How to extract a hash (VNC, SSH2 or SMB) from a WireShark capture file
#1
Hello all.

Until now I have only tested WPA hashes, and they have been extracted from a airodump-ng's capture file using tshark or aircrack-ng (-J option).
I wanna go one step beyond, and in an effort to undestand and learning a bit of the inners of hash file extraction, I wanna strip (if possible) a real hash from a .cap WireShark's capture file.
I have captured those types of authentication:

- VNC (RealVNC).
- SSH2 (OpenSSH).
- SMB (connection to SAMBA server).

so I would like to know the way of obtaining a single hash from any of those .cap files.
Is there any automation for this task? Or can I copy&paste directly any data from some of the captured package/s?

I have tested EtterCap, TShark and Cain&Abel with no results. None of them seems to give a valid hash string.
Any ideas or URL to check for? I can post .cap files or some of their data if needed.

Thanks you a lot.
#2
Which version of Ettercap are you using?

Parsing VNC packets is supported by Ettercap (I fixed the VNC dissector some time back but I might have missed something).

Can you share some .pcap files?
#3
All right, I think I have succeeded in sniffing a SMB hash. I have done it using EtterCap.
This is the command:

Code:
ettercap -T -w dump.cap /OriginIP/ // output: -l logfile

so it yields through screen (checkable too via the logfile using etterlog):

Code:
ACCOUNT : Luis- / Luis-:"":"":FF6D1D6B511167E500000000000000000000000000000000:261B4DFEDB3BBC143D21C4F15BB8299FBA974901C5DB19CC:DD3291B8FA111B98  (192.168.11.113)
      INFO    : DOMAIN: THREEPWOOD
(I have modified the numbers here, of course, so they are not entirely real)
Now, which one of those three numbers separated by ":" should theorically be sent to hashcat?
And what hash type must be specified?

I have heard about NTLM hashes are sent with LM hashes too. And some docs say the hash are MD4, anothers MD5... etc. Furthermore, I remember LM hashes were splitted each 7 corresponding characters of the original password. So I am asking this instead of just running hashcat.
#4
(03-20-2013, 07:01 PM)halfie Wrote: Which version of Ettercap are you using?

This is my version:
ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA

(03-20-2013, 07:01 PM)halfie Wrote: Parsing VNC packets is supported by Ettercap (I fixed the VNC dissector some time back but I might have missed something).

Mmm... I am capturing a connection to VNC4Server at Ubuntu and EtterCap yields many data, but not the password.

(03-20-2013, 07:01 PM)halfie Wrote: Can you share some .pcap files?

Here you have: it is an ettercap capture:

Code:
sudo ettercap -T -w dump.cap /192.168.11.113/ // output: -l logfile.eci -i eth1

Chomsky (computer one with IP 192.168.11.113 running Windows XP, RealVNC Viewer) connects to ThreepWood (computer two running Ubuntu 12.04, VNC4Server) using password "12345678". Real VNCViewer tells there is no encryption in this connection.
This is the output of EtterLog:

Code:
luis@ThreepWood:~/Temporal/Ettercap$ sudo etterlog Chomsky-ThreepWood-VNC-NoEncryption.eci

etterlog NG-0.7.4.2 copyright 2001-2005 ALoR & NaGA

Log file version    : NG-0.7.4.2
Timestamp           : Wed Mar 20 20:35:20 2013
Type                : LOG_INFO

1766 tcp OS fingerprint
7587 mac vendor fingerprint
2183 known services


==================================================
IP address   : 192.168.11.110

MAC address  : 00:1D:60:13:DF:CB
MANUFACTURER :

DISTANCE     : 0
TYPE         : LAN host

FINGERPRINT      : 3908:05B4:40:06:1:1:1:0:A:34
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST ONE IS   : Windows 98 SE

   PORT     : TCP 5901 | vnc-1  [RFB 003.008]


==================================================

==================================================
IP address   : 192.168.11.113

MAC address  : 00:23:54:7F:F2:4F
MANUFACTURER :

DISTANCE     : 1
TYPE         : LAN host

FINGERPRINT      : FFFF:05B4:80:02:1:1:1:0:S:34
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST ONE IS   : Windows 2000


==================================================

As you can see, there is no password guessed at all.
#5
(03-20-2013, 07:01 PM)halfie Wrote: Which version of Ettercap are you using?

This is my version:
ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA

(03-20-2013, 07:01 PM)halfie Wrote: Parsing VNC packets is supported by Ettercap (I fixed the VNC dissector some time back but I might have missed something).

Mmm... I am capturing a connection to VNC4Server at Ubuntu and EtterCap yields many data, but not the password.

(03-20-2013, 07:01 PM)halfie Wrote: Can you share some .pcap files?

Here you have:

https://docs.google.com/file/d/0Bzu9KpPO...sp=sharing

it is an ettercap capture:

Code:
sudo ettercap -T -w dump.cap /192.168.11.113/ // output: -l logfile.eci -i eth1

Chomsky (computer one with IP 192.168.11.113 running Windows XP, RealVNC Viewer) connects to ThreepWood (computer two running Ubuntu 12.04, VNC4Server) using password "12345678". Real VNCViewer tells there is no encryption in this connection.
This is the output of EtterLog:

Code:
luis@ThreepWood:~/Temporal/Ettercap$ sudo etterlog Chomsky-ThreepWood-VNC-NoEncryption.eci

etterlog NG-0.7.4.2 copyright 2001-2005 ALoR & NaGA

Log file version    : NG-0.7.4.2
Timestamp           : Wed Mar 20 20:35:20 2013
Type                : LOG_INFO

1766 tcp OS fingerprint
7587 mac vendor fingerprint
2183 known services


==================================================
IP address   : 192.168.11.110

MAC address  : 00:1D:60:13:DF:CB
MANUFACTURER :

DISTANCE     : 0
TYPE         : LAN host

FINGERPRINT      : 3908:05B4:40:06:1:1:1:0:A:34
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST ONE IS   : Windows 98 SE

   PORT     : TCP 5901 | vnc-1  [RFB 003.008]


==================================================

==================================================
IP address   : 192.168.11.113

MAC address  : 00:23:54:7F:F2:4F
MANUFACTURER :

DISTANCE     : 1
TYPE         : LAN host

FINGERPRINT      : FFFF:05B4:80:02:1:1:1:0:S:34
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST ONE IS   : Windows 2000


==================================================

As you can see, there is no password guessed at all.

Thanks a lot for your kindly help.
#6
I have too some test capture files (.cap and .eci) of SSH and SMB connection. I can upload them if needed.
#7
And some more data to test: I am now trying with SSL: a connection to GMail website using a test account. I am trying to extract the hash using "ssldump":

Code:
ssldump -r GMailConnection.cap

It gives me lots of data. There are some lines that could be the hash:

Code:
36 148 6.5794 (3.2014)  C>S  application_data
47 2  1.2720 (0.0953)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          6b 57 35 8a 65 fd 43 62 84 d3 8b 1c b2 45 79 e9
          ec f6 af f3 72 6c 0b c5 97 83 59 1c 04 37 3d b7
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
        compressionMethod                   NULL
47 3  1.2720 (0.0000)  S>C  ChangeCipherSpec
47 4  1.2720 (0.0000)  S>C  Handshake
May I extract the handshake from here?
OCLHashCat-Plus process correctly this hash in -m 1400 (SHA256) type, but it does not find my password ("12345678" again):

Code:
oclhashcat-plus64 -m 1400 6b57358a65fd436284d38b1cb24fdae9ecf6aff3726c0bc59783591c04373db7 -a 3 12345678

I can post the results of ssldump if requested. There are several lines like "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" or "TLS_RSA_WITH_RC4_128_SHA".
#8
I think your VNC session was using encryption (at least at some point). I can successfully extract the "hash" from your .pcap file and also crack it using JtR-jumbo.

Please use latest versions of JtR-jumbo and Ettercap (from GitHub) for best results Wink

Code:
$ ettercap -Tq -r Chomsky-ThreepWood-VNC-NoEncryption.cap

ettercap 0.7.5.4 copyright 2001-2013 Ettercap Development Team
...
192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf
...

$ cat hash # copy-pasted from above outut
192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf

$ ../run/john hash
Loaded 1 password hash (VNC DES [32/64])
12345678         (192.168.11.110-5901)

As you can see, things do work Smile
#9
You will be able to crack the SMB hashes with the next version of hashcat / oclHashcat

PS: had to edit the topic, it was to long, MyBB was complaining
#10
Smile 
(03-21-2013, 02:36 PM)atom Wrote: You will be able to crack the SMB hashes with the next version of hashcat / oclHashcat

That is fine.
So I supposed that the data sent via network for SMB authentication was an LM or NTLM hash, but it seems I was wrong.

Your post is from 21-03-2013, but v0.14 is from 22-03-2013. I have checked "hash types" in v0.14, but there is no one named "SMB". Is the hash in the published version, or you were talking about the next one?

Thanks for the info, Atom.

(03-21-2013, 02:36 PM)atom Wrote: PS: had to edit the topic, it was to long, MyBB was complaining

No problem.