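--- a/Pcredz
+++ b/Pcredz
@@ -21,7 +21,8 @@
  print 'libpcap not installed.\ntry : apt-get remove python-pypcap && apt-get install python-libpcap\nOn Mac OS X download http://downloads.sourceforge.net/project/pylibpcap/pylibpcap/0.6.4/pylibpcap-0.6.4.tar.gz \ntar xvf pylibpcap-0.6.4.tar.gz && cd pylibpcap-0.6.4\n./setup.py install'
  exit()
 import logging
-import optparse
+import argparse
+#import string
 import os
 import re
 import socket
@@ -37,36 +38,22 @@
  Message = 'Pcredz 0.9\nAuthor: Laurent Gaffie\nPlease send bugs/comments/pcaps to: [email protected]\nThis script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,\nFTP, HTTP Basic and credit card data from a given pcap file or from a live interface.\n'
  print Message
  
-parser = optparse.OptionParser(usage='\npython %prog -f file.pcap\n%prog -d /tmp/pcap/\n%prog -i eth0',prog=sys.argv[0],)
-parser.add_option('-f', action="store", dest="fname", help = "Pcap file to parse", metavar="capture.pcap")
-parser.add_option('-d', action="store", dest="dir_path", help = "Pcap directory to parse recursivly", metavar="/home/pnt/pcap/")
-parser.add_option('-i', action="store", dest="interface", help = "interface for live capture", metavar="eth0")
-parser.add_option('-v', action="store_true", help="More verbose.", dest="Verbose")
-parser.add_option('-c', action="store_false", default='True', help = "deactivate CC number scanning (Can gives false positives!)", dest="activate_cc")
-parser.add_option('-t', action="store_true", help = "Include a timestamp in all generated messages (useful for correlation)", dest="timestamp")
+parser = argparse.ArgumentParser(description='Pcredz 0.9\nAuthor: Laurent Gaffie')
+m_group=parser.add_mutually_exclusive_group()
+m_group.add_argument('-f', type=str, dest="fname", default=None, help="Pcap file to parse")
+m_group.add_argument('-d', type=str, dest="dir_path", default=None, help="Pcap directory to parse recursivly")
+m_group.add_argument('-i', type=str, dest="interface", default=None, help="interface for live capture")
+parser.add_argument('-c', action="store_false", dest="activate_cc", default=True, help="deactivate CC number scanning (Can gives false positives!)")
+parser.add_argument('-t', action="store_true", dest="timestamp", help="Include a timestamp in all generated messages (useful for correlation)")
+parser.add_argument('-v', action="store_true", dest="Verbose", help="More verbose.")
 
-options, args = parser.parse_args()
+options = parser.parse_args()
 
 if options.fname is None and options.dir_path is None and options.interface is None:
  print '\n\033[1m\033[31m -f or -d or -i mandatory option missing.\033[0m\n'
  parser.print_help()
  exit(-1)
 
-if options.fname and options.dir_path:
- print '\n\033[1m\033[31mYou can\'t use -f and -d at the same time.\033[0m\n'
- parser.print_help()
- exit(-1)
-
-if options.fname and options.interface:
- print '\n\033[1m\033[31mYou can\'t use -f and -i at the same time.\033[0m\n'
- parser.print_help()
- exit(-1)
-
-if options.dir_path and options.interface:
- print '\n\033[1m\033[31mYou can\'t use -i and -d at the same time.\033[0m\n'
- parser.print_help()
- exit(-1)
-
 ShowWelcome()
 Verbose = options.Verbose
 fname = options.fname
@@ -75,6 +62,16 @@
 activate_cc = options.activate_cc
 timestamp = options.timestamp
 start_time = time.time()
+
+http_userfields = ['log','login', 'wpname', 'ahd_username', 'unickname', 'nickname', 'user', 'user_name',
+ 'alias', 'pseudo', 'email', 'username', '_username', 'userid', 'form_loginname', 'loginname',
+ 'login_id', 'loginid', 'session_key', 'sessionkey', 'pop_login', 'uid', 'id', 'user_id', 'screename',
+ 'uname', 'ulogin', 'acctname', 'account', 'member', 'mailaddress', 'membername', 'login_username',
+ 'login_email', 'loginusername', 'loginemail', 'uin', 'sign-in']
+
+http_passfields = ['ahd_password', 'pass', 'password', '_password', 'passwd', 'session_password', 'sessionpassword',
+ 'login_password', 'loginpassword', 'form_pw', 'pw', 'userpassword', 'pwd', 'upassword', 'login_password'
+ 'passwort', 'passwrd', 'wppassword', 'upasswd']
 
 Filename = str(os.path.join(os.path.dirname(__file__),"CredentialDump-Session.log"))
 l= logging.getLogger('Credential-Session')
@@ -308,6 +305,18 @@
 
 
 def ParseDataRegex(decoded, SrcPort, DstPort):
+ HTTPUser = None
+ HTTPass = None
+ for user in http_userfields:
+ user = re.findall('(%s=[^&]+)' % user, decoded['data'], re.IGNORECASE)
+ if user:
+ HTTPUser = user
+
+ for password in http_passfields:
+ passw = re.findall('(%s=[^&]+)' % password, decoded['data'], re.IGNORECASE)
+ if passw:
+ HTTPass = passw
+
  SMTPAuth = re.search('AUTH LOGIN|AUTH PLAIN', decoded['data'])
  Basic64 = re.findall('(?<=Authorization: Basic )[^\n]*', decoded['data'])
  FTPUser = re.findall('(?<=USER )[^\r]*', decoded['data'])
@@ -386,6 +395,28 @@
  l.warning(Message)
  print HeadMessage+'\n'+Message
  except NameError:
+ pass
+
+ if DstPort == 80:
+ if (HTTPUser and HTTPass):
+ try:
+ host = re.findall("(Host: [^\n]+)", decoded['data'])
+ get_path = re.findall("(GET [^\n]+)", decoded['data'])
+ post_path = re.findall("(POST [^\n]+)", decoded['data'])
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ Message = 'Found possible HTTP authentication %s:%s\n' % (HTTPUser[0], HTTPass[0])
+ if host:
+ Message += '%s\n' % host[0].strip('\r')
+ if get_path:
+ Message += 'Full path: %s\n' % get_path[0].strip('\r')
+ if post_path:
+ Message += 'Full path: %s\n' % post_path[0].strip('\r')
+ if PrintPacket(Filename,Message):
+ l.warning(HeadMessage)
+ l.warning(Message)
+ print HeadMessage+'\n'+Message
+ #print filter(lambda x: x in string.printable, decoded['data'])
+ except:
  pass
 
  if DstPort == 25 and SMTPAuth or DstPort == 587 and SMTPAuth: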
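Review bot: The new `http_passfields` list (third hunk) is missing a comma after the trailing `'login_password'` on its second line, so Python silently concatenates it with the next literal into `'login_passwordpasswort'` — `passwort` is never matched on its own, and `login_password` is already listed earlier on that same line; end the line with `'upassword',` and drop the duplicate. The field patterns built in `ParseDataRegex` (fourth hunk) are also unanchored, `'(%s=[^&]+)' % user`, so short keys such as `id` or `user` match inside `sessionid=`, `remember_user=` or a `Cookie:` header, and since the loop keeps overwriting `HTTPUser`/`HTTPass` without a `break`, the last list entry that happens to match wins over an earlier, more specific one like `username=`. Anchoring the pattern with `(?:^|[?&])` and `re.escape(user)`, and breaking on the first hit, would remove most of those false positives and the misleading `id=...` output they produce. The `DstPort == 80` block in the last hunk ends in a bare `except: pass`, which will hide any future regression in this parsing (including a wrong `HTTPUser[0]`); catching `IndexError` explicitly, or at least logging under `Verbose`, is preferable. `ParseDataRegex` starts in the fourth hunk and continues past the end of the last one.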
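--- a/Readme.md
+++ b/Readme.md
@@ -7,7 +7,7 @@
  - IMAP
  - SNMP community string
  - FTP
- - HTTP Basic
+ - HTTP
  - NTLMv1/v2 (DCE-RPC,SMBv1/2,LDAP, MSSQL, HTTP, etc)
  - Kerberos (AS-REQ Pre-Auth etype 23) hashes.
  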