Brute-Shark: A New Project that extracts hashes from PCAP files
#1
BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files).
It can extract hashes of encrypted passwords and convert them to a Hashcat format in order to perform an offline Brute Force attack.
Supported hash types so far (more to come): Kerberos, NTLM, CRAM-MD5, HTTP-Digest.
Brute-Shark can also extract passwords, build a network map, reconstruct TCP sessions and more.

Check it out! 
https://github.com/odedshimon/BruteShark
#2
Thanks for sharing.
I know PCredz and Net-Creds, which seem to do the same.
Could you please explain what's new in your software?
#3
Hi,
PCredz and Net-Creds are great tools,
but there are several significant differences:

1. Implementation - PCredz and Net-Creds are single-file scripts that extract data only from single packets. BruteShark has a complete information analysis layer that is able to reconstruct all TCP sessions, therefore the implementation of the extracting algorithms can be more accurate, including inspecting both sides of the conversation (for example, check the Telnet or NTLM parsers).

2. While PCredz and Net-Creds are scripts that extract credentials, BruteShark aims to be an all-in-one solution for security researchers with the task of network traffic analysis while they try to identify weaknesses; that includes drawing a network map, reconstructing all TCP sessions and more.
Imagine you are investigating an attacker performing suspicious activity against an FTP server; I believe you would like to see all the session data in order to understand the essence of the activity.

3. Architecture - BruteShark implements a pluggable architecture and was built for adding more modules (at this point I’m waiting for ideas and feedback); it also has a GUI version.

Please take a look at the code and feel free to contact me with any further questions.
contact.oded.shimon@gmail.com
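The difference between single-packet inspection and session reconstruction described in post #3, shown as an added example that is not part of the original post and is not BruteShark's code. The packet tuples, addresses and function names are constructed for illustration, and the sketch assumes no lost segments and no sequence-number wraparound.

```python
from collections import defaultdict

# Constructed sample of one FTP control connection, in capture order:
# (src, sport, dst, dport, tcp_seq, payload). The USER command is split
# across two segments, arrives out of order, and one segment is retransmitted.
PACKETS = [
    ("10.0.0.5", 40112, "10.0.0.9", 21, 1009, b"ymous\r\n"),
    ("10.0.0.9", 21, "10.0.0.5", 40112, 5000, b"220 ready\r\n"),
    ("10.0.0.5", 40112, "10.0.0.9", 21, 1000, b"USER anon"),
    ("10.0.0.5", 40112, "10.0.0.9", 21, 1000, b"USER anon"),  # retransmission
    ("10.0.0.9", 21, "10.0.0.5", 40112, 5011, b"331 Need password\r\n"),
    ("10.0.0.5", 40112, "10.0.0.9", 21, 1016, b"QUIT\r\n"),
]

def session_key(src, sport, dst, dport):
    """Direction-independent key, so both sides land in the same session."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def reassemble(packets):
    """Return {session_key: {(src, sport): stream_bytes}} ordered by TCP seq."""
    segs = defaultdict(lambda: defaultdict(dict))
    for src, sport, dst, dport, seq, payload in packets:
        if payload:
            # Keyed by seq: an identical retransmission replaces its duplicate.
            segs[session_key(src, sport, dst, dport)][(src, sport)][seq] = payload
    sessions = {}
    for key, directions in segs.items():
        sessions[key] = {}
        for endpoint, by_seq in directions.items():
            stream, nxt = b"", min(by_seq)
            for seq in sorted(by_seq):
                # Drop bytes already covered by an earlier, overlapping segment.
                stream += by_seq[seq][max(0, nxt - seq):]
                nxt = max(nxt, seq + len(by_seq[seq]))
            sessions[key][endpoint] = stream
    return sessions

def per_packet_hits(packets, needle):
    """What a single-packet parser sees: payloads searched one at a time."""
    return sum(needle in p[-1] for p in packets)

def per_session_hits(sessions, needle):
    """What a session-level parser sees: each reassembled direction searched."""
    return sum(needle in s for d in sessions.values() for s in d.values())

if __name__ == "__main__":
    sessions = reassemble(PACKETS)
    print("per-packet:", per_packet_hits(PACKETS, b"USER anonymous"))
    print("per-session:", per_session_hits(sessions, b"USER anonymous"))
    for streams in sessions.values():
        for endpoint, data in streams.items():
            print(endpoint, data)
```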
#4
BruteShark is now capable of extracting also Kerberos tickets (TGS-REP ticket only at this point).
That functionality is in addition to the ability of parsing Kerberos authentication hashes (AS-REQ).
An export option to a Hashcat format was also provided in this version.

Use -m 13100 to crack the TGS Rep Hashes
and -m 7500 to crack authentication hashes (AS-REQ)
#5

  1. New hash type extraction - Kerberos AS-REP etype 23 (including Hashcat integration - mode: 18200)
#6
Current version of BruteShark can extract 7 hash types from raw pcap files and export them to a Hashcat input file:

Protocol            Hash Type            Hashcat Mode (-m)
----------------------------------------------------------------
HTTP                HTTP-Digest          11400
SMTP\IMAP           CRAM-MD5             16400
NTLM (e.g. SMB)     NTLMv1               5500
NTLM (e.g. SMB)     NTLMv2               5600
Kerberos            AS-REQ etype 23      7500
Kerberos            TGS-REP etype 23     13100
Kerberos            AS-REP etype 23      18200
#7
Could you add an option to add multiple cap files, directly from the shell? Like ./bruteshark-cli --add-files *.cap --show-hashes
This will allow your tool to be included into scripts without user interaction.
#8
Yes, please open an issue at the BruteShark repo and I will take care of it (https://github.com/odedshimon/BruteShark)