DeforaNetworks/hashcat
3
0
Fork 0
Code Releases Activity

Added hash-modes 18200 (Kerberos 5 AS-REP etype 23)

Browse Source
This commit is contained in:
Arseniy Sharoglazov
2018-10-30 19:05:44 +03:00
parent b8eb7105dd
commit ee873da300
15 changed files with 4279 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

148
src/interface.c
View File

@@ -290,6 +290,7 @@ static const char *ST_HASH_17800 = "203f88777f18bb4ee1226627b547808f38d90d3e1062
static const char *ST_HASH_17900 = "5804b7ada5806ba79540100e9a7ef493654ff2a21d94d4f2ce4bf69abda5d94bf03701fe9525a15dfdc625bfbd769701";
static const char *ST_HASH_18000 = "2fbf5c9080f0a704de2e915ba8fdae6ab00bbc026b2c1c8fa07da1239381c6b7f4dfd399bf9652500da723694a4c719587dd0219cb30eabe61210a8ae4dc0b03";
static const char *ST_HASH_18100 = "597056:3600";
static const char *ST_HASH_18200 = "$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac";
static const char *ST_HASH_99999 = "hashcat";
static const char *OPTI_STR_OPTIMIZED_KERNEL = "Optimized-Kernel";
@@ -546,6 +547,7 @@ static const char *HT_17800 = "Keccak-256";
static const char *HT_17900 = "Keccak-384";
static const char *HT_18000 = "Keccak-512";
static const char *HT_18100 = "TOTP (HMAC-SHA1)";
static const char *HT_18200 = "Kerberos 5 AS-REP etype 23";
static const char *HT_99999 = "Plaintext";
static const char *HT_00011 = "Joomla < 2.5.18";
@@ -631,6 +633,7 @@ static const char *SIGNATURE_EPISERVER = "$episerver$";
static const char *SIGNATURE_KEEPASS = "$keepass$";
static const char *SIGNATURE_KRB5PA = "$krb5pa$23$";
static const char *SIGNATURE_KRB5TGS = "$krb5tgs$23$";
static const char *SIGNATURE_KRB5ASREP = "$krb5asrep$23$";
static const char *SIGNATURE_MD5AIX = "{smd5}";
static const char *SIGNATURE_MD5APR1 = "$apr1$";
static const char *SIGNATURE_MD5CRYPT = "$1$";
@@ -14216,6 +14219,107 @@ int krb5tgs_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UN
return (PARSER_OK);
}
int krb5asrep_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig)
{
u32 *digest = (u32 *) hash_buf->digest;
salt_t *salt = hash_buf->salt;
krb5asrep_t *krb5asrep = (krb5asrep_t *) hash_buf->esalt;
token_t token;
token.signatures_cnt = 1;
token.signatures_buf[0] = SIGNATURE_KRB5ASREP;
token.len[0] = strlen(SIGNATURE_KRB5ASREP);
token.attr[0] = TOKEN_ATTR_FIXED_LENGTH
| TOKEN_ATTR_VERIFY_SIGNATURE;
/**
* $krb5asrep$23$user_principal_name:checksum$edata2
*/
if (input_len < 16) return (PARSER_SALT_LENGTH);
char *upn_info_start = (char *) input_buf + strlen(SIGNATURE_KRB5ASREP);
char *upn_info_stop = strchr ((const char *) upn_info_start, ':');
if (upn_info_stop == NULL) return (PARSER_SEPARATOR_UNMATCHED);
upn_info_stop++; // we want the : char included
const int upn_info_len = upn_info_stop - upn_info_start;
token.token_cnt = 4;
token.len[1] = upn_info_len;
token.attr[1] = TOKEN_ATTR_FIXED_LENGTH;
token.sep[2] = '$';
token.len_min[2] = 32;
token.len_max[2] = 32;
token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_HEX;
token.sep[3] = '$';
token.len_min[3] = 64;
token.len_max[3] = 40960;
token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH
| TOKEN_ATTR_VERIFY_HEX;
const int rc_tokenizer = input_tokenizer (input_buf, input_len, &token);
if (rc_tokenizer != PARSER_OK) return (rc_tokenizer);
u8 *checksum_pos;
u8 *data_pos;
int data_len;
checksum_pos = token.buf[2];
data_pos = token.buf[3];
data_len = token.len[3];
memcpy (krb5asrep->account_info, token.buf[1], token.len[1]);
krb5asrep->checksum[0] = hex_to_u32 (checksum_pos + 0);
krb5asrep->checksum[1] = hex_to_u32 (checksum_pos + 8);
krb5asrep->checksum[2] = hex_to_u32 (checksum_pos + 16);
krb5asrep->checksum[3] = hex_to_u32 (checksum_pos + 24);
u8 *edata_ptr = (u8 *) krb5asrep->edata2;
for (int i = 0; i < data_len; i += 2)
{
const u8 p0 = data_pos[i + 0];
const u8 p1 = data_pos[i + 1];
*edata_ptr++ = hex_convert (p1) << 0
| hex_convert (p0) << 4;
}
krb5asrep->edata2_len = data_len / 2;
/* this is needed for hmac_md5 */
*edata_ptr++ = 0x80;
salt->salt_buf[0] = krb5asrep->checksum[0];
salt->salt_buf[1] = krb5asrep->checksum[1];
salt->salt_buf[2] = krb5asrep->checksum[2];
salt->salt_buf[3] = krb5asrep->checksum[3];
salt->salt_len = 16;
digest[0] = krb5asrep->checksum[0];
digest[1] = krb5asrep->checksum[1];
digest[2] = krb5asrep->checksum[2];
digest[3] = krb5asrep->checksum[3];
return (PARSER_OK);
}
int axcrypt_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED hashconfig_t *hashconfig)
{
u32 *digest = (u32 *) hash_buf->digest;
@@ -18579,6 +18683,7 @@ const char *strhashtype (const u32 hash_mode)
case 17900: return HT_17900;
case 18000: return HT_18000;
case 18100: return HT_18100;
case 18200: return HT_18200;
case 99999: return HT_99999;
}
@@ -22384,6 +22489,30 @@ int ascii_digest (hashcat_ctx_t *hashcat_ctx, char *out_buf, const size_t out_le
snprintf (out_buf, out_len - 1, "%06d:%" PRIu64, digest_buf[0], tmp_salt_buf);
}
else if (hash_mode == 18200)
{
krb5asrep_t *krb5asreps = (krb5asrep_t *) esalts_buf;
krb5asrep_t *krb5asrep = &krb5asreps[digest_cur];
char data[5120 * 4 * 2] = { 0 };
for (u32 i = 0, j = 0; i < krb5asrep->edata2_len; i += 1, j += 2)
{
u8 *ptr_edata2 = (u8 *) krb5asrep->edata2;
sprintf (data + j, "%02x", ptr_edata2[i]);
}
snprintf (out_buf, out_len - 1, "%s%s%08x%08x%08x%08x$%s",
SIGNATURE_KRB5ASREP,
(char *) krb5asrep->account_info,
byte_swap_32 (krb5asrep->checksum[0]),
byte_swap_32 (krb5asrep->checksum[1]),
byte_swap_32 (krb5asrep->checksum[2]),
byte_swap_32 (krb5asrep->checksum[3]),
data);
}
else if (hash_mode == 99999)
{
char *ptr = (char *) digest_buf;
@@ -27692,6 +27821,23 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx)
hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN;
break;
case 18200: hashconfig->hash_type = HASH_TYPE_KRB5ASREP;
hashconfig->salt_type = SALT_TYPE_EMBEDDED;
hashconfig->attack_exec = ATTACK_EXEC_INSIDE_KERNEL;
hashconfig->opts_type = OPTS_TYPE_PT_GENERATE_LE;
hashconfig->kern_type = KERN_TYPE_KRB5ASREP;
hashconfig->dgst_size = DGST_SIZE_4_4;
hashconfig->parse_func = krb5asrep_parse_hash;
hashconfig->opti_type = OPTI_TYPE_ZERO_BYTE
| OPTI_TYPE_NOT_ITERATED;
hashconfig->dgst_pos0 = 0;
hashconfig->dgst_pos1 = 1;
hashconfig->dgst_pos2 = 2;
hashconfig->dgst_pos3 = 3;
hashconfig->st_hash = ST_HASH_18200;
hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN;
break;
case 99999: hashconfig->hash_type = HASH_TYPE_PLAINTEXT;
hashconfig->salt_type = SALT_TYPE_NONE;
hashconfig->attack_exec = ATTACK_EXEC_INSIDE_KERNEL;
@@ -27917,6 +28063,7 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx)
case 16800: hashconfig->esalt_size = sizeof (wpa_pmkid_t); break;
case 16801: hashconfig->esalt_size = sizeof (wpa_pmkid_t); break;
case 16900: hashconfig->esalt_size = sizeof (ansible_vault_t); break;
case 18200: hashconfig->esalt_size = sizeof (krb5asrep_t); break;
}
// hook_salt_size
@@ -28087,6 +28234,7 @@ u32 hashconfig_forced_kernel_threads (hashcat_ctx_t *hashcat_ctx)
if (hashconfig->hash_mode == 10500) kernel_threads = 64; // RC4
if (hashconfig->hash_mode == 13100) kernel_threads = 64; // RC4
if (hashconfig->hash_mode == 15700) kernel_threads = 1; // SCRYPT
if (hashconfig->hash_mode == 18200) kernel_threads = 64; // RC4
return kernel_threads;
}