
Add username lookup fallback to creds #199

Open
sjanusz-r7 wants to merge 1 commit into rapid7:master from sjanusz-r7:username-credential-lookup

Conversation

@sjanusz-r7
Contributor

Attempts to fix the Framework issue: rapid7/metasploit-framework#21098

Testing

  • Checkout the PR: Add Kerberos type hashes to cracking metasploit-framework#20881
  • Add this to framework's gemfile: gem 'metasploit-credential', git: 'https://github.com/sjanusz-r7/metasploit-credential', branch: 'username-credential-lookup'
  • bundle
  • bundle exec ./msfconsole -q
  • Run through the steps from the issue report:
    creds -d
    creds add user:krb5tgs hash:\$krb5tgs\$23\$*user\$realm$test/spn*\$63386d22d359fe42230300d56852c9eb\$891ad31d09ab89c6b3b8c5e5de6c06a7f49fd559d7a9a3c32576c8fedf705376cea582ab5938f7fc8bc741acf05c5990741b36ef4311fe3562a41b70a4ec6ecba849905f2385bb3799d92499909658c7287c49160276bca0006c350b0db4fd387adc27c01e9e9ad0c20ed53a7e6356dee2452e35eca2a6a1d1432796fc5c19d068978df74d3d0baf35c77de12456bf1144b6a750d11f55805f5a16ece2975246e2d026dce997fba34ac8757312e9e4e6272de35e20d52fb668c5ed jtr:krb5tgs
    creds add user:krb5asrep hash:\$krb5asrep\$23\$user@domain.com:3e156ada591263b8aab0965f5aebd837\$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac jtr:krb5asrep
    use auxiliary/analyze/crack_windows
    rm ~/.msf4/john.pot
    set action john
    set verbose true
    rexploit
    creds
  • Confirm that both of the credentials have a cracked password:
id  host  origin  service  public     private                                                                                   realm  private_type        JtR Format  cracked_password
--  ----  ------  -------  ------     -------                                                                                   -----  ------------        ----------  ----------------
72                         krb5tgs    $krb5tgs$23$*user$realm$test/spn*$63386d22d359fe42230300d56852c9eb$891ad31d0 (TRUNCATED)         Nonreplayable hash  krb5tgs     hashcat
73                         krb5asrep  $krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c (TRUNCATED)         Nonreplayable hash  krb5asrep   hashcat
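As an added example (not code from this PR or from the metasploit-credential gem), the following Ruby check parses the two JtR/hashcat Kerberos hash formats used in the test steps above and flags creds whose stored public (username) differs from the principal embedded in the hash, which is the situation a cracked result has to be matched back to. The function names, the etype-23-only regexes and the sample rows are assumptions; the sample hashes are constructed with dummy hex.

```ruby
# Added example, not code from the metasploit-credential PR: parse the two
# JtR/hashcat Kerberos hash formats used in the test steps (etype 23 only,
# the form shown on this page) and check that the username stored as the
# credential's public matches the principal embedded in the hash.

KRB5TGS_RE = /\A\$krb5tgs\$(?<etype>\d+)\$\*(?<user>[^$]+)\$(?<realm>[^$]+)\$(?<spn>[^*]+)\*
              \$(?<checksum>\h{32})\$(?<edata>\h+)\z/x
KRB5ASREP_RE = /\A\$krb5asrep\$(?<etype>\d+)\$(?<user>[^@]+)@(?<realm>[^:]+):
                (?<checksum>\h{32})\$(?<edata>\h+)\z/x

# Returns a hash of the fields, or nil when the string is not one of the two formats.
def parse_kerberos_hash(str)
  if (m = KRB5TGS_RE.match(str))
    { format: 'krb5tgs', etype: m[:etype].to_i, user: m[:user], realm: m[:realm], spn: m[:spn] }
  elsif (m = KRB5ASREP_RE.match(str))
    { format: 'krb5asrep', etype: m[:etype].to_i, user: m[:user], realm: m[:realm], spn: nil }
  end
end

# Rows shaped like the `creds` table (id, public, private). Reports rows whose
# public does not match the principal inside the hash, so a cracked password
# would be attributed to the wrong account; non-Kerberos privates are ignored.
def username_mismatches(rows)
  rows.filter_map do |row|
    parsed = parse_kerberos_hash(row[:private])
    next unless parsed
    next if parsed[:user].casecmp?(row[:public])
    { id: row[:id], public: row[:public], embedded_user: parsed[:user], realm: parsed[:realm] }
  end
end

# Constructed sample hashes: the principal parts mirror the page's examples,
# the checksum/ciphertext hex is dummy filler, not real ticket data.
SAMPLE_TGS   = '$krb5tgs$23$*user$realm$test/spn*$' + ('0' * 32) + '$' + ('ab' * 16)
SAMPLE_ASREP = '$krb5asrep$23$user@domain.com:' + ('0' * 32) + '$' + ('ab' * 16)
SAMPLE_ROWS = [
  { id: 72, public: 'krb5tgs',   private: SAMPLE_TGS },   # public is the format name, as in the table above
  { id: 73, public: 'krb5asrep', private: SAMPLE_ASREP },
  { id: 74, public: 'user',      private: SAMPLE_ASREP }, # public matches the embedded principal
  { id: 75, public: 'user',      private: 'deadbeef' }    # not a Kerberos hash, ignored
]

if $PROGRAM_NAME == __FILE__
  username_mismatches(SAMPLE_ROWS).each do |r|
    puts "cred #{r[:id]}: public=#{r[:public]} but hash principal=#{r[:embedded_user]}@#{r[:realm]}"
  end
end
```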
