
BruteShark: Automating Credential Extraction from Network Captures with .NET Core

Hook

Every unencrypted network packet contains potential credentials, but manually hunting through gigabytes of PCAP files is a forensic analyst's nightmare. BruteShark turns packet captures into actionable credential dumps automatically.

Context

Network forensics traditionally requires analysts to manually filter through packet captures using tools like Wireshark, searching for authentication attempts across dozens of protocols. You'd spend hours writing display filters like http.request.method == "POST" or kerberos.realm, then manually extracting credentials from matched packets. For large breach investigations involving multi-gigabyte PCAP files, this becomes impractical.

BruteShark emerged from this pain point as a Network Forensic Analysis Tool (NFAT) that automates the credential extraction pipeline. Built by Oded Shimon using .NET Core, it processes PCAP/PCAPNG files and live captures to automatically extract credentials from HTTP, FTP, Telnet, IMAP, SMTP, Kerberos, NTLM, and other protocols—then outputs them in formats compatible with Hashcat for offline cracking. Beyond credential extraction, it reconstructs TCP sessions, carves files from network streams, extracts VoIP calls, and generates network topology graphs. The tool bridges the gap between passive packet analysis and active security assessment, giving penetration testers and incident responders a force multiplier for post-capture analysis.

Technical Insight

BruteShark's architecture separates concerns into three layers: a packet processing engine, protocol-specific analyzers, and output modules. At its core, it uses SharpPcap (a .NET wrapper for libpcap/WinPcap) and PacketDotNet for packet parsing. The modular design allows you to enable only the analyzers you need, which matters when processing multi-gigabyte captures.

The credential extraction pipeline works through protocol-specific modules that inherit from a common IModule interface. Each module registers for specific protocols, receives parsed packets, and extracts authentication data. Here's a simplified example of how the HTTP analyzer extracts basic authentication credentials:

public class HttpModule : IModule
{
    // Simplified illustration: HttpPacket, NetworkCredential and CredentialStore are
    // stand-ins for the tool's own types, not a verbatim copy of its source.
    public void Analyze(TcpPacket tcpPacket, TcpSession session)
    {
        var httpPacket = HttpPacket.Parse(tcpPacket);

        if (httpPacket.ContainsHeader("Authorization"))
        {
            var authHeader = httpPacket.Headers["Authorization"];

            // The scheme name is case-insensitive (RFC 7617), so "basic " must match too.
            if (authHeader.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            {
                var encodedCredentials = authHeader.Substring(6).Trim();
                var decoded = Base64Decode(encodedCredentials);

                // The user-id cannot contain ':' but the password can, so split on the first one only.
                var parts = decoded.Split(':', 2);

                var credential = new NetworkCredential
                {
                    Protocol = "HTTP Basic",
                    Username = parts[0],
                    Password = parts.Length > 1 ? parts[1] : "",
                    Source = session.SourceIP,
                    Destination = session.DestinationIP
                };

                CredentialStore.Add(credential);
            }
        }
    }
}

The Kerberos module is more sophisticated, extracting AS-REQ and TGS-REQ packets to dump hashes in formats like $krb5pa$23$user$realm$salt$hash that Hashcat can crack directly. This integration with offensive security tools makes BruteShark particularly valuable for red team engagements—you capture traffic during a penetration test, extract Kerberos hashes, and feed them to your GPU-accelerated cracking rig.

Session reconstruction leverages TCP stream reassembly to rebuild complete application-layer conversations. BruteShark maintains a dictionary of active TCP sessions keyed by socket pairs (source IP/port, destination IP/port). As packets arrive, it buffers segments in sequence number order, handles retransmissions, and triggers protocol analyzers when sessions complete. This approach enables file carving—extracting files transferred over FTP, HTTP, or SMB—and VoIP call reconstruction from SIP/RTP streams.
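As an added example (not BruteShark's code and not the author's), here is the pipeline described above and in the HTTP module snippet, written in Python: a reassembler keyed by socket pair that buffers segments by sequence number and discards exact retransmissions, an HTTP Basic analyzer run over the reassembled stream, and a time-based eviction step for idle sessions of the kind the Gotcha section says the tool lacks. The segment tuple layout, the sample segments, the addresses and all names are constructed for this illustration.

```python
import base64
import re

# Constructed sample: one HTTP request in three TCP segments, delivered out of order, with the
# first one retransmitted. Tuple layout (hypothetical): (src, sport, dst, dport, seq, payload, ts)
AUTH_LINE = b"Authorization: Basic " + base64.b64encode(b"alice:p45s:word") + b"\r\n\r\n"
SEGMENTS = [
    ("10.0.0.5", 51000, "10.0.0.9", 80, 1022, b"Host: intranet\r\n", 1.1),
    ("10.0.0.5", 51000, "10.0.0.9", 80, 1001, b"GET /admin HTTP/1.1\r\n", 1.0),
    ("10.0.0.5", 51000, "10.0.0.9", 80, 1001, b"GET /admin HTTP/1.1\r\n", 1.3),  # retransmission
    ("10.0.0.5", 51000, "10.0.0.9", 80, 1038, AUTH_LINE, 1.4),
]
BASIC_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$", re.I | re.M)

class TcpReassembler:
    def __init__(self):
        self.sessions = {}  # (src, sport, dst, dport) -> {"segs": {seq: payload}, "last": ts}

    def feed(self, src, sport, dst, dport, seq, payload, ts):
        s = self.sessions.setdefault((src, sport, dst, dport), {"segs": {}, "last": ts})
        s["last"] = ts
        s["segs"].setdefault(seq, payload)  # exact retransmission: keep the first copy

    def stream(self, key):  # one direction in sequence order; stops at the first hole
        segs, out, nxt = self.sessions[key]["segs"], b"", min(self.sessions[key]["segs"])
        while nxt in segs:  # overlapping partial retransmissions are not handled here
            out += segs[nxt]
            nxt += len(segs[nxt])
        return out

    def evict_idle(self, now, max_idle):  # time-based expiry the article says BruteShark lacks
        stale = [k for k, s in self.sessions.items() if now - s["last"] > max_idle]
        for k in stale: del self.sessions[k]
        return len(stale)

def find_basic_auth(stream):  # (user, password) pairs; split on the first ':' only
    found = []
    for m in BASIC_RE.finditer(stream):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # malformed base64 (binascii.Error subclasses ValueError)
            continue
        user, _, password = decoded.partition(":")
        found.append((user, password))
    return found

def extract_from_segments(segments):  # reassemble each session, keep those with Basic creds
    r = TcpReassembler()
    for seg in segments: r.feed(*seg)
    return {k: c for k in r.sessions if (c := find_basic_auth(r.stream(k)))}
```

Run over an organisation's own captures, the same analyzer doubles as a check for where cleartext Basic authentication is still in use on the network.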

The network mapping feature generates graph data exportable to Neo4j, creating visual representations of network topology. It identifies hosts, maps open ports, extracts domain relationships from Kerberos and NTLM traffic, and builds a property graph model. For incident response, this visualization quickly answers questions like "Which domain accounts authenticated to which servers?" or "What lateral movement paths existed during the breach window?"

BruteShark ships with both a Windows GUI (BruteSharkDesktop) built on WPF and a cross-platform CLI (BruteSharkCli). The CLI is particularly useful for automation:

# Extract all credentials and export to Hashcat format
BruteSharkCli -f capture.pcap -m Credentials,Hashes -o results/

# Process multiple files with network mapping
BruteSharkCli -d /pcaps/ -m NetworkMap,FileCarving -neo4j bolt://localhost:7687

# Live capture on interface eth0 (requires elevated privileges)
BruteSharkCli -i eth0 -m Credentials --duration 300

The modular architecture means you can extend BruteShark with custom protocol analyzers. If your organization uses proprietary authentication protocols or you want to extract specific application data, you implement the IModule interface, register your analyzer, and it integrates seamlessly with the packet processing pipeline.

Gotcha

BruteShark's biggest limitation is resource consumption during TCP session reconstruction. Processing a 10GB PCAP file with full session reassembly can consume 16GB+ of RAM because it buffers incomplete sessions in memory. For enterprise-scale captures spanning days of traffic, you'll need to either disable session reconstruction, split files into smaller chunks, or run on high-memory systems. The tool doesn't implement intelligent session eviction strategies like time-based expiry of idle connections, which would help with long-running captures.

The Windows GUI requires specific runtime dependencies—.NET Core Desktop Runtime and Npcap driver installation—which creates friction in enterprise environments with locked-down workstations. The Npcap driver requirement particularly causes issues since it needs administrator privileges and can conflict with existing WinPcap installations. For cross-platform work, the CLI is more reliable but lacks the visualization features of the GUI, forcing you to export to external tools like Neo4j for graph analysis.

Credential extraction is inherently limited to cleartext or weakly-obfuscated protocols. While BruteShark excels at extracting HTTP Basic Auth, FTP, Telnet, and protocol hashes (Kerberos, NTLM), it can't help with modern TLS-encrypted traffic unless you have the private keys for decryption. In contemporary networks where HTTPS dominates, you'll find fewer actionable credentials than in legacy environments. The tool also doesn't perform active decryption attacks or SSL stripping—it's purely passive analysis.

Verdict

Use BruteShark if you're conducting network forensics investigations, performing post-engagement analysis of penetration test captures, or need to quickly identify authentication weaknesses across multiple protocols in captured traffic. It's particularly valuable for red team operators who want automated credential extraction integrated with Hashcat, incident responders analyzing breach artifacts, or security researchers studying authentication patterns in network protocols. The combination of credential extraction, session reconstruction, and network visualization makes it a Swiss Army knife for packet-based investigations. Skip it if you're working primarily with modern TLS-encrypted traffic (use SSL/TLS interception proxies instead), need real-time streaming analysis at enterprise scale (look at Moloch/Arkime or commercial SIEM solutions), only require basic packet inspection (Wireshark is more mature), or want active network attack capabilities rather than passive forensic analysis (Bettercap or Responder are better fits). Also skip if you're resource-constrained—processing large captures demands significant CPU and RAM.
