Add Kerberos Hashes #59
Comments
bee-san
added
good first issue
|
I recently learned about regex in one of my Python projects so I would be glad to help you with this! :) I started with one of the Kerberos hashes that are not in the Name-That-Hash and I came up with this: Prototype(
regex=re.compile(r"^\$krb5pa\$17\$[a-z0-9]+\$[a-z0-9]+\.[a-z0-9]+\$\$?[a-f0-9]+$", re.IGNORECASE),
modes=[
HashInfo(
name="Kerberos 5, etype 17, Pre-Auth",
hashcat=19800,
john="krb5pa-sha1",
extended=False,
)
],
),
Here are two hashes I found and it detects both of them: If everything is okay, I will continue to add others and will create a pull request with all of the changes when I am done :D |
Hey! Thanks SO much for doing that!!! Do you mind writing a description? The same one for each: This is just so everyone knows what it does, descriptions are super useful because someone that doesn't know what Kerberos is might see "Windows AD" and think "Huh! 🤔 This hash is from a Windows machine!" And can you please write a test? You just need to copy & paste this: And change:
+ assert "Kerberos" in x
- assert "scrypt" in xAgain, thank you so much for contributing! ❤️ |
|
Yeah will add a description to each one and write a test. Glad to help and to improve my skills! :) |
|
@amadejpapez That looks great. My only real concern is Using Interestingly hashcat requires the last section of hex to be between 104 and 112 characters, inclusive. (I think it's 104 + an optional checksum.) This is an alternate regex that uses the above info: This doesn't match your second example with |
|
Will change that and do the same for the others. Thank you very much! I saw the second one here: hashcat/hashcat#959 I think it should be same type but I could be wrong |
|
Regarding the I think John supports So.... no idea what to do here. Apparently John and hashcat support |
|
@bburky Would we need 2 different regex's that point to the same hash type? It's an odd situation. |
|
It's easy enough to write a regex that matches both, I'm just wondering if it would be confusing to our users. Yeah, double regexes is an option too, but we call them... what? "Kerberos 5 TGS-REP etype 17 (AES128-CTS-HMAC-SHA1-96) (John format)" . Would be pretty confusing too. It's not too hard to just match both with the same regex, I'm just not sure if it's more or less confusing. |
|
I think having 2 different regexes in the database is the better and less confusing option. The only difference I can see is that one format has a salt and the other one doesn't. So one could be named normal "Kerberos ..." for hashcat and second one could be named "Kerberos ... with salt" for john or something similar as @bburky already suggested. This would not confuse users that much and it would quickly show if john or hashcat is supported if there is a match. |
|
In my opinion, if I'm following this thread correctly, we have 2 choices:
I think increasing the complexity of our code is better here. Fundamentally users come first, so sacrificing our sanity for a better tool is the best option here @amadejpapez TL;DR - I agree with you. |
We're missing a lot of Kerberos hashes from this page:
https://hashcat.net/wiki/doku.php?id=example_hashes
Ctrl+F "Kerberos".
It's important we add them :)
See https://github.com/HashPals/Name-That-Hash/blob/main/name_that_hash/hashes.py for our DB of hashes.
The text was updated successfully, but these errors were encountered: