Date: Fri, 16 Nov 2012 22:51:55 +0100
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: cracking passwords with a kerberos traffic dump

On 15 Nov, 2012, at 23:57, buawig <buawig@...il.com> wrote:

>> Unless I misunderstand the "windows domain" part of what you say
>> above, you should use the mskrb5 format.
>> Even though I am the author of that format I actually do not remember
>> what tool would be best for converting a pcap file to a usable input
>> file. Perhaps Cain does that.
>
> I loaded the pcap file into Cain but nothing showed up in the MS
> Kerberos5 PreAuth section.

But you did sniff a Windows client logging on to the Microsoft AD, or did you not?

>> Or maybe I just copy/pasted stuff from Ethereal.
>
> Yes, I inspected the pcap file with Wireshark and in the AS-REP packet I
> see the enc-part rc4-hmac, but the actual value is a lot longer than the
> sample in mskrb5_fmt_plug.c:24, and I wouldn't know where I can find
> the 'checksum' value.

Here's an article that I referenced in the mskrb5 source code:

http://www.securiteam.com/windowsntfocus/5BP0H0A6KM.html

There's a link to code that can dump the pre-auth data. It would need to be modified to include the username to be really useful (but that's not needed for cracking - only the 16-byte checksum and the 36-byte timestamp are).

magnum