Date: Fri, 16 Nov 2012 21:52:00 +0100 From: magnum <john.magnum@...hmail.com> To: john-users@...ts.openwall.com Subject: Re: cracking passwords with a kerberos traffic dump On 16 Nov, 2012, at 17:03 , Dhiru Kholia <dhiru.kholia@...il.com> wrote: > On Fri, Nov 16, 2012 at 4:27 AM, buawig <buawig@...il.com> wrote: >> I loaded the pcap file into cain but nothing showed up in the MS >> Kerberos5 PreAuth section. >> Yes, I inspected the pcap file with wireshark and in the AS-REP packet I >> see the enc-part rc4-hmac but the actual value is a lot longer than the >> sample in mskrb5_fmt_plug.c:24 >> and I wouldn't know where I can find the 'checksum' value. > > What is the value of "Encryption type" when you view the AS-REQ packet > in Wireshark? > > On my setup (which is using default values) it is 18 > (aes256-cts-hmac-sha1-96 is being used). > > We might need to implement http://www.packetizer.com/rfc/rfc3962/ in JtR. That reminds me of our recent (currently only in git) krb5-18 format submitted by Camille Mougey. You need to uncomment HAVE_KRB5 in Makefile to build it (and you need libkrb5-dev installed). We also have krb5-23 by the same author. That is arcfour-hmac. Tools are included too - see doc/README-krb5-18-23 for instructions. Apparently both these would attack a dumped realm database though - not sniffed data. fwiw, magnum
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.