Network Captures

Extract Creds

Pcredz extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth type 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc. from a pcap file or from a live interface.

# Install requirements (libpcap headers are needed to build python-libpcap)
sudo apt install python3-pip libpcap-dev && pip3 install Cython python-libpcap
# Clone and build docker image
git clone https://github.com/lgandx/PCredz
cd PCredz
docker build . -t pcredz
docker run --net=host -v $(pwd):/opt/Pcredz -it pcredz

Usage

# extract credentials from a pcap file
python3 ./Pcredz -f file-to-parse.pcap

# extract credentials from all pcap files in a folder
python3 ./Pcredz -d /tmp/pcap-directory-to-parse/

# extract credentials from a live packet capture on a network interface (needs root privileges)
python3 ./Pcredz -i eth0 -v

Parsing

sudo apt install tshark

Unique IPs, MACs & Ports

# IPs (tshark prints src and dst tab-separated; fields with several values are comma-separated, hence both tr calls)
tshark -r <PCAP> -T fields -e ip.src -e ip.dst | tr "\t" "\n" | tr "," "\n" | sort | uniq
# MACs
tshark -r <PCAP> -T fields -e eth.src -e eth.dst | tr "\t" "\n" | tr "," "\n" | sort | uniq
# Ports (tcp.port / udp.port each yield "src,dst")
tshark -r <PCAP> -T fields -e tcp.port -e udp.port | tr "\t" "\n" | tr "," "\n" | sort | uniq
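The same unique-IP/MAC/port summary, as an added example that is not part of this page, Pcredz or tshark: a dependency-free Python parser that reads the classic libpcap format directly (pcapng and non-Ethernet link types are rejected, which is an assumption of this example) so the inventory step can run where tshark is not installed. The sample capture is constructed inline.

```python
import struct

def iter_pcap_packets(data: bytes):
    """Yield raw frames from a classic libpcap file (pcapng is not handled)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB only
        raise ValueError("only Ethernet link type is decoded here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def unique_endpoints(data: bytes):
    """Return sorted unique IPv4 addresses, MACs and TCP/UDP ports in a pcap."""
    ips, macs, ports = set(), set(), set()
    for frame in iter_pcap_packets(data):
        if len(frame) < 14:
            continue  # truncated frame, no usable Ethernet header
        for mac in (frame[0:6], frame[6:12]):
            macs.add(":".join("%02x" % b for b in mac))
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (ARP, IPv6, ...); no IPs or ports to record
        ip = frame[14:]
        if len(ip) < 20:
            continue
        ihl = (ip[0] & 0x0F) * 4  # header length in bytes (options included)
        for addr in (ip[12:16], ip[16:20]):
            ips.add(".".join(str(b) for b in addr))
        if ip[9] in (6, 17) and len(ip) >= ihl + 4:  # TCP or UDP
            ports.update(struct.unpack("!HH", ip[ihl:ihl + 4]))
    return sorted(ips), sorted(macs), sorted(ports)

def _frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Constructed Ethernet/IPv4/(TCP|UDP) frame with only the fields we parse."""
    ip4 = lambda s: bytes(int(x) for x in s.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, ip4(src_ip), ip4(dst_ip))
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + struct.pack("!HH", sport, dport) + bytes(4)

def _pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # constructed LE global header
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
SAMPLE_PCAP = _pcap([_frame(MAC_A, MAC_B, "10.0.0.5", "10.0.0.1", 6, 51234, 445),
                     _frame(MAC_B, MAC_A, "10.0.0.1", "10.0.0.5", 6, 445, 51234),
                     _frame(MAC_A, MAC_B, "10.0.0.5", "10.0.0.53", 17, 40000, 53)])
```

Calling `unique_endpoints(open("file.pcap", "rb").read())` on a real capture gives the three lists; `iter_pcap_packets` raises rather than silently mis-parsing a pcapng or non-Ethernet file.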
