Old kerberos info affecting multiple tools: please help

I finished the forest box. Anyone familiar knows the svc-al****** user. I’m now working on another box and Crackmap, smbmap, Spray (pw spray script), hashcat, john…all are referencing the user from forest and the domain. Wtf is going on?

I checked my krb5.conf, klist shows no tickets stored, I removed all .ccache files from impackets dir and elsewhere on my system, kadmin flushed tickets… what could be storing and reusing this info. On so many tools?

I deleted/reinstalled kerberos packages and impacket. Problem still persists. Specifically while working on sauna box, I got a user kerberos hash. When I tried to crack with hashcat and john, both failed while referencing the svc user from forest and the domain.

I had to copy the hash to another VM and crack it there. Any ideas?

i was wondering the same, but no idea why they share the same workgroup. I used pw spray for the other box

Type your comment> @peek said:

i was wondering the same, but no idea why they share the same workgroup. I used pw spray for the other box

This was particularly strange, because spray is just a bash script with vars and loops. It did make a reference to rpcclient for smb spray…maybe all the other tools do too? But that doesn’t explain hashcat and john. Unless they have their own cached files from when I worked on forest? I did use both at the time… I dont know.

I found it! this is so ridiculous…my rockyou.txt file was overwritten with something like: “svc-******* SABatchJobs%SABatchjobs …” i feel like a dummy. but happy i found the cuase.

Type your comment> @BINtendo said:

I found it! this is so ridiculous…my rockyou.txt file was overwritten with something like: “svc-******* …” i feel like a dummy. but happy i found the cuase.

cool, thanks for the feedback