How to extract a hash (VNC, SSH2 or SMB) from a WireShark capture file
#11
(03-21-2013, 01:53 PM)halfie Wrote: I think your VNC session was using encryption (at least at some point). I can successfully extract the "hash" from your .pcap file and also crack it using JtR-jumbo.

Please use latest versions of JtR-jumbo and Ettercap (from GitHub) for best results ;)

I am trying to install Ettercap latest build (seems to be 2013 updated) from their site:

https://github.com/Ettercap/ettercap

I have errors during compiling, even after a while updating libraries and so on. I will keep trying, but meanwhile, could you please tell me what your version of Ettercap was?
This is mine, the latest one from Ubuntu repositories (I have tested BackTrack v5R3, The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux v1.0 and Ubuntu 12.04 LTS):

Code:
ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA
#12
Wefffff.... I finally did it: installed Ettercap latest version. It has been a bit hard: Ettercap seems to be very updated, so several libraries and programs (CURL, for example) need to be in the latest version.

I have checked what you say, halfie. You were right. Now I can capture VNC hashes. Thanks a lot:

Code:
luis@VirtUbuntu:~/Temporal/Ettercap$ more PruebaVNC.txt
192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf

So, now that I have this hash, how should I attack it? I made these tests (assuming VNC is a DES -m 1500 hash type):

Code:
PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 .\PruebaVNC.txt
WARNING: Hashfile '.\PruebaVNC.txt' in line 1 (192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf): Line-length exception
ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 "f:\Crackeo en Proceso\Pruebas\VNC\PruebaVNC-Modificado.txt" --username
WARNING: Hashfile 'f:\Crackeo en Proceso\Pruebas\VNC\PruebaVNC-Modificado.txt' in line 1 (*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf): Line-length exception
ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 '*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf'
WARNING: Hash '*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf': Line-length exception
ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 '*a5d62a6cd58f41abe8785a4485811aac'
WARNING: Hash '*a5d62a6cd58f41abe8785a4485811aac': Line-length exception
ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 '*248d3290ce533f028613f092f25834cf'
WARNING: Hash '*248d3290ce533f028613f092f25834cf': Line-length exception
ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 '248d3290ce533f028613f092f25834cf'
WARNING: Hash '248d3290ce533f028613f092f25834cf': Line-length exception
ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 'a5d62a6cd58f41abe8785a4485811aac'
WARNING: Hash 'a5d62a6cd58f41abe8785a4485811aac': Line-length exception
ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 'a5d62a6cd58f41abe8785a4485811aac:248d3290ce533f028613f092f25834cf'
WARNING: Hash 'a5d62a6cd58f41abe8785a4485811aac:248d3290ce533f028613f092f25834cf': Line-length exception
ERROR: No hashes loaded

PS F:\Crackeo en Proceso\Pruebas\VNC> oclHashcat-plus64.exe -m 1500 'a5d62a6cd58f41abe8785a4485811aac248d3290ce533f028613f092f25834cf'
WARNING: Hash 'a5d62a6cd58f41abe8785a4485811aac248d3290ce533f028613f092f25834cf': Line-length exception
ERROR: No hashes loaded

I suspected this would not work, because, as far as I know, the data extracted by Ettercap should be a challenge-response pair, and maybe this is not the same as the hash.
So, even though we can crack (or try to) this hash using John the Ripper (only with Jumbo version, thanks again), I think the initial question is still up in the air:
How can I extract the (in this case) VNC hash from a .pcap (WireShark) capture file for use in OCLHashCat-Plus?
#13
VNC hashes are DEScrypt? I doubt that. DEScrypt does not have a "challenge-response" mechanism.
#14
it's not descrypt, no. the challenge is bit-flipped and encrypted with a single round of des.

https://raw.github.com/magnumripper/John...fmt_plug.c

http://www.vidarholen.net/contents/junk/VNCEncrypt.java
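
The line Ettercap produced in post #12, taken apart as an added example (not code from the thread, Ettercap or John the Ripper): it splits the `$vnc$*challenge*response` record into its two 16-byte fields and shows that none of the strings passed to `-m 1500` has the 13-character shape of a descrypt hash. The names `parse_vnc_line`, `looks_like_descrypt` and `inputs_tried` are made up for this example.

```python
import re
from typing import NamedTuple, Optional

# The line Ettercap wrote in post #12: host-port:$vnc$*challenge*response
SAMPLE = ("192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac"
          "*248d3290ce533f028613f092f25834cf")

class VncExchange(NamedTuple):
    host: Optional[str]
    port: Optional[int]
    challenge: bytes   # 16 bytes sent by the server
    response: bytes    # 16 bytes returned by the client

_LINE = re.compile(r"(?:(?P<host>[^:]+)-(?P<port>\d+):)?"
                   r"\$vnc\$\*(?P<chal>[0-9A-Fa-f]+)\*(?P<resp>[0-9A-Fa-f]+)")
# descrypt shape: 2 salt characters + 11 hash characters from [./0-9A-Za-z]
_DESCRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def parse_vnc_line(line: str) -> VncExchange:
    """Split a '$vnc$*challenge*response' line, with or without the host prefix."""
    m = _LINE.fullmatch(line.strip())
    if m is None:
        raise ValueError("not a $vnc$*challenge*response line")
    chal, resp = bytes.fromhex(m["chal"]), bytes.fromhex(m["resp"])
    if len(chal) != 16 or len(resp) != 16:
        raise ValueError("challenge and response must be 16 bytes each")
    port = int(m["port"]) if m["port"] else None
    return VncExchange(m["host"], port, chal, resp)

def looks_like_descrypt(candidate: str) -> bool:
    """True only if the string has the length and alphabet of a descrypt hash."""
    return _DESCRYPT.fullmatch(candidate) is not None

def inputs_tried(ex: VncExchange) -> list:
    """The field combinations post #12 passed to -m 1500."""
    c, r = ex.challenge.hex(), ex.response.hex()
    return [f"*{c}*{r}", f"*{c}", f"*{r}", r, c, f"{c}:{r}", c + r]

if __name__ == "__main__":
    ex = parse_vnc_line(SAMPLE)
    print(ex.host, ex.port, len(ex.challenge), len(ex.response))
    for s in inputs_tried(ex):
        print(len(s), looks_like_descrypt(s))
```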