lgandx / pcredz

This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.

License: GNU General Public License v3.0

Python 100.00%


pcredz's Issues

Support hcxdumptool (hashcat) pcapng format?

Does it make sense adding support for hcxdumptool output files? It doesn't require MITM. Among capturing handshakes, it also captures unencrypted packets. I'm unsure though if they are useful for your tool.

And, please, change #! /usr/bin/env python to #! /usr/bin/env python2 - your tool is python2 only.

AttributeError: 'module' object has no attribute 'pcapObject'

Hi there,
I have recently been seeing an issue I am having trouble resolving when running PCredz:

Traceback (most recent call last):
  File "./Pcredz", line 757, in <module>
    Run()
  File "./Pcredz", line 750, in Run
    decode_file(fname,'')
  File "./Pcredz", line 651, in decode_file
    p = pcap.pcapObject()
AttributeError: 'module' object has no attribute 'pcapObject'

I have pylibpcap installed and have removed libpcap, as I understand they don't play well together?:
Requirement already satisfied: pylibpcap in /usr/local/lib/python2.7/dist-packages (0.6.4)

Any assistance is appreciated whilst I figure this one out

Compiling Dockerfile

It looks like the Dockerfile is named dockerfile with a lowercase "d". Docker is case-sensitive, and it expects the file to be named exactly Dockerfile with an uppercase "D".

To fix this, you can either rename your existing Dockerfile to Dockerfile using the following command:

mv dockerfile Dockerfile

Unused import

You are importing 'string' in line 7, but it is never used.

libpcap Not Installed

I am trying to test #47 on a non-Kali box, but I cannot get PCredz to even run due to it claiming libpcap is not installed. I attempted previous closed issue fixes, but couldn't get anything to work. I downloaded this Ubuntu image today and updated it.

image

Let me know if you have any ideas or want me to retest.

python-libpcap deprecated

On the latest Kali build, apt is reporting that python-libpcap does not exist. Also, attempts to install it from the SourceForge link provided by the error message when trying to run PCredz fail. Is there an alternative, or can PCredz be updated to use another pcap parsing library?

issue in live capture!

Hello, the system I am using is Kali Linux 2.0 amd64:
root@kali:~/PCredz# apt-get remove python-pypcap && apt-get install python-libpcap
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'python-pypcap' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-libpcap is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

When I run it
root@kali:~/PCredz# ./Pcredz -i wlan0
Pcredz 1.0.0
Author: Laurent Gaffie
Please send bugs/comments/pcaps to: [email protected]
This script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,
FTP, HTTP Basic and credit card data from a given pcap file or from a live interface.

CC number scanning activated

Traceback (most recent call last):
  File "./Pcredz", line 681, in <module>
    Run()
  File "./Pcredz", line 676, in Run
    decode_file(fname,'')
  File "./Pcredz", line 584, in decode_file
    p = pcap.pcapObject()
AttributeError: 'module' object has no attribute 'pcapObject!!!

Thanks

pcredz tries to write log file in /usr/sbin

pcredz is writing a log file in /usr/sbin. It should log it somewhere else, like /var/log, use syslog, or logging to a file should be an option, since it seems to write the same data to stdout and to the log file.

bduncan@ltw3701:~$ pcredz -i eth0
Pcredz 0.9
Author: Laurent Gaffie
Please send bugs/comments/pcaps to: [email protected]
This script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,
FTP, HTTP Basic and credit card data from a given pcap file or from a live interface.

Traceback (most recent call last):
  File "/usr/sbin/pcredz", line 81, in <module>
    l.addHandler(logging.FileHandler(Filename,'a'))
  File "/usr/lib/python2.7/logging/__init__.py", line 911, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib/python2.7/logging/__init__.py", line 936, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 13] Permission denied: '/usr/sbin/CredentialDump-Session.log'
:( 1 bduncan@ltw3701:~$

Thanks,
Bruce

Installing on Kali Linux 2020.2

Hi. I was trying to install on Kali Linux 2020.2 and ran the install as suggested.

sudo apt install python3-pip && pip3 install Cython && pip3 install python-libpcap

However, I was getting the following error I included below.

I was able to solve by installing libpcap-dev.

sudo apt install libpcap-dev

FYI in case others run into the issue.

Building wheel for python-libpcap (setup.py) ... error
ERROR: Command errored out with exit status 1:
command: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-mg382xue/python-libpcap/setup.py'"'"'; __file__='"'"'/tmp/pip-install-mg382xue/python-libpcap/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-l7d1cm3m
cwd: /tmp/pip-install-mg382xue/python-libpcap/
Complete output (34 lines):
running bdist_wheel
running build
running build_py
creating build
creating build/lib.linux-x86_64-3.8
creating build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/utils.py -> build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/command.py -> build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/pcap.py -> build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/main.py -> build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/open.py -> build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/init.py -> build/lib.linux-x86_64-3.8/pylibpcap
running egg_info
writing python_libpcap.egg-info/PKG-INFO
writing dependency_links to python_libpcap.egg-info/dependency_links.txt
writing entry points to python_libpcap.egg-info/entry_points.txt
writing requirements to python_libpcap.egg-info/requires.txt
writing top-level names to python_libpcap.egg-info/top_level.txt
reading manifest file 'python_libpcap.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no files found matching '*.h' under directory 'src'
warning: no previously-included files matching '*.pyc' found anywhere in distribution
writing manifest file 'python_libpcap.egg-info/SOURCES.txt'
copying pylibpcap/base.c -> build/lib.linux-x86_64-3.8/pylibpcap
running build_ext
building 'pylibpcap.base' extension
creating build/temp.linux-x86_64-3.8
creating build/temp.linux-x86_64-3.8/pylibpcap
x86_64-linux-gnu-gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.8 -c pylibpcap/base.c -o build/temp.linux-x86_64-3.8/pylibpcap/base.o -lpcap
pylibpcap/base.c:622:10: fatal error: pcap.h: No such file or directory
622 | #include "pcap.h"
| ^~~~~~~~
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1


ERROR: Failed building wheel for python-libpcap

Running setup.py install for python-libpcap ... error
ERROR: Command errored out with exit status 1:
command: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-mg382xue/python-libpcap/setup.py'"'"'; __file__='"'"'/tmp/pip-install-mg382xue/python-libpcap/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record /tmp/pip-record-ua36ifxi/install-record.txt --single-version-externally-managed --compile --install-headers /usr/local/include/python3.8/python-libpcap
cwd: /tmp/pip-install-mg382xue/python-libpcap/
Complete output (34 lines):
running install
running build
running build_py
creating build
creating build/lib.linux-x86_64-3.8
creating build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/utils.py -> build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/command.py -> build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/pcap.py -> build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/main.py -> build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/open.py -> build/lib.linux-x86_64-3.8/pylibpcap
copying pylibpcap/init.py -> build/lib.linux-x86_64-3.8/pylibpcap
running egg_info
writing python_libpcap.egg-info/PKG-INFO
writing dependency_links to python_libpcap.egg-info/dependency_links.txt
writing entry points to python_libpcap.egg-info/entry_points.txt
writing requirements to python_libpcap.egg-info/requires.txt
writing top-level names to python_libpcap.egg-info/top_level.txt
reading manifest file 'python_libpcap.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no files found matching '*.h' under directory 'src'
warning: no previously-included files matching '*.pyc' found anywhere in distribution
writing manifest file 'python_libpcap.egg-info/SOURCES.txt'
copying pylibpcap/base.c -> build/lib.linux-x86_64-3.8/pylibpcap
running build_ext
building 'pylibpcap.base' extension
creating build/temp.linux-x86_64-3.8
creating build/temp.linux-x86_64-3.8/pylibpcap
x86_64-linux-gnu-gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.8 -c pylibpcap/base.c -o build/temp.linux-x86_64-3.8/pylibpcap/base.o -lpcap
pylibpcap/base.c:622:10: fatal error: pcap.h: No such file or directory
622 | #include "pcap.h"
| ^~~~~~~~
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
----------------------------------------
ERROR: Command errored out with exit status 1: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-mg382xue/python-libpcap/setup.py'"'"'; __file__='"'"'/tmp/pip-install-mg382xue/python-libpcap/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record /tmp/pip-record-ua36ifxi/install-record.txt --single-version-externally-managed --compile --install-headers /usr/local/include/python3.8/python-libpcap Check the logs for full command output.

Lack of IPv6 support

PCredz does not support IPv6 traffic, and will silently ignore any that's present on the interface or in any imported pcap files.

On an IPv6-only or dual stack network, modern operating systems will use IPv6 in preference to any legacy protocols, so all legitimate traffic would be using this protocol.

This occurs because the Print_Packet_* functions explicitly check for the legacy IPv4 ether type (0x0800) and ignore anything else:

if data[12:14]== b'\x08\x00':

This is then passed to the function Decode_Ip_Packet, which extracts the src/destination address from the packet header. It then returns the packet payload (i.e. starting from the TCP/UDP header).

The attached patch also checks for the IPv6 ether type (0x86dd) and passes it to a separate function Decode_Ipv6_Packet that handles an IPv6 header. The higher level TCP/UDP payloads remain the same on IPv6 so execution continues after parsing the header and returning the correct start of the payload.

So far this only works with a standard 40 byte IPv6 header; it does not properly check the next-header field, so it would fail if there are optional extension headers present (rare).

Instead of using a separate function for IPv6, it may be preferable to use a single function and then check the version field of the header and act accordingly.

v6.txt
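
The single-function approach suggested in the issue above, as an added sketch that is not PCredz code and not the attached patch: dispatch on the ether type, confirm the version nibble, then walk the IPv6 next-header chain so extension headers no longer shift the payload offset. The names `locate_transport` and `build_samples` and the sample frames are constructed for illustration.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6 = b"\x08\x00", b"\x86\xdd"
TRANSPORT = {6: "tcp", 17: "udp"}
# Extension headers laid out as: next header (1 byte), length in 8-byte units minus one (1 byte).
EXT_GENERIC = {0, 43, 60, 135}  # hop-by-hop, routing, destination options, mobility
EXT_FRAGMENT, EXT_AUTH = 44, 51


def locate_transport(frame):
    """Return (proto, src, dst, segment) for TCP/UDP over IPv4 or IPv6, else None."""
    if len(frame) < 14:
        return None
    ethertype, ip = frame[12:14], frame[14:]
    if ethertype == ETH_IPV4:
        return _ipv4(ip)
    if ethertype == ETH_IPV6:
        return _ipv6(ip)
    return None


def _ipv4(ip):
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", ip[2:4])
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ihl < 20 or total_len < ihl or frag_off or ip[9] not in TRANSPORT:
        return None
    src, dst = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    return TRANSPORT[ip[9]], str(src), str(dst), ip[ihl:total_len]


def _ipv6(ip):
    if len(ip) < 40 or ip[0] >> 4 != 6:
        return None
    payload_len, = struct.unpack("!H", ip[4:6])
    end = min(len(ip), 40 + payload_len)  # ignore link-layer padding after the datagram
    nxt, off = ip[6], 40
    while nxt not in TRANSPORT:
        if off + 8 > end:
            return None  # truncated extension header
        if nxt in EXT_GENERIC:
            hdr_len = (ip[off + 1] + 1) * 8
        elif nxt == EXT_FRAGMENT:
            if struct.unpack("!H", ip[off + 2:off + 4])[0] >> 3:
                return None  # later fragment: no transport header at this offset
            hdr_len = 8
        elif nxt == EXT_AUTH:
            hdr_len = (ip[off + 1] + 2) * 4
        else:
            return None  # ESP, ICMPv6, "no next header" or unknown
        nxt, off = ip[off], off + hdr_len
    if off > end:
        return None
    src, dst = ipaddress.IPv6Address(ip[8:24]), ipaddress.IPv6Address(ip[24:40])
    return TRANSPORT[nxt], str(src), str(dst), ip[off:end]


def build_samples():
    """Constructed frames (not captured traffic) for exercising the parser."""
    tcp = struct.pack("!HHIIBBHHH", 50000, 21, 0, 0, 5 << 4, 0x18, 1024, 0, 0) + b"USER demo\r\n"
    mac = bytes(12)
    a4, b4 = (ipaddress.IPv4Address(a).packed for a in ("192.0.2.1", "192.0.2.2"))
    a6, b6 = (ipaddress.IPv6Address(a).packed for a in ("2001:db8::1", "2001:db8::2"))
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, a4, b4)
    hop = bytes([6, 0, 1, 4, 0, 0, 0, 0])  # next header TCP, length 0 (8 bytes), PadN option

    def v6(next_header, body):
        return struct.pack("!IHBB", 6 << 28, len(body), next_header, 64) + a6 + b6 + body

    return {"tcp": tcp,
            "ipv4": mac + ETH_IPV4 + v4 + tcp,
            "ipv6": mac + ETH_IPV6 + v6(6, tcp),
            "ipv6_ext": mac + ETH_IPV6 + v6(0, hop + tcp)}
```

The returned segment starts at the TCP/UDP header in every case, so the same higher-level decoders can run on it regardless of IP version.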

can't parse .pcap

Hello,

When I use your script on a capture .pcap, I have an "error": Can't parse ch1.pcap.
Is it normal?

gudbes@PC:~/PCredz$ ./Pcredz -f ch1.pcap -v
Pcredz 1.0.0
Author: Laurent Gaffie
Please send bugs/comments/pcaps to: [email protected]
This script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,
FTP, HTTP Basic and credit card data from a given pcap file or from a live interface.

CC number scanning activated

Can't parse ch1.pcap

ch1.pcap parsed in: 0.0404 seconds (File size 0.269 Mo).

Exception on interface without IP address

I ran it on an interface without an assigned IP address and got the following exception:

root@probe1:~/PCredz# ./Pcredz -i eth1 -t -v
Pcredz 1.0.0
Author: Laurent Gaffie
Please send bugs/comments/pcaps to: [email protected]
This script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,
FTP, HTTP Basic and credit card data from a given pcap file or from a live interface.

CC number scanning activated

Traceback (most recent call last):
  File "./Pcredz", line 705, in <module>
    Run()
  File "./Pcredz", line 700, in Run
    decode_file(fname,'')
  File "./Pcredz", line 609, in decode_file
    net, mask = pcap.lookupnet(interface)
Exception: [Error 99] eth1: no IPv4 address assigned

It works fine if you comment out line 609 (those variables aren't used at all).

Support for SMTP NTLM hash

Hi,

I wonder if NTLM hashes for SMTP authentication could be supported by PCredz. If so, I have done some research on your tool using your function "ParseNTLMHash". It works perfectly manually, but I didn't automate it within the tool's pcap analysis. NTLM authentication is widely used by SMTP and I think it would be interesting. This feature requires very little R&D since everything needed is already developed and is very similar to the HTTP NTLM authentication that you already support.

Please let me know if you want me to help to develop the feature or PR.

Regards.

python dependencies not met but are. Maybe I am tired but what?

└─$ sudo python3 ./Pcredz -i eth0 -v
libpcap not installed.
try : apt install python3-pip && pip3 install Cython && pip3 install python-libpcap

└─$ sudo apt install python3-pip && pip3 install Cython && pip3 install python-libpcap
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
python3-pip is already the newest version (20.3.4-1).
The following packages were automatically installed and are no longer required:
libxml-dom-perl libxml-perl libxml-regexp-perl
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1478 not upgraded.
Requirement already satisfied: Cython in /usr/lib/python3/dist-packages (0.29.21)
Requirement already satisfied: python-libpcap in /home/pentester/.local/lib/python3.8/site-packages (0.4.0)
Requirement already satisfied: Cython>=0.29.13 in /usr/lib/python3/dist-packages (from python-libpcap) (0.29.21)

rerunning the script

I ran the script once and got a nice dump of output, I then ran it again to send the output to a file, when I checked the file it only had the script headers in it, no data. I tried a few times and didn't get any output.

I then noticed the session log file and found that contained all my data and after fiddling realised that you don't output anything that is already cached in the file. This causes a couple of problems:

  • There is no mention of this feature, so I wasted some time trying to find my data again. It should be documented.
  • If a cache of existing data is found, the script should mention this when it is run, maybe something like:
    -- Existing X entries from cache not shown --
  • It would be good to specify where the output file is written to, I want the output in my client folder not in the script folder
  • A feature to dump the creds in the file would be good
  • A feature that says ignore the cache and dump everything would be good.

Sorry to put these all in one ticket, I'll break them out into multiple if you want so that you can track or respond to each one separately.

Kerberos AES-256 Hashes

Hey! I was wondering if there's any chance you could also add support to extract Kerberos AES-256 hashes (type 17) as well? Most of the environments I encounter have Windows domains that are passing these newer hashes rather than the older RC4 ones.

Thanks!

Log file path in home

Greetings,

First of all, thank you for this tool.

Do you think it would be possible to modify the logfile location, or make it customisable? The current location is the main script location, and it doesn't pair well with systems such as NixOS where this location is marked as read-only. Wouldn't the home directory be a better place, maybe?

Regards.

python-libpcap currently broken

The latest update to python-libpcap in debian (and kali) has broken pcredz. 😕

Not sure who maintains the package or when/if it will get fixed.

https://udd.debian.org/bugs.cgi?release=wheezy_and_sid&patch=ign&merged=ign&done=ign&fnewerval=7&rc=1&sortby=id&sorto=asc&ctags=1&ctags=1&cdeferred=1

apt-get remove python-pypcap && apt-get install python-libpcap
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'python-pypcap' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  python-libpcap
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 0 B/25.2 kB of archives.
After this operation, 89.1 kB of additional disk space will be used.
Selecting previously unselected package python-libpcap.
(Reading database ... 834021 files and directories currently installed.)
Preparing to unpack .../python-libpcap_0.6.4-1+b1_amd64.deb ...
Unpacking python-libpcap (0.6.4-1+b1) ...
Setting up python-libpcap (0.6.4-1+b1) ...
Sorry: IndentationError: expected an indented block (pcap.py, line 115)
dpkg: error processing package python-libpcap (--configure):
 installed python-libpcap package post-installation script subprocess returned error exit status 101
Errors were encountered while processing:
 python-libpcap
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)

Enhancement: Read from sys.stdin

Proposed Enhancement

It would be great if the program could read from sys.stdin. That way it would be possible to pipe tcpdump streams directly into the program.

Example

This way you could do for example
$ tcpdump '<capture filter>' -U -w - | Pcredz | grep -i found > found_creds.log
or even
ssh root@remote-server "(tcpdump '<capture filter>' -U -w -)" | Pcredz | grep -i found > found_creds.log

Benefits

It would be possible to process a huge amount of traffic without needing to store large amounts of pcap data.

Mac OSX Run Fail

I get this when trying to run './Pcredz -i en1':
Traceback (most recent call last):
  File "./Pcredz", line 681, in <module>
    Run()
  File "./Pcredz", line 676, in Run
    decode_file(fname,'')
  File "./Pcredz", line 584, in decode_file
    p = pcap.pcapObject()
AttributeError: 'module' object has no attribute 'pcapObject'

I followed the install instructions by downloading the pylib package referenced, untar-ing it, and python setup.py installing it.

Base64 decoding errors

I'm getting numerous errors involving the base64 decoding of packet data. Unfortunately I cannot provide any example packets due to the sensitive nature of the data, but happy to assist in other ways to identify the root cause.

This trace was from an interface:

Traceback (most recent call last):
  File "./Pcredz", line 834, in <module>
    Run()
  File "./Pcredz", line 829, in Run
    decode_file(fname,'')
  File "./Pcredz", line 743, in decode_file
    Print_Packet_Tcpdump(plen, t, buf)
  File "./Pcredz", line 717, in Print_Packet_Tcpdump
    ParseDataRegex(decoded, SrcPort, DstPort)
  File "./Pcredz", line 411, in ParseDataRegex
    decoded_value = b64decode(authz_value_padded)
  File "/usr/lib/python3.8/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Invalid base64-encoded string: number of data characters (1173) cannot be 1 more than a multiple of 4

This trace is from a pcap file:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/threading.py", line 926, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.7/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "./Pcredz", line 720, in loop_packets
    func(x[0], x[1], x[2])
  File "./Pcredz", line 706, in Print_Packet_Tcpdump
    ParseDataRegex(decoded, SrcPort, DstPort)
  File "./Pcredz", line 404, in ParseDataRegex
    decoded['data'] = b64decode(b''.join(HTTPNegotiateAuthz))
  File "/usr/local/lib/python3.7/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding
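
Both tracebacks above end in an uncaught `binascii.Error`. One way a capture parser can treat base64 values cut out of packet data so that malformed input is skipped instead of raising, as an added example that is not PCredz code: it assumes a value may arrive without its padding or be cut short at a segment boundary, and the names `tolerant_b64decode`, `extract_auth_blobs` and the sample requests are constructed for illustration.

```python
import base64
import binascii
import re

# Value of an HTTP Authorization header using the Negotiate or NTLM scheme.
AUTHZ_RE = re.compile(rb"Authorization: (?:Negotiate|NTLM) ([A-Za-z0-9+/=]+)", re.I)
B64_BODY_RE = re.compile(rb"[A-Za-z0-9+/]+")


def tolerant_b64decode(token):
    """Decode base64 cut out of packet data; return bytes, or None if it cannot be valid."""
    body = token.rstrip(b"=")
    if not body or B64_BODY_RE.fullmatch(body) is None:
        return None  # empty, '=' in the middle, or bytes outside the alphabet
    if len(body) % 4 == 1:
        return None  # a lone trailing character encodes no full byte: value was cut short
    padded = body + b"=" * (-len(body) % 4)  # restore padding a sender or a slice dropped
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None


def extract_auth_blobs(payload):
    """Return decoded Negotiate/NTLM blobs found in one TCP payload, skipping unusable ones."""
    blobs = []
    for match in AUTHZ_RE.finditer(payload):
        data = tolerant_b64decode(match.group(1))
        if data is not None:
            blobs.append(data)
    return blobs


def build_sample_payloads():
    """Constructed HTTP requests (not captured traffic): complete, unpadded and truncated."""
    blob = b"NTLMSSP\x00\x01\x00\x00\x00\x00"  # 13 bytes, so the encoding ends in '=='
    encoded = base64.b64encode(blob)
    head = b"GET / HTTP/1.1\r\nHost: example.test\r\nAuthorization: NTLM "
    return {"blob": blob,
            "complete": head + encoded + b"\r\n\r\n",
            "unpadded": head + encoded.rstrip(b"=") + b"\r\n\r\n",
            "truncated": head + encoded[:17]}  # segment ends mid-value, 17 % 4 == 1
```

The `len(body) % 4 == 1` branch corresponds to the "cannot be 1 more than a multiple of 4" error and the re-padding step to "Incorrect padding".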

python-libpcap PyGen_Send Python 3.10 Deprecation

Using Python 3.10, I was unable to run PCredz. It appears that PyGen_Send is deprecated by python-libpcap. I ran PCredz just fine with Python 3.9, but not 3.10. I've only found a workaround by calling Python 3.9 directly.

Error:
image

Supplemental Information:
image

If you need more information, I can give you what I can after sanitizing the output.

Error : libpcap not installed

Hi, I have an issue with PCredz. When running:
python3 ./Pcredz -f test.pcapng

Got this:
libpcap not installed. try : apt install python3-pip && sudo apt-get install libpcap-dev && pip3 install Cython && pip3 install python-libpcap

Also, requirements are installed:
└─$ sudo apt install python3-pip && sudo apt-get install libpcap-dev && pip3 install Cython && pip3 install python-libpcap

Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances... Fait
Lecture des informations d'état... Fait
python3-pip est déjà la version la plus récente (20.3.4-4).

0 mis à jour, 0 nouvellement installés, 0 à enlever et 0 non mis à jour.
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances... Fait
Lecture des informations d'état... Fait
libpcap-dev est déjà la version la plus récente (1.10.1-3).

0 mis à jour, 0 nouvellement installés, 0 à enlever et 0 non mis à jour.
Requirement already satisfied: Cython in /usr/lib/python3/dist-packages (0.29.21)
Requirement already satisfied: python-libpcap in /home/steph/.local/lib/python3.9/site-packages (0.4.0)
Requirement already satisfied: Cython>=0.29.13 in /usr/lib/python3/dist-packages (from python-libpcap) (0.29.21)

OS Information:
VERSION="2021.3"
VERSION_ID="2021.3"
VERSION_CODENAME="kali-rolling"
KERNEL: Linux 5.10.0-kali9-amd64
ARCHITECTURE: x86-64

How can I fix this?

version number needs updating

On Twitter you said:
"MSSQL plaintext auth decoding now supported in Pcredz. Get v1.0.0 :) "

but running the script it still says 0.9

Live Capture Host Exclusions

On my penetration tests, I often run into issues where my own systems' authentication requests are collected. Whenever I perform AD password spraying and forget to disable PCredz, my PCredz logs are filled with the password spray attempts, and I have actually missed an actual real hash in the same logs until further checks revealed the true positive. It would be nice if we had a feature like Responder to exclude a list of IP addresses or FQDNs.
