Brute-Shark: A New Project that extracts hashes from PCAP files
#1
BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files).
It can extract hashes of encrypted passwords and convert them to a Hashcat format in order to perform an offline Brute Force attack.
Supported hash types thus far (more to come): Kerberos, NTLM, CRAM-MD5, HTTP-Digest.
Brute-Shark can also extract passwords, build a network map, reconstruct TCP sessions and more.

Check it out! 
https://github.com/odedshimon/BruteShark
#2
Thanks for sharing.
I know of PCredz and Net-Creds, which seem to do the same.
Could you please explain what's new in your soft?
#3
Hi,
PCredz and Net-Creds are great tools,
but there are several significant differences:

1. Implementation - PCredz and Net-Creds are single-file scripts that extract data only from single packets. BruteShark has a complete information analysis layer that is able to reconstruct all TCP sessions, therefore the implementation of the extracting algorithms can be more accurate, including inspecting both sides of the conversation (for example, check the Telnet or NTLM parsers).

2. While PCredz and Net-Creds are scripts that extract credentials, BruteShark aims to be an all-in-one solution for security researchers with the task of network traffic analysis while they try to identify weaknesses; that includes drawing a network map, reconstructing all TCP sessions and more.
Imagine you are investigating an attacker performing suspicious activity against an FTP server; I believe you would like to see all the session data in order to understand the essence of the activity.

3. Architecture - BruteShark implements a pluggable architecture and was built for adding more modules (at this point I’m waiting for ideas and feedback); it also has a GUI version.

Please take a look at the code and feel free to contact me with any further questions.
contact.oded.shimon@gmail.com
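The difference between single-packet parsing and session reconstruction described in post #3, as an added example that is not part of the thread and is not BruteShark's code. The segment list, regex and function names are hypothetical; the FTP traffic is constructed sample data.

```python
import re

# Constructed sample: client-to-server segments of one FTP control
# connection as (tcp_seq, payload). The PASS command is split across
# segments, one segment arrives out of order, and one is retransmitted.
SEGMENTS = [
    (1000, b"USER alice\r\n"),
    (1012, b"PA"),
    (1020, b"mple-pw\r\n"),   # arrives before the bytes that precede it
    (1014, b"SS exa"),
    (1014, b"SS exa"),        # retransmission of the same bytes
]

# Hypothetical pattern for the two FTP login commands.
CRED_RE = re.compile(rb"^(USER|PASS) ([^\r\n]+)\r\n", re.M)


def per_packet(segments):
    """Scan every payload in isolation (the single-packet approach)."""
    found = []
    for _, payload in segments:
        found += CRED_RE.findall(payload)
    return found


def reassemble(segments):
    """Rebuild one direction of the stream from its segments.

    Orders by sequence number and drops bytes already seen. Sequence
    wrap-around is ignored to keep the example short.
    """
    stream, next_seq = b"", None
    for seq, payload in sorted(segments):
        if next_seq is None:
            next_seq = seq
        if seq > next_seq:
            break  # gap in the capture: do not parse across missing bytes
        overlap = next_seq - seq
        if overlap < len(payload):
            stream += payload[overlap:]
            next_seq = seq + len(payload)
    return stream


def per_session(segments):
    """Scan the reassembled stream (the session-based approach)."""
    return CRED_RE.findall(reassemble(segments))


if __name__ == "__main__":
    print("per packet :", per_packet(SEGMENTS))
    print("per session:", per_session(SEGMENTS))
```

The per-packet scan only sees the USER command, while the reassembled stream yields both commands of the login.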
#4
BruteShark is now also capable of extracting Kerberos tickets (TGS-REP ticket only at this point).
That functionality is in addition to the ability of parsing Kerberos authentication hashes (AS-REQ).
An export option to a Hashcat format was also provided in this version.

Use -m 13100 to crack the TGS-REP hashes
and -m 7500 to crack authentication hashes (AS-REQ)