Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <50A5736B.7070702@gmail.com>
Date: Thu, 15 Nov 2012 23:57:47 +0100
From: buawig <buawig@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: cracking passwords with a kerberos traffic dump

Hi magnum,

thanks for your fast reply!

> Unless I misunderstand the "windows domain" part of what you say
> above, you should use the mskrb5 format.


> Even though I am the author
> of that format I actually do not remember what tool would be best for
> converting a pcap file to a usable input file. Perhaps Cain does
> that. 

I loaded the pcap file into cain but nothing showed up in the MS
Kerberos5 PreAuth section.

> Or maybe I just copy/pasted stuff from Ethereal. 

Yes, I inspected the pcap file with wireshark and in the AS-REP packet I
see the enc-part rc4-hmac but the actual value is a lot longer than the
sample in mskrb5_fmt_plug.c:24
and I wouldn't know where I can find the 'checksum' value.

> Perhaps
> someone should write a pcap2mskrb5 tool...

That would be awesome :)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.