Old kerberos info affecting multiple tools: please help

edited February 19 in Off-topic
I finished the forest box. Anyone familiar knows the svc-al****** user. I'm now working on another box and Crackmap, smbmap, Spray (pw spray script), hashcat, john.....all are referencing the user from forest and the domain. Wtf is going on?

I checked my krb5.conf, klist shows no tickets stored, I removed all .ccache files from impackets dir and elsewhere on my system, kadmin flushed tickets.... what could be storing and reusing this info. On so many tools?

I deleted/reinstalled kerberos packages and impacket. Problem still persists. Specifically while working on sauna box, I got a user kerberos hash. When I tried to crack with hashcat and john, both failed while referencing the svc user from forest and the domain.

I had to copy the hash to another VM and crack it there. Any ideas?

Arrexel

Comments

  • i was wondering the same, but no idea why they share the same workgroup. I used pw spray for the other box

    peek

  • Type your comment> @peek said:
    > i was wondering the same, but no idea why they share the same workgroup. I used pw spray for the other box

    This was particularly strange, because spray is just a bash script with vars and loops. It did make a reference to rpcclient for smb spray...maybe all the other tools do too? But that doesn't explain hashcat and john. Unless they have their own cached files from when I worked on forest? I did use both at the time..... I dont know.

    Arrexel

  • I found it! this is so ridiculous....my rockyou.txt file was overwritten with something like: "svc-******* SABatchJobs%SABatchjobs ......." i feel like a dummy. but happy i found the cuase.

    Arrexel

  • Type your comment> @BINtendo said:

    I found it! this is so ridiculous....my rockyou.txt file was overwritten with something like: "svc-******* ......." i feel like a dummy. but happy i found the cuase.

    cool, thanks for the feedback

    peek

Sign In to comment.