skipped 39 lines 40 40 from threading import Thread 41 41 42 42 def ShowWelcome(): 43 - Message = 'Pcredz 2.0.0 \nAuthor: Laurent Gaffie\nPlease send bugs/comments/pcaps to: [email protected] \nThis script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,\nFTP, HTTP Basic and credit card data from a given pcap file or from a live interface.\n' 43 + Message = 'Pcredz 2.0.1 \nAuthor: Laurent Gaffie\nPlease send bugs/comments/pcaps to: [email protected] \nThis script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,\nFTP, HTTP Basic and credit card data from a given pcap file or from a live interface.\n' 44 44 print(Message) 45 45 46 46 parser = argparse.ArgumentParser(description='Pcredz 1.0.0\nAuthor: Laurent Gaffie') skipped 35 lines 82 82 l= logging.getLogger('Credential-Session') 83 83 l.addHandler(logging.FileHandler(Filename,'a')) 84 84 85 + # Function used to write captured hashs to a file. 86 + def WriteData(outfile, data, user): 87 + if type(user) is str: 88 + user = user.encode('latin-1') 89 + if not os.path.isfile(outfile): 90 + with open(outfile,"w") as outf: 91 + outf.write(data + '\n') 92 + return 93 + with open(outfile,"r") as filestr: 94 + if re.search(codecs.encode(user,'hex'), codecs.encode(filestr.read().encode('latin-1'),'hex')): 95 + return False 96 + elif re.search(re.escape(b'$'), user): 97 + return False 98 + with open(outfile,"a") as outf2: 99 + outf2.write(data + '\n') 100 + 85 101 if activate_cc: 86 102 print("CC number scanning activated\n") 87 103 else: skipped 70 lines 158 174 return pc 159 175 160 176 x = re.sub('[^A-P]', '', data.upper()) 177 + WriteData("logs/CTX1-Plaintext.txt", Message, Message) 161 178 return str(decrypt(x)) 162 179 163 180 def ParseNTLMHash(data,Challenge): skipped 15 lines 179 196 UserOffset = struct.unpack('<H',data[40:42])[0] 180 197 User = SSPIStart[UserOffset:UserOffset+UserLen].strip(b"\x00") 181 198 writehash = '%s::%s:%s:%s:%s' % (User.decode('latin-1'),Domain.decode('latin-1'), LMHash.decode('latin-1'), NtHash.decode('latin-1'), Challenge.decode('latin-1')) 199 + WriteData("logs/NTLMv1.txt", writehash, User) 182 200 return "NTLMv1 complete hash is: %s\n"%(writehash), User.decode('latin-1')+"::"+Domain.decode('latin-1') 183 201 184 202 if NthashLen > 60: skipped 5 lines 190 208 UserOffset = struct.unpack('<H',data[40:42])[0] 191 209 User = SSPIStart[UserOffset:UserOffset+UserLen].strip(b"\x00") 192 210 writehash = '%s::%s:%s:%s:%s' % (User.decode('latin-1'),Domain.decode('latin-1'), Challenge.decode('latin-1'), NtHash[:32].decode('latin-1'), NtHash[32:].decode('latin-1')) 211 + WriteData("logs/NTLMv2.txt", writehash, User) 193 212 return "NTLMv2 complete hash is: %s\n"%(writehash),User.decode('latin-1')+"::"+Domain.decode('latin-1') 194 213 else: 195 214 return False skipped 13 lines 209 228 DomainLen = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0] 210 229 Domain = Data[154+NameLen+4:154+NameLen+4+DomainLen] 211 230 BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1')) 231 + WriteData("logs/MSKerb.txt", BuildHash, Name) 212 232 return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$" 213 233 if Data[44:48] == b"\xa2\x36\x04\x34" or Data[44:48] == b"\xa2\x35\x04\x33": 214 234 HashLen = struct.unpack('<b',Data[47:48])[0] skipped 4 lines 219 239 DomainLen = struct.unpack('<b',Data[HashLen+97+NameLen+3:HashLen+97+NameLen+4])[0] 220 240 Domain = Data[HashLen+97+NameLen+4:HashLen+97+NameLen+4+DomainLen] 221 241 BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1')) 242 + WriteData("logs/MSKerb.txt", BuildHash, Name) 222 243 return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$" 223 244 224 245 else: skipped 4 lines 229 250 DomainLen = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0] 230 251 Domain = Data[149+NameLen+4:149+NameLen+4+DomainLen] 231 252 BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1')) 253 + WriteData("logs/MSKerb.txt", BuildHash, Name) 232 254 return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$" 233 255 else: 234 256 return False skipped 12 lines 247 269 DomainLen = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0] 248 270 Domain = Data[145+NameLen+4:145+NameLen+4+DomainLen] 249 271 BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1')) 272 + WriteData("logs/MSKerb.txt", BuildHash, Name) 250 273 return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$" 251 274 if HashLen == 53: 252 275 Hash = Data[44:95] skipped 3 lines 256 279 DomainLen = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0] 257 280 Domain = Data[144+NameLen+4:144+NameLen+4+DomainLen] 258 281 BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1')) 282 + WriteData("logs/MSKerb.txt", BuildHash, Name) 259 283 return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$" 260 284 261 285 else: skipped 5 lines 267 291 DomainLen = struct.unpack('<b',Data[HashLen+98+NameLen+3:HashLen+98+NameLen+4])[0] 268 292 Domain = Data[HashLen+98+NameLen+4:HashLen+98+NameLen+4+DomainLen] 269 293 BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1')) 294 + WriteData("logs/MSKerb.txt", BuildHash, Name) 270 295 return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$" 271 296 272 297 else: skipped 4 lines 277 302 SNMPVersion = data[4:5] 278 303 if SNMPVersion == b"\x00": 279 304 StrLen = struct.unpack('<b',data[6:7])[0] 305 + WriteData("logs/SNMPv1.txt", data[7:7+StrLen].decode('latin-1'), data[7:7+StrLen].decode('latin-1')) 280 306 return 'Found SNMPv1 Community string: %s\n'%(data[7:7+StrLen].decode('latin-1')) 281 307 if data[3:5] == b"\x01\x01": 282 308 StrLen = struct.unpack('<b',data[6:7])[0] 309 + WriteData("logs/SNMPv2.txt", data[7:7+StrLen].decode('latin-1'), data[7:7+StrLen].decode('latin-1')) 283 310 return 'Found SNMPv2 Community string: %s\n'%(data[7:7+StrLen].decode('latin-1')) 284 311 285 312 skipped 5 lines 291 318 Basestr = b64decode(basic) 292 319 if len(Basestr)>1: 293 320 if Basestr.decode('ascii'): 321 + WriteData("logs/SMTP-Plaintext.txt", Basestr.decode('latin-1'), Basestr.decode('latin-1')) 294 322 return 'SMTP decoded Base64 string: %s\n'%(Basestr.decode('latin-1')) 295 323 except: 296 324 pass skipped 14 lines 311 339 UsernameLen = PwdOffset-UsernameOffset 312 340 PwdStr = ParseSqlClearTxtPwd(data[8+PwdOffset:8+PwdOffset+PwdLen]) 313 341 UserName = data[8+UsernameOffset:8+UsernameOffset+UsernameLen].decode('utf-16le') 342 + WriteData("logs/MSSQL-Plaintext.txt", "MSSQL Username: %s Password: %s"%(UserName, PwdStr), UserName) 314 343 return "MSSQL Username: %s Password: %s"%(UserName, PwdStr) 315 344 316 345 def Decode_Ip_Packet(s): skipped 78 lines 395 424 HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 396 425 try: 397 426 Message = 'Found HTTP Basic authentication: %s\n'%(b64decode(basic).decode('latin-1')) 427 + WriteData("logs/HTTP-Basic.txt", Message, Message) 398 428 if PrintPacket(Filename,Message): 399 429 l.warning(HeadMessage) 400 430 l.warning(Message) skipped 41 lines 442 472 if IMAPAuth: 443 473 HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 444 474 Message = 'Found IMAP login: "%s"\n'%(''.join(IMAPAuth[0].decode('latin-1'))) 475 + WriteData("logs/IMAP-Plaintext.txt", Message, Message) 445 476 if PrintPacket(Filename,Message): 446 477 l.warning(HeadMessage) 447 478 l.warning(Message) skipped 8 lines 456 487 POPUser 457 488 HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 458 489 Message = 'Found POP credentials %s:%s\n'%(POPUser.decode('latin-1'), b''.join(FTPPass).decode('latin-1')) 490 + WriteData("logs/POP-Plaintext.txt", Message, Message) 459 491 del POPUser 460 492 if PrintPacket(Filename,Message): 461 493 l.warning(HeadMessage) skipped 10 lines 472 504 post_path = re.findall(b"(POST [^\n]+)", decoded['data']) 473 505 HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 474 506 Message = 'Found possible HTTP authentication %s:%s\n' % (HTTPUser[0].decode('latin-1'), HTTPass[0].decode('latin-1')) 507 + WriteData("logs/HTTP-Login-Forms.txt", Message, Message) 508 + 475 509 if host: 476 510 Message += '%s\n' % host[0].decode('latin-1').strip('\r') 477 511 if get_path: skipped 34 lines 512 546 HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 513 547 Message = 'FTP User: %s\n'%(UserID.decode('latin-1')) 514 548 Message+= 'FTP Pass: %s\n'%(b''.join(FTPPass).decode('latin-1')) 549 + WriteData("logs/FTP-Plaintext.txt", Message, Message) 515 550 del UserID 516 551 if PrintPacket(Filename,Message): 517 552 l.warning(HeadMessage) skipped 34 lines 552 587 try: 553 588 NTLMPacket = b''.join(NTLMSSP3) 554 589 if Is_Anonymous(NTLMPacket): 555 - 556 590 HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 557 591 Message = ParseNTLMHash(NTLMPacket,Chall) 558 592 del Chall skipped 5 lines 564 598 pass 565 599 566 600 if HTTPNTLM2: 601 + print("yep") 567 602 try: 568 603 Packet = b64decode(b''.join(HTTPNTLM2)) 569 604 global HTTPChall 570 605 if re.findall(b'NTLMSSP\x00\x02\x00\x00\x00.*[^EOF]*', Packet,re.DOTALL): 571 606 HTTPChall = codecs.encode(Packet[24:32],'hex') 572 607 except: 608 + raise 573 609 pass 574 610 575 611 if HTTPNTLM3: skipped 14 lines 590 626 l.warning(Message[0]) 591 627 print(HeadMessage+'\n'+Message[0]) 592 628 except: 629 + raise 593 630 pass 594 631 595 632 if CC: skipped 52 lines 648 685 def decode_file(fname,res): 649 686 if interface != None: 650 687 try: 651 - from pylibpcap.pcap import sniff 688 + from pylibpcap.pcap import Sniff 652 689 Message = "Pcredz live capture started, using:%s\nStarting timestamp (%s) corresponds to %s"%(interface, time.time(), time.strftime('%x %X')) 653 690 print(Message) 654 691 l.warning(Message) 655 - p = sniff (interface, filters = " " , count=-1, promisc=1) 656 - while p: 657 - thread = Thread(target = loop_packets, args = (p, Print_Packet_Tcpdump)) 658 - thread.daemon=True 659 - thread.start() 660 - try: 661 - while thread.is_alive(): 662 - thread.join(timeout=1) 663 - except: 664 - raise 692 + p = Sniff (interface, count=-1, promisc=1) 693 + for plen, t, buf in p.capture(): 694 + Print_Packet_Tcpdump(plen, t, buf) 695 + 665 696 except (KeyboardInterrupt, SystemExit): 666 697 print("\n\nCRTL-C hit..Cleaning up...") 667 698 threading.Event().set() skipped 88 lines