285c3bfc2bf05c3abc39c30c2ab08c3934bc38ac2b47b31266cc..

Shortened for brevity. It's really the first part that seems like it's wrong; you can see the .kirbi at the end there:

"$krb5tgs$2-40a10000-xor-app59$@MSSQLSvc~xor-app23.xor.com~1433-XOR.COM.kirbi:c2"

Running John


I know that this is sort of the old-school way of doing things (downloading the tickets with mimikatz), but I'd like to be able to do both.

On the flip side, Invoke-Kerberoast, as it stands with Empire, outputs a correct hash formatted for John or Hashcat.
