No installation packet capture — you might get credentials too!

This is for educational purposes only. If you don’t own it, don’t pwn it.

I learned about this technique in Peter Kim's "The Hacker Playbook" series (great books), but the books only devote a few paragraphs to it, so I decided to write up a walkthrough with plenty of pictures.

I'm using my RebelAdmin\Helpdesk account in my lab for this scenario. That account is a local admin on several desktops in my lab. I run "whoami" and "net localgroup administrators" to verify that the account is in the local Administrators group, because starting a netsh trace requires elevation.

I start the trace with this command, run from an elevated (administrator) command prompt:

netsh trace start capture=yes overwrite=no tracefile=C:\Users\Public\sniff.etl

"capture=yes" is what turns on packet capture (without it, netsh only records ETW provider events), and "overwrite=no" makes the command fail rather than clobber an existing sniff.etl.

At this point you can let it run for a while. netsh prints the trace settings when it starts: the default maximum file size is 250 MB (the "maxSize" parameter) and the default file mode is circular, so once the file fills up the oldest packets are overwritten. Keep in mind that the running session is visible to anyone who runs "netsh trace show status" on the box, and the ETL file itself is an artifact on disk. I'll stop the trace with "netsh trace stop" when I'm ready to look at the results.

Here is the output of the network trace on disk:

On another machine that I own, I install Microsoft Message Analyzer to convert it. I got Microsoft Message Analyzer here: https://www.microsoft.com/en-us/download/details.aspx?id=44226 . I took the default values on the installation. (Note that Microsoft has since retired Message Analyzer and removed the download; Microsoft's open-source etl2pcapng tool, https://github.com/microsoft/etl2pcapng, converts a netsh trace ETL straight to a pcapng file that Wireshark can open, and is the replacement to reach for today.)

After it is installed, I transfer the sniff.etl file to the machine with Microsoft Message Analyzer on it. The whole point is that I didn't need to put any third-party tools on the target machine to get a packet capture.

I copy sniff.etl into "c:\users\public\" on that machine. I load the file in Microsoft Message Analyzer and convert it in the UI to the .CAP file format.

I want to save it with a .CAP file extension.

Here is the output

At this point I can read it in Wireshark. However, I want to convert it to a pcap file that net-creds can use to search for credentials. I need to install an old version of Wireshark to do this; the newer versions don't offer this conversion. I'm using Wireshark Portable version 1.6.8, which does work for me.

Once Wireshark Portable 1.6.8 is ready, I open the .CAP file, choose "Save As", and select the pcap format.

I install net-creds on my Kali box and transfer the PCAP file there:

git clone https://github.com/DanMcInerney/net-creds

Now I can run net-creds. Here is the command:

python net-creds.py -p [PCAP FILENAME GOES HERE]
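To show what net-creds is actually doing with that pcap, here is an added example that is not part of net-creds or of the original post. It builds a small libpcap file in memory out of constructed Ethernet/IPv4/TCP frames (an HTTP request with Basic auth, an FTP login, and a blob carrying an NTLM type 3 message), then walks the file, pulls the TCP payloads, and reports the credentials it finds. The hosts, ports, usernames and passwords are made up; only the Python standard library is used. Reading the libpcap header up front is also why the conversion chain above has to end in a .pcap: an ETL or pcapng file fails the magic check.

```python
"""Minimal net-creds-style credential scan over a libpcap (.pcap) file.

Added example for this walkthrough, not net-creds' own code. Standard
library only; the capture it scans is constructed in build_sample_pcap(),
so the script runs offline with no real traffic.
"""
import base64
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic number (microsecond timestamps)
BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
FTP_RE = re.compile(rb"^(USER|PASS)\s+(\S+)", re.I | re.M)


def _ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload (checksums left at zero;
    the parser below never verifies them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ipv4(src_ip), _ipv4(dst_ip)) + tcp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip


def build_pcap(frames):
    """Serialise frames into a little-endian libpcap file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap_bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each IPv4/TCP frame."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file (ETL/pcapng must be converted first)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                    # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src_ip = ".".join(map(str, frame[26:30]))
        dst_ip = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src_ip, dst_ip, sport, dport, tcp[(tcp[12] >> 4) * 4:]


def find_credentials(pcap_bytes):
    """Return a list of (kind, src_ip, dst_ip, detail) findings."""
    findings = []
    pending_ftp_user = {}               # flow 4-tuple -> USER waiting for its PASS
    for src, dst, sport, dport, payload in iter_tcp_payloads(pcap_bytes):
        for m in BASIC_RE.finditer(payload):
            try:
                creds = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:          # binascii.Error is a ValueError
                continue
            findings.append(("http-basic", src, dst, creds))
        if dport == 21:
            flow = (src, dst, sport, dport)
            for cmd, arg in FTP_RE.findall(payload):
                if cmd.upper() == b"USER":
                    pending_ftp_user[flow] = arg.decode("latin-1")
                elif flow in pending_ftp_user:
                    user = pending_ftp_user.pop(flow)
                    findings.append(("ftp", src, dst, user + ":" + arg.decode("latin-1")))
        idx = payload.find(b"NTLMSSP\x00")
        if idx != -1 and len(payload) >= idx + 12:
            if struct.unpack("<I", payload[idx + 8:idx + 12])[0] == 3:
                findings.append(("ntlm-authenticate", src, dst,
                                 "NTLM type 3 message seen (challenge/response hash material)"))
    return findings


def build_sample_pcap():
    """Constructed traffic, not a real capture: Basic auth, FTP login, NTLM blob."""
    http = (b"GET /admin HTTP/1.1\r\nHost: intranet.lab\r\nAuthorization: Basic "
            + base64.b64encode(b"alice:Sup3rSecret") + b"\r\n\r\n")
    ntlm = b"\x00\x00\x00\x40" + b"NTLMSSP\x00" + struct.pack("<I", 3) + b"\x00" * 40
    return build_pcap([
        build_frame("10.0.0.5", "10.0.0.20", 51000, 80, http),
        build_frame("10.0.0.5", "10.0.0.21", 51001, 21, b"USER bob\r\n"),
        build_frame("10.0.0.21", "10.0.0.5", 21, 51001, b"331 Please specify the password.\r\n"),
        build_frame("10.0.0.5", "10.0.0.21", 51001, 21, b"PASS hunter2\r\n"),
        build_frame("10.0.0.5", "10.0.0.22", 51002, 445, ntlm),
    ])


if __name__ == "__main__":
    for kind, src, dst, detail in find_credentials(build_sample_pcap()):
        print(f"{kind:18} {src} -> {dst}  {detail}")
```

The FTP matching keys on the full 4-tuple so a PASS is only paired with the USER from the same connection, and the NTLM check only flags the type 3 (authenticate) message, which is the one carrying the response that a cracker needs alongside the server challenge. To run it against your own converted capture, replace build_sample_pcap() with open("sniff.pcap", "rb").read().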

If you are lucky you may find some clear-text credentials (HTTP Basic and form logins, FTP, POP, IMAP, SMTP, Telnet, SNMP community strings) or some NTLMv1/v2 challenge/response hashes. I had fun learning this. Feel free to follow me on Twitter at @_markmo_ (yes, with the underscores). I like to share what I learn.