PRIMARY CATEGORY → CREDENTIAL HUNTING • LINUX PRIVESC
Theory
We can only extract data from captured packets when the protocol in use is not end-to-end encrypted.
That is, if an attacker intercepts packets from a plain HTTP connection between a client and a web server, the request and response data can be read straight out of the packets; if the same connection uses HTTPS, the data cannot be extracted unless the attacker knows the session key.
In that case, since the bulk encryption used by TLS is a symmetric cipher, an attacker who obtains the session key (for example from a client that writes its TLS secrets to a key log file) could use it to decrypt those packets and extract all the data in plain form.
TShark
HTTP
Encrypted Counterpart → HTTPS
HTTP POST Data (POST Parameters’ value)
From a given Capture File e.g. Pcap
tshark -r <CAPTURE_FILE> -Y 'http.request.method == "POST"' -T fields -e http.file_data 2> /dev/null
From Live Traffic
tshark --interface <INTERFACE> -Y 'http.request.method == "POST"' -T fields -e http.file_data 2> /dev/null
SNMP
Encrypted Counterpart → SNMPv3
SNMP Community String
From a given Capture File e.g. Pcap
tshark -r <CAPTURE_FILE> -Y 'snmp' -T fields -e snmp.community 2> /dev/null | sort -u
From Live Traffic
tshark --interface <INTERFACE> -Y 'snmp' -T fields -e snmp.community 2> /dev/null
FTP
Encrypted Counterpart → FTPS
FTP Login (User and Password)
From a given Capture File e.g. Pcap
tshark -r <CAPTURE_FILE> -Y 'ftp.request.command == "USER" or ftp.request.command == "PASS"' -T fields -e ftp.request.command -e ftp.request.arg -E separator=: 2> /dev/null
From Live Traffic
tshark --interface <INTERFACE> -Y 'ftp.request.command == "USER" or ftp.request.command == "PASS"' -T fields -e ftp.request.command -e ftp.request.arg -E separator=: 2> /dev/null
PCredz
Setup
apt install -y -- python3-pip libpcap-dev file
python3 -m venv .venv
source .venv/bin/activate
pip3 install Cython python-libpcap
git clone https://github.com/lgandx/PCredz PCredz
Creds Extraction
From a given Capture File e.g. Pcap
cd PCredz
python3 ./Pcredz -v -f <CAPTURE_FILE>
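As an added example (not part of the original page, and not tshark's or PCredz's own code), the script below does at packet level what the three tshark one-liners and PCredz do: it parses a classic pcap, walks Ethernet/IPv4 and then TCP/UDP, and pulls HTTP POST bodies, SNMP v1/v2c community strings and FTP USER/PASS commands out of the payloads. It only needs the Python standard library. The capture it runs on is constructed inline with made-up addresses and credentials; the reliance on destination ports 161 and 21, and on short-form BER lengths for SNMP, are simplifying assumptions.

```python
"""Pure-Python credential hunter for a classic pcap file (not pcapng).

Walks each record, parses Ethernet/IPv4 and then TCP or UDP, and extracts
HTTP POST bodies, SNMP v1/v2c community strings and FTP USER/PASS commands.
The sample capture is constructed inline with fake addresses and fake
credentials (assumption: none of it is real data).
"""
import struct

ETH_P_IP, IPPROTO_TCP, IPPROTO_UDP = 0x0800, 6, 17


def _ip_frame(proto, payload):
    # Zeroed MACs + EtherType, then a minimal IPv4 header (no options; checksum
    # left at 0 because this example only parses the frames, never sends them).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + hdr + payload


def tcp_frame(sport, dport, payload):
    # 20-byte TCP header: data offset 5 (no options), flags PSH|ACK.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return _ip_frame(IPPROTO_TCP, tcp + payload)


def udp_frame(sport, dport, payload):
    return _ip_frame(IPPROTO_UDP, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def build_pcap(frames):
    # Little-endian classic pcap global header, linktype 1 = Ethernet.
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_packets(pcap):
    """Yield (l4proto, (sport, dport), payload) for every IPv4 TCP/UDP frame."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    pos = 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[pos:pos + 16])[2]   # incl_len field
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
            continue
        ip = frame[14:]
        l4 = ip[(ip[0] & 0x0F) * 4:]              # skip IHL*4 bytes of IPv4 header
        ports = struct.unpack("!HH", l4[:4])
        if ip[9] == IPPROTO_TCP:
            yield "tcp", ports, l4[(l4[12] >> 4) * 4:]   # skip data-offset*4 bytes
        elif ip[9] == IPPROTO_UDP:
            yield "udp", ports, l4[8:]


def snmp_community(payload):
    """SNMPv1/v2c: SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
    Handles short-form BER lengths only, which covers ordinary small packets."""
    if len(payload) < 7 or payload[0] != 0x30 or payload[2] != 0x02:
        return None
    pos = 4 + payload[3]                          # skip SEQUENCE header + INTEGER version
    if pos + 1 >= len(payload) or payload[pos] != 0x04:
        return None
    n = payload[pos + 1]
    return payload[pos + 2:pos + 2 + n].decode(errors="replace")


def extract_credentials(pcap):
    found = {"http_post": [], "snmp_community": set(), "ftp_login": []}
    for proto, (sport, dport), data in iter_packets(pcap):
        if proto == "udp" and dport == 161:
            c = snmp_community(data)
            if c is not None:
                found["snmp_community"].add(c)
        elif proto == "tcp" and data.startswith(b"POST ") and b"\r\n\r\n" in data:
            body = data.split(b"\r\n\r\n", 1)[1]  # the bytes tshark reports as http.file_data
            if body:
                found["http_post"].append(body.decode(errors="replace"))
        elif proto == "tcp" and dport == 21:
            for line in data.decode(errors="replace").splitlines():
                cmd, _, arg = line.partition(" ")
                if cmd in ("USER", "PASS"):
                    found["ftp_login"].append(f"{cmd}:{arg}")  # same shape as -E separator=:
    return found


# Constructed sample capture: one HTTP login POST, one SNMPv2c GetRequest with
# community "public", and an FTP USER/PASS pair.  Every value is made up.
SAMPLE_PCAP = build_pcap([
    tcp_frame(40000, 80, b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                         b"Content-Type: application/x-www-form-urlencoded\r\n"
                         b"Content-Length: 30\r\n\r\nusername=alice&password=Winter"),
    udp_frame(50000, 161, b"\x30\x18\x02\x01\x01\x04\x06public"
                          b"\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00"),
    tcp_frame(40001, 21, b"USER bob\r\n"),
    tcp_frame(40001, 21, b"PASS s3cret\r\n"),
])

if __name__ == "__main__":
    for kind, values in extract_credentials(SAMPLE_PCAP).items():
        print(kind, sorted(values))
```

The point of writing it out is to see where each artefact actually lives: the POST body is whatever follows the first blank line of the request, the community string is the second BER element of the SNMP message, and FTP credentials are two consecutive plaintext command lines. Real captures need TCP stream reassembly and pcapng support, which is why tshark and PCredz are the practical tools; this script only shows the mechanism.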