Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs
PCAP Analysis
Note the existence of KRB5
protocol traffic on tcp/88
, which is further identified as AS-REQ
data. If we inspect the application layer data in the packets, we can see details such as username, domain info, etc. We should be able to carve this data out of the packet.
Using NetworkMiner on Kali
# Install mono as this is a Windows binary
sudo apt install -y mono-devel
# Download the latest free version
wget https://www.netresec.com/?download=NetworkMiner -O ./nm.zip
unzip nm.zip
mono NetworkMiner_2-8-1/NetworkMiner.exe --noupdatecheck
Once the program is launched, open the PCAP file.
Right-click the password hash and choose copy password. Paste the contents into a file and crack with hashcat
or john
.
nano krb_hash
john --wordlist=rockyou.txt krb_hash
References
Extracting Kerberos Credentials from PCAP (netresec.com)