How to extract a hash (VNC, SSH2 or SMB) from a WireShark capture file - Printable Version

How to extract a hash (VNC, SSH2 or SMB) from a WireShark capture file - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Deprecated; Previous versions (https://hashcat.net/forum/forum-29.html)
+--- Forum: General Help (https://hashcat.net/forum/forum-8.html)
+--- Thread: How to extract a hash (VNC, SSH2 or SMB) from a WireShark capture file (/thread-2156.html)

Pages: 1 2

RE: How to extract a hash (VNC, SSH2 or SMB) from a WireShark capture file - SopalajoArrierez - 03-29-2013

(03-21-2013, 01:53 PM)halfie Wrote: I think your VNC session was using encryption (at least at some point). I can successfully extract the "hash" from your .pcap file and also crack it using JtR-jumbo.

Please use latest versions of JtR-jumbo and Ettercap (from GitHub) for best results

I am trying to install Ettercap latest build (seems to be 2013 updated) from their site:

https://github.com/Ettercap/ettercap

I have errors during compiling, even after a while updating libraries and so on. I will keep trying, but meanwhile, could you please tell me what was your version of Ettercap?
This is the mine, the latest one from Ubuntu repositories (I have tested BackTrack v5R3, The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux v1.0 and Ubuntu 12.04 LTS):

Code:
ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA

RE: How to extract a hash (VNC, SSH2 or SMB) from a WireShark capture file - SopalajoArrierez - 03-29-2013

Wefffff.... I finally did it: installed EtterCap latest version. It has been a bit hard: Ettercap seems to be very updated, so several libraries and programs (CURL, for example) need to be in the latest version.

I have checked what you say, halfie. You were right. Now I can capture VNC hashes. Thanks a lot:

Code:
luis@VirtUbuntu:~/Temporal/Ettercap$ more PruebaVNC.txt

192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf

So, now that I have this hash, how should I attack it? I made this tests (assuming VNC is a DES -m 1500 hash type):

Code:
PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 .\PruebaVNC.txt

WARNING: Hashfile '.\PruebaVNC.txt' in line 1 (192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf): Line-length exception

ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 "f:\Crackeoen Proceso\Pruebas\VNC\PruebaVNC-Modificado.txt" --username

WARNING: Hashfile 'f:\Crackeo en Proceso\Pruebas\VNC\PruebaVNC-Modificado.txt' in line 1 (*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf): Line-length exception

ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 '*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf'

WARNING: Hash '*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834c

f': Line-length exception

ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 '*a5d62a6cd58f41abe8785a4485811aac'

WARNING: Hash '*a5d62a6cd58f41abe8785a4485811aac': Line-length exception

ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 '*248d3290ce533f028613f092f25834cf'

WARNING: Hash '*248d3290ce533f028613f092f25834cf': Line-length exception

ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 '248d3290ce533f028613f092f25834cf'

WARNING: Hash '248d3290ce533f028613f092f25834cf': Line-length exception

ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 'a5d62a6cd58f41abe8785a4485811aac'

WARNING: Hash 'a5d62a6cd58f41abe8785a4485811aac': Line-length exception

ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 'a5d62a6cd58

f41abe8785a4485811aac:248d3290ce533f028613f092f25834cf'

WARNING: Hash 'a5d62a6cd58f41abe8785a4485811aac:248d3290ce533f028613f092f25834cf': Line-length exception

ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 'a5d62a6cd58f41abe8785a4485811aac248d3290ce533f028613f092f25834cf'

WARNING: Hash 'a5d62a6cd58f41abe8785a4485811aac248d3290ce533f028613f092f25834cf'

: Line-length exception

ERROR: No hashes loaded

I was suspecting this would not work, because, as far as I know, the data extracted by Ettercap should be a challenge-response pair, and maybe this is not the same as the hash.
So, even when we can crack (or try to) this hash using John the Ripper (only with Jumbo version, thanks again) I think the initial question is still on the air:
How can I extract the (in this case) VNC hash from a .pcap (WireShark) capture file for use in OCLHashCat-Plus?

RE: How to extract a hash (VNC, SSH2 or SMB) from a WireShark capture file - atom - 03-30-2013

VNC hashes are DEScrypt? I doubt that. DEScrypt does not have a "challenge-response" mechanism.

RE: How to extract a hash (VNC, SSH2 or SMB) from a WireShark capture file - epixoip - 03-30-2013

it's not descrypt, no. the challenge is bit-flipped and encrypted with a single round of des.

https://raw.github.com/magnumripper/JohnTheRipper/unstable-jumbo/src/vnc_fmt_plug.c

http://www.vidarholen.net/contents/junk/VNCEncrypt.java