Posts: 45
Threads: 14
Joined: Jan 2013
03-20-2013, 05:02 PM
(This post was last modified: 03-21-2013, 02:36 PM by atom.)
Hello all.
Until now I have only tested WPA hashes, and they have been extracted from a airodump-ng's capture file using tshark or aircrack-ng (-J option).
I wanna go one step beyond, and in an effort to undestand and learning a bit of the inners of hash file extraction, I wanna strip (if possible) a real hash from a .cap WireShark's capture file.
I have captured those types of authentication:
- VNC (RealVNC).
- SSH2 (OpenSSH).
- SMB (connection to SAMBA server).
so I would like to know the way of obtaining a single hash from any of those .cap files.
Is there any automation for this task? Or can I copy&paste directly any data from some of the captured package/s?
I have tested EtterCap, TShark and Cain&Abel with no results. None of them seems to give a valid hash string.
Any ideas or URL to check for? I can post .cap files or some of their data if needed.
Thanks you a lot.
Posts: 39
Threads: 2
Joined: Mar 2012
Which version of Ettercap are you using?
Parsing VNC packets is supported by Ettercap (I fixed the VNC dissector some time back but I might have missed something).
Can you share some .pcap files?
Posts: 45
Threads: 14
Joined: Jan 2013
All right, I think I have succeeded in sniffing a SMB hash. I have done it using EtterCap.
This is the command:
Code:
ettercap -T -w dump.cap /OriginIP/ // output: -l logfile
so it yields through screen (checkable too via the logfile using etterlog):
Code:
ACCOUNT : Luis- / Luis-:"":"":FF6D1D6B511167E500000000000000000000000000000000:261B4DFEDB3BBC143D21C4F15BB8299FBA974901C5DB19CC:DD3291B8FA111B98 (192.168.11.113)
INFO : DOMAIN: THREEPWOOD
(I have modified the numbers here, of course, so they are not entirely real)
Now, which one of those three numbers separated by ":" should theorically be sent to hashcat?
And what hash type must be specified?
I have heard about NTLM hashes are sent with LM hashes too. And some docs say the hash are MD4, anothers MD5... etc. Furthermore, I remember LM hashes were splitted each 7 corresponding characters of the original password. So I am asking this instead of just running hashcat.
Posts: 45
Threads: 14
Joined: Jan 2013
(03-20-2013, 07:01 PM)halfie Wrote: Which version of Ettercap are you using?
This is my version:
ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA
(03-20-2013, 07:01 PM)halfie Wrote: Parsing VNC packets is supported by Ettercap (I fixed the VNC dissector some time back but I might have missed something).
Mmm... I am capturing a connection to VNC4Server at Ubuntu and EtterCap yields many data, but not the password.
(03-20-2013, 07:01 PM)halfie Wrote: Can you share some .pcap files?
Here you have: it is an ettercap capture:
Code:
sudo ettercap -T -w dump.cap /192.168.11.113/ // output: -l logfile.eci -i eth1
Chomsky (computer one with IP 192.168.11.113 running Windows XP, RealVNC Viewer) connects to ThreepWood (computer two running Ubuntu 12.04, VNC4Server) using password "12345678". Real VNCViewer tells there is no encryption in this connection.
This is the output of EtterLog:
Code:
luis@ThreepWood:~/Temporal/Ettercap$ sudo etterlog Chomsky-ThreepWood-VNC-NoEncryption.eci
etterlog NG-0.7.4.2 copyright 2001-2005 ALoR & NaGA
Log file version : NG-0.7.4.2
Timestamp : Wed Mar 20 20:35:20 2013
Type : LOG_INFO
1766 tcp OS fingerprint
7587 mac vendor fingerprint
2183 known services
==================================================
IP address : 192.168.11.110
MAC address : 00:1D:60:13:DF:CB
MANUFACTURER :
DISTANCE : 0
TYPE : LAN host
FINGERPRINT : 3908:05B4:40:06:1:1:1:0:A:34
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST ONE IS : Windows 98 SE
PORT : TCP 5901 | vnc-1 [RFB 003.008]
==================================================
==================================================
IP address : 192.168.11.113
MAC address : 00:23:54:7F:F2:4F
MANUFACTURER :
DISTANCE : 1
TYPE : LAN host
FINGERPRINT : FFFF:05B4:80:02:1:1:1:0:S:34
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST ONE IS : Windows 2000
==================================================
As you can see, there is no password guessed at all.
Posts: 45
Threads: 14
Joined: Jan 2013
(03-20-2013, 07:01 PM)halfie Wrote: Which version of Ettercap are you using?
This is my version:
ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA
(03-20-2013, 07:01 PM)halfie Wrote: Parsing VNC packets is supported by Ettercap (I fixed the VNC dissector some time back but I might have missed something).
Mmm... I am capturing a connection to VNC4Server at Ubuntu and EtterCap yields many data, but not the password.
(03-20-2013, 07:01 PM)halfie Wrote: Can you share some .pcap files?
Here you have:
https://docs.google.com/file/d/0Bzu9KpPO...sp=sharing
it is an ettercap capture:
Code:
sudo ettercap -T -w dump.cap /192.168.11.113/ // output: -l logfile.eci -i eth1
Chomsky (computer one with IP 192.168.11.113 running Windows XP, RealVNC Viewer) connects to ThreepWood (computer two running Ubuntu 12.04, VNC4Server) using password "12345678". Real VNCViewer tells there is no encryption in this connection.
This is the output of EtterLog:
Code:
luis@ThreepWood:~/Temporal/Ettercap$ sudo etterlog Chomsky-ThreepWood-VNC-NoEncryption.eci
etterlog NG-0.7.4.2 copyright 2001-2005 ALoR & NaGA
Log file version : NG-0.7.4.2
Timestamp : Wed Mar 20 20:35:20 2013
Type : LOG_INFO
1766 tcp OS fingerprint
7587 mac vendor fingerprint
2183 known services
==================================================
IP address : 192.168.11.110
MAC address : 00:1D:60:13:DF:CB
MANUFACTURER :
DISTANCE : 0
TYPE : LAN host
FINGERPRINT : 3908:05B4:40:06:1:1:1:0:A:34
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST ONE IS : Windows 98 SE
PORT : TCP 5901 | vnc-1 [RFB 003.008]
==================================================
==================================================
IP address : 192.168.11.113
MAC address : 00:23:54:7F:F2:4F
MANUFACTURER :
DISTANCE : 1
TYPE : LAN host
FINGERPRINT : FFFF:05B4:80:02:1:1:1:0:S:34
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST ONE IS : Windows 2000
==================================================
As you can see, there is no password guessed at all.
Thanks a lot for your kindly help.
Posts: 45
Threads: 14
Joined: Jan 2013
I have too some test capture files (.cap and .eci) of SSH and SMB connection. I can upload them if needed.
Posts: 45
Threads: 14
Joined: Jan 2013
And some more data to test: I am now trying with SSL: a connection to GMail website using a test account. I am trying to extract the hash using "ssldump":
Code:
ssldump -r GMailConnection.cap
It gives me lots of data. There are some lines that could be the hash:
Code:
36 148 6.5794 (3.2014) C>S application_data
47 2 1.2720 (0.0953) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
6b 57 35 8a 65 fd 43 62 84 d3 8b 1c b2 45 79 e9
ec f6 af f3 72 6c 0b c5 97 83 59 1c 04 37 3d b7
cipherSuite TLS_RSA_WITH_RC4_128_SHA
compressionMethod NULL
47 3 1.2720 (0.0000) S>C ChangeCipherSpec
47 4 1.2720 (0.0000) S>C Handshake
May I extract the handshake from here?
OCLHashCat-Plus process correctly this hash in -m 1400 (SHA256) type, but it does not find my password ("12345678" again):
Code:
oclhashcat-plus64 -m 1400 6b57358a65fd436284d38b1cb24fdae9ecf6aff3726c0bc59783591c04373db7 -a 3 12345678
I can post the results of ssldump if requested. There are several lines like "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" or "TLS_RSA_WITH_RC4_128_SHA".
Posts: 39
Threads: 2
Joined: Mar 2012
03-21-2013, 01:53 PM
(This post was last modified: 03-21-2013, 01:55 PM by halfie.)
I think your VNC session was using encryption (at least at some point). I can successfully extract the "hash" from your .pcap file and also crack it using JtR-jumbo.
Please use latest versions of JtR-jumbo and Ettercap (from GitHub) for best results
Code:
$ ettercap -Tq -r Chomsky-ThreepWood-VNC-NoEncryption.cap
ettercap 0.7.5.4 copyright 2001-2013 Ettercap Development Team
...
192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf
...
$ cat hash # copy-pasted from above outut
192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf
$ ../run/john hash
Loaded 1 password hash (VNC DES [32/64])
12345678 (192.168.11.110-5901)
As you can see, things do work
Posts: 5,185
Threads: 230
Joined: Apr 2010
You will be able to crack the SMB hashes with the next version of hashcat / oclHashcat
PS: had to edit the topic, it was to long, MyBB was complaining
Posts: 45
Threads: 14
Joined: Jan 2013
03-29-2013, 12:55 PM
(03-21-2013, 02:36 PM)atom Wrote: You will be able to crack the SMB hashes with the next version of hashcat / oclHashcat
That is fine.
So I supposed that the data sent via network for SMB authentication was an LM or NTLM hash, but it seems I was wrong.
Your post is from 21-03-2013, but v0.14 is from 22-03-2013. I have checked "hash types" in v0.14, but there is no one named "SMB". Is the hash in the published version, or you were talking about the next one?
Thanks for the info, Atom.
(03-21-2013, 02:36 PM)atom Wrote: PS: had to edit the topic, it was to long, MyBB was complaining
No problem.
