Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Nov 2012 22:51:55 +0100
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: cracking passwords with a kerberos traffic dump

On 15 Nov, 2012, at 23:57 , buawig <buawig@...il.com> wrote:
>> Unless I misunderstand the "windows domain" part of what you say
>> above, you should use the mskrb5 format.
>> Even though I am the author
>> of that format I actually do not remember what tool would be best for
>> converting a pcap file to a usable input file. Perhaps Cain does
>> that. 
> 
> I loaded the pcap file into cain but nothing showed up in the MS
> Kerberos5 PreAuth section.

But you did sniff a windows client logging on to the Microsoft AD, or did you not?

>> Or maybe I just copy/pasted stuff from Ethereal. 
> 
> Yes, I inspected the pcap file with wireshark and in the AS-REP packet I
> see the enc-part rc4-hmac but the actual value is a lot longer than the
> sample in mskrb5_fmt_plug.c:24
> and I wouldn't know where I can find the 'checksum' value.

Here's an article that I referenced in the mskrb5 source code:
http://www.securiteam.com/windowsntfocus/5BP0H0A6KM.html

There's a link to code that can dump the pre-auth data. It would need to be modified to include username to be really useful (but it's not needed for cracking - only the 16 byte checksum and 36 byte timestamp is).

magnum

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.