Posts: 6
Threads: 1
Joined: May 2020
05-03-2020, 12:45 AM
(This post was last modified: 05-04-2020, 12:31 AM by BruteShark. Edit Reason: Add some info)
BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files).
It can extract hashes of encrypted passwords and convert them to a Hashcat format in order to perform an offline Brute Force attack.
Supported hash types so far (more to come): Kerberos, NTLM, CRAM-MD5, HTTP-Digest.
BruteShark can also extract passwords, build a network map, reconstruct TCP sessions and more.
Check it out!
https://github.com/odedshimon/BruteShark
Posts: 803
Threads: 135
Joined: Feb 2011
Thanks for sharing.
I knew Pcredz and Net-creds that seem to do the same.
Could you please explain what's new in your soft?
Posts: 6
Threads: 1
Joined: May 2020
Hi,
PCredz and Net-Creds are great tools,
but there are several significant differences:
1. Implementation - PCredz and Net-Creds are single-file scripts that extract data only from single packets. BruteShark has a complete information analysis layer that is able to reconstruct all TCP sessions, therefore the implementation of the extracting algorithms can be more accurate, including inspecting both sides of the conversation (for example, check the Telnet or NTLM parsers).
2. While PCredz and Net-Creds are scripts that extract credentials, BruteShark aims to be an all-in-one solution for security researchers with the task of network traffic analysis while they try to identify weaknesses; that includes drawing a network map, reconstructing all TCP sessions and more.
Imagine you are investigating an attacker performing suspicious activity against an FTP server; I believe you would like to see all the session data in order to understand the essence of the activity.
3. Architecture - BruteShark implements a pluggable architecture and was built for adding more modules (at this point I'm waiting for ideas and feedback); it also has a GUI version.
Please take a look at the code and feel free to contact me with any further questions.
contact.oded.shimon@gmail.com
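Point 1 of the post above (single-packet parsing versus reconstructing the TCP session and reading both sides), as an added example that is not part of the original post and is not BruteShark's code. The FTP segments, sequence numbers and function names are constructed for illustration.

```python
import re

# Constructed sample: one FTP control connection as (tcp_seq, payload) pairs.
# The client side arrives out of order, has one retransmission, and the PASS
# command is split across two segments.
CLIENT = [(1000, b"USER alice\r\n"), (1020, b"mple-pw\r\n"),
          (1012, b"PASS exa"), (1000, b"USER alice\r\n")]
SERVER = [(5000, b"220 ready\r\n"), (5011, b"331 Password required\r\n"),
          (5034, b"230 Login suc"), (5047, b"cessful\r\n")]

USER_RE = re.compile(rb"^USER (\S+)\r\n", re.M)
PASS_RE = re.compile(rb"^PASS (\S+)\r\n", re.M)

def ftp_login(data):
    """Return (user, password) found in a byte string, None where absent."""
    user, pw = USER_RE.search(data), PASS_RE.search(data)
    return (user.group(1).decode() if user else None,
            pw.group(1).decode() if pw else None)

def per_packet(segments):
    """Single-packet view: parse each payload in isolation."""
    return [ftp_login(payload) for _, payload in segments]

def reassemble(segments):
    """Rebuild one direction of a TCP stream (sequence wraparound ignored)."""
    base = min(seq for seq, _ in segments)
    stream = bytearray()
    for seq, payload in sorted(segments):
        offset = seq - base
        if offset > len(stream):
            raise ValueError(f"capture gap at stream offset {len(stream)}")
        stream += payload[len(stream) - offset:]  # skip retransmitted bytes
    return bytes(stream)

def analyze_session(client, server):
    """Session view: reassemble both directions, then parse."""
    user, pw = ftp_login(reassemble(client))
    accepted = re.search(rb"^230 ", reassemble(server), re.M) is not None
    return {"user": user, "password": pw, "accepted": accepted}

if __name__ == "__main__":
    print(per_packet(CLIENT))
    print(analyze_session(CLIENT, SERVER))
```

The per-packet pass never sees a complete PASS line, while the session view recovers it and uses the server direction to tell whether the login was accepted.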
Posts: 6
Threads: 1
Joined: May 2020
08-02-2020, 12:44 AM
BruteShark is now also capable of extracting Kerberos tickets (TGS-REP ticket only at this point).
That functionality is in addition to the ability of parsing Kerberos authentication hashes (AS-REQ).
An export option to a Hashcat format was also provided in this version.
Use -m 13100 to crack the TGS Rep Hashes
and -m 7500 to crack authentication hashes (AS-REQ)
Posts: 6
Threads: 1
Joined: May 2020
- New hash type extraction - Kerberos AS-REP etype 23 (including Hashcat integration - mode: 18200)
Posts: 6
Threads: 1
Joined: May 2020
12-01-2020, 03:37 AM
(This post was last modified: 12-01-2020, 03:46 AM by BruteShark.)
Current version of BruteShark can extract 7 hash types from raw pcap files and export them to a Hashcat input file:
Protocol          Hash Type                  Hashcat Mode (-m)
----------------------------------------------------------------
HTTP              HTTP-Digest                11400
SMTP\IMAP         CRAM-MD5                   16400
NTLM (e.g. SMB)   NTLMv1                     5500
NTLM (e.g. SMB)   NTLMv2                     5600
Kerberos          AS-REQ etype 23            7500
Kerberos          TGS-REP etype 23           13100
Kerberos          AS-REP etype 23            18200
Posts: 803
Threads: 135
Joined: Feb 2011
Could you add an option to add multiple cap files, directly from the shell? Like ./bruteshark-cli --add-files *.cap --show-hashes
This will allow your tool to be included into scripts without user interaction.
Posts: 6
Threads: 1
Joined: May 2020
Yes, please open an issue at the BruteShark repo and I will take care of it (https://github.com/odedshimon/BruteShark)