Wednesday, April 9, 2014

Breaking MSFT Kerberos With Responder

I've been working on a way to get MS Kerberos v5 hashes via the Browser protocol automatically with no user interaction on a given network.
(click on the pics if they don't display correctly).

Often you see these requests in wireshark on an internal penetration test:

So I came up with a tool that automates kerberos' connection for these:

Which shows up like this in Wireshark:

Here's how the attack works :
1) Poison a NBT-NS lookup on the domain controller service, wait for a SamLogonRequest, answer with a LogonSAMUserUnknownEX then wait for a LogonPrimaryQuery and answer with a LogonSAMUserUnknownEX.
2) Setup a smb server which responds to a NegotiateProtocolRequest with the supported mech list set as kerberos:
and wait for the Kerberos AS-REQ on UDP 88.

Responder will then take care of the hash parsing and formating:

 And will make it ready for hashcat (-m 7500):

This will be included in the next release of Responder (

Game over MSKerberosV5.

Tuesday, April 8, 2014

Introducing PCredz

PCredz was built to extract credentials from large pcap files or from a live interface.


Stats on juicy pcap files:
- 30 mo pcap file : 15s
- 500mo pcap file: 1.5 minutes
- 2 Go pcap file: 7 minutes.


  • Extract from a pcap file or from a live interface:
    • Credit card numbers
    • POP
    • SMTP
    • IMAP
    • SNMP community string
    • FTP
    • HTTP Basic
    • NTLMv1/v2 (DCE-RPC,SMBv1/2,LDAP, MSSQL, HTTP, etc)
    • Kerberos (AS-REQ Pre-Auth etype 2#) hashes.
  • All hashes are displayed in a hashcat format (use -m 7500 for kerberos, -m 5500 for NTLMv1, -m 5600 for NTLMv2).
  • Log all credentials to a file (CredentialDump-Session.log).


  • Linux:
On a debian based OS: apt-get install python-libpcap
  • Os X and other distributions:
tar xvf pylibpcap-0.6.4.tar.gz
cd pylibpcap-0.6.4
python install


./Pcredz -f file-to-parse.pcap
./Pcredz -d /tmp/pcap-directory-to-parse/
./Pcredz -i eth0
-h, --help show this help message and exit
-f capture.pcap Pcap file to parse
-d /home/pnt/pcap/ Pcap directory to parse recursivly
-i eth0 interface for live capture
-v More verbose.

You can download PCredz here: