Wireshark Finding the Hash of an Uploaded File

How to extract a hash (VNC, SSH2 or SMB) from a WireShark capture file

Hello all.

Until now I have only tested WPA hashes, and they have been extracted from an airodump-ng capture file using tshark or aircrack-ng (-J option).
I wanna go one step beyond, and in an effort to understand and learn a bit of the innards of hash file extraction, I wanna strip (if possible) a real hash from a .cap Wireshark capture file.
I have captured these types of authentication:

- VNC (RealVNC).
- SSH2 (OpenSSH).
- SMB (connection to SAMBA server).

so I would like to know the way of obtaining a single hash from any of those .cap files.
Is there any automation for this task? Or can I copy&paste directly any data from some of the captured packet/s?

I have tested EtterCap, TShark and Cain&Abel with no results. None of them seem to give a valid hash string.
Any ideas or URLs to check? I can post .cap files or some of their data if needed.

Thank you all a lot.

Which version of Ettercap are you using?

Parsing VNC packets is supported by Ettercap (I fixed the VNC dissector some time back but I might have missed something).

Can you share some .pcap files?

All right, I think I have succeeded in sniffing an SMB hash. I have done it using EtterCap.
This is the command:

Code:

ettercap -T -w dump.cap /OriginIP/ // output: -l logfile

so it yields through the screen (checkable also via the logfile using etterlog):

Code:

ACCOUNT : Luis- / Luis-:"":"":FF6D1D6B511167E500000000000000000000000000000000:261B4DFEDB3BBC143D21C4F15BB8299FBA974901C5DB19CC:DD3291B8FA111B98  (192.168.11.113)
INFO    : DOMAIN: THREEPWOOD

(I have modified the numbers here, of course, so they are not entirely real)
Now, which one of those 3 numbers separated by ":" should theoretically be sent to hashcat?
And what hash type must be specified?

I have heard that NTLM hashes are sent with LM hashes too. And some docs say the hash is MD4, others MD5... etc. Furthermore, I recall LM hashes were split every 7 characters of the original password. So I am asking this instead of just running hashcat.

(03-20-2013, 07:01 PM)halfie Wrote: Which version of Ettercap are you using?

This is my version:
ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA

(03-20-2013, 07:01 PM)halfie Wrote: Parsing VNC packets is supported by Ettercap (I fixed the VNC dissector some time back but I might have missed something).

Mmm... I am capturing a connection to VNC4Server on Ubuntu and EtterCap yields a lot of information, but not the password.

(03-20-2013, 07:01 PM)halfie Wrote: Can you share some .pcap files?

Here you have: it is an ettercap capture:

Code:

sudo ettercap -T -w dump.cap /192.168.11.113/ // output: -l logfile.eci -i eth1

Chomsky (computer one with IP 192.168.11.113 running Windows XP, RealVNC Viewer) connects to ThreepWood (computer two running Ubuntu 12.04, VNC4Server) using password "12345678". Real VNCViewer tells there is no encryption in this connection.
This is the output of EtterLog:

Code:

luis@ThreepWood:~/Temporal/Ettercap$ sudo etterlog Chomsky-ThreepWood-VNC-NoEncryption.eci

etterlog NG-0.7.4.2 copyright 2001-2005 ALoR & NaGA

Log file version    : NG-0.7.4.2
Timestamp           : Wed Mar 20 20:35:20 2013
Type                : LOG_INFO

1766 tcp OS fingerprint
7587 mac vendor fingerprint
2183 known services

==================================================
IP address   : 192.168.11.110

MAC address  : 00:1D:60:13:DF:CB
MANUFACTURER :

DISTANCE     : 0
TYPE         : LAN host

FINGERPRINT      : 3908:05B4:40:06:1:1:1:0:A:34
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST ONE IS   : Windows 98 SE

   PORT     : TCP 5901 | vnc-1  [RFB 003.008]

==================================================

==================================================
IP address   : 192.168.11.113

MAC address  : 00:23:54:7F:F2:4F
MANUFACTURER :

DISTANCE     : 1
Type         : LAN host

FINGERPRINT      : FFFF:05B4:80:02:1:1:1:0:S:34
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST I IS   : Windows 2000

==================================================

As you can see, there is no password guessed at all.


Thank you a lot for your kind help.

I also have some test capture files (.cap and .eci) of SSH and SMB connections. I can upload them if needed.

And some more data to test: I am now trying with SSL: a connection to the GMail website using a test account. I am trying to extract the hash using "ssldump":

Code:

ssldump -r GMailConnection.cap

It gives me lots of information. There are some lines that could be the hash:

Code:

36 148 6.5794 (3.2014)  C>S  application_data
47 2  1.2720 (0.0953)  S>C  Handshake
ServerHello
Version 3.1
session_id[32]=
6b 57 35 8a 65 fd 43 62 84 d3 8b 1c b2 45 79 e9
ec f6 af f3 72 6c 0b c5 97 83 59 1c 04 37 3d b7
cipherSuite         TLS_RSA_WITH_RC4_128_SHA
compressionMethod                   NULL
47 3  1.2720 (0.0000)  S>C  ChangeCipherSpec
47 4  1.2720 (0.0000)  S>C  Handshake

May I extract the handshake from here?
oclHashcat-plus processes this hash correctly as the -m 1400 (SHA256) type, but it does not find my password ("12345678" again):

Code:

oclhashcat-plus64 -k 1400 6b57358a65fd436284d38b1cb24fdae9ecf6aff3726c0bc59783591c04373db7 -a 3 12345678

I can post the results of ssldump if requested. There are several lines like "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" or "TLS_RSA_WITH_RC4_128_SHA".

I think your VNC session was using encryption (at least at some point). I can successfully extract the "hash" from your .pcap file and also crack it using JtR-jumbo.

Please use the latest versions of JtR-jumbo and Ettercap (from GitHub) for best results.

Code:

$ ettercap -Tq -r Chomsky-ThreepWood-VNC-NoEncryption.cap

ettercap 0.7.5.4 copyright 2001-2013 Ettercap Development Team
...
192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf
...

$ cat hash # copy-pasted from above output
192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf

$ ../run/john hash
Loaded 1 password hash (VNC DES [32/64])
12345678         (192.168.11.110-5901)

As you can see, things do work.
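Added example, not part of the thread and not Ettercap's or JtR's code: a parser that turns the RFB 3.7/3.8 VNC Authentication exchange (server challenge, client response) into the `$vnc$*challenge*response` line shown above, so a defender can verify what a sniffer pulled from a capture or audit their own captures for unencrypted challenge-response logins. The two byte streams are constructed here (they reuse the challenge and response quoted in the post); the function name and label are mine.

```python
import struct

# Constructed sample: the RFB 3.8 handshake as two reassembled TCP payload
# streams (server->client and client->server). Challenge and response are the
# values quoted in the thread, not freshly captured data.
CHALLENGE = bytes.fromhex("a5d62a6cd58f41abe8785a4485811aac")
RESPONSE = bytes.fromhex("248d3290ce533f028613f092f25834cf")

SERVER_STREAM = (
    b"RFB 003.008\n"          # ProtocolVersion, 12 bytes
    + bytes([1, 2])           # one security type offered: 2 = VNC Authentication
    + CHALLENGE               # 16-byte random challenge
    + struct.pack(">I", 0)    # SecurityResult: 0 = OK
)
CLIENT_STREAM = (
    b"RFB 003.008\n"          # client echoes the version it will speak
    + bytes([2])              # client picks VNC Authentication
    + RESPONSE                # 16 bytes: DES(challenge) keyed by the password
)


def extract_vnc_auth(server: bytes, client: bytes, label: str):
    """Return '<label>:$vnc$*<challenge>*<response>' for an RFB 3.7/3.8 session
    that used VNC Authentication, or None when nothing crackable is on the wire
    (security type 1 = None, a TLS/VeNCrypt type, or a truncated stream).
    RFB 3.3, where the server sends a U32 security type, is not handled."""
    if not server.startswith(b"RFB 003.") or not client.startswith(b"RFB 003."):
        return None
    s_off = c_off = 12                       # skip both 12-byte version strings
    if len(server) <= s_off or len(client) <= c_off:
        return None
    n_types = server[s_off]
    s_off += 1
    offered = server[s_off:s_off + n_types]  # U8 list of security types
    s_off += n_types
    chosen = client[c_off]
    c_off += 1
    if chosen != 2 or chosen not in offered:
        return None                          # not plain VNC auth: no challenge/response
    challenge = server[s_off:s_off + 16]
    response = client[c_off:c_off + 16]
    if len(challenge) != 16 or len(response) != 16:
        return None                          # stream cut off mid-handshake
    return f"{label}:$vnc$*{challenge.hex()}*{response.hex()}"


if __name__ == "__main__":
    print(extract_vnc_auth(SERVER_STREAM, CLIENT_STREAM, "192.168.11.110-5901"))
```

Feed it the two directions of the TCP 5901 stream as exported from Wireshark (Follow TCP Stream, raw) and the result should match what ettercap printed; a None for a session the viewer claimed was unencrypted means a different security type was negotiated.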

You will be able to crack the SMB hashes with the next version of hashcat / oclHashcat

PS: had to edit the topic, it was too long, MyBB was complaining

(03-21-2013, 02:36 PM)atom Wrote: You will be able to crack the SMB hashes with the next version of hashcat / oclHashcat

That is fine.
So I supposed that the data sent over the network for SMB authentication was an LM or NTLM hash, but it seems I was wrong.

Your post is from 21-03-2013, but v0.14 is from 22-03-2013. I have checked "hash types" in v0.14, but there is no one named "SMB". Is the hash in the published version, or were you talking about the next one?

Thanks for the info, atom.

(03-21-2013, 02:36 PM)atom Wrote: PS: had to edit the topic, it was too long, MyBB was complaining

No problem.


Source: https://hashcat.net/forum/thread-2156.html
