crash.software
Projects
Pull Requests
Issues
Builds
PCredz
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY PCredz Commits 657bfd2a
🤬

  • Added hashdumping in the logs folder + minor bug.

  • Loading...
  • lgandx committed 3 years ago
    657bfd2a
    1 parent b27f7746
  • ■ ■ ■ ■ ■
    Pcredz
    skipped 39 lines
    40 40  from threading import Thread
    41 41   
    42 42  def ShowWelcome():
    43  - Message = 'Pcredz 2.0.0\nAuthor: Laurent Gaffie\nPlease send bugs/comments/pcaps to: [email protected]\nThis script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,\nFTP, HTTP Basic and credit card data from a given pcap file or from a live interface.\n'
     43 + Message = 'Pcredz 2.0.1\nAuthor: Laurent Gaffie\nPlease send bugs/comments/pcaps to: [email protected]\nThis script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,\nFTP, HTTP Basic and credit card data from a given pcap file or from a live interface.\n'
    44 44   print(Message)
    45 45   
    46 46  parser = argparse.ArgumentParser(description='Pcredz 1.0.0\nAuthor: Laurent Gaffie')
    skipped 35 lines
    82 82  l= logging.getLogger('Credential-Session')
    83 83  l.addHandler(logging.FileHandler(Filename,'a'))
    84 84   
     85 +# Function used to write captured hashs to a file.
     86 +def WriteData(outfile, data, user):
     87 + if type(user) is str:
     88 + user = user.encode('latin-1')
     89 + if not os.path.isfile(outfile):
     90 + with open(outfile,"w") as outf:
     91 + outf.write(data + '\n')
     92 + return
     93 + with open(outfile,"r") as filestr:
     94 + if re.search(codecs.encode(user,'hex'), codecs.encode(filestr.read().encode('latin-1'),'hex')):
     95 + return False
     96 + elif re.search(re.escape(b'$'), user):
     97 + return False
     98 + with open(outfile,"a") as outf2:
     99 + outf2.write(data + '\n')
     100 + 
    85 101  if activate_cc:
    86 102   print("CC number scanning activated\n")
    87 103  else:
    skipped 70 lines
    158 174   return pc
    159 175   
    160 176   x = re.sub('[^A-P]', '', data.upper())
     177 + WriteData("logs/CTX1-Plaintext.txt", Message, Message)
    161 178   return str(decrypt(x))
    162 179   
    163 180  def ParseNTLMHash(data,Challenge):
    skipped 15 lines
    179 196   UserOffset = struct.unpack('<H',data[40:42])[0]
    180 197   User = SSPIStart[UserOffset:UserOffset+UserLen].strip(b"\x00")
    181 198   writehash = '%s::%s:%s:%s:%s' % (User.decode('latin-1'),Domain.decode('latin-1'), LMHash.decode('latin-1'), NtHash.decode('latin-1'), Challenge.decode('latin-1'))
     199 + WriteData("logs/NTLMv1.txt", writehash, User)
    182 200   return "NTLMv1 complete hash is: %s\n"%(writehash), User.decode('latin-1')+"::"+Domain.decode('latin-1')
    183 201   
    184 202   if NthashLen > 60:
    skipped 5 lines
    190 208   UserOffset = struct.unpack('<H',data[40:42])[0]
    191 209   User = SSPIStart[UserOffset:UserOffset+UserLen].strip(b"\x00")
    192 210   writehash = '%s::%s:%s:%s:%s' % (User.decode('latin-1'),Domain.decode('latin-1'), Challenge.decode('latin-1'), NtHash[:32].decode('latin-1'), NtHash[32:].decode('latin-1'))
     211 + WriteData("logs/NTLMv2.txt", writehash, User)
    193 212   return "NTLMv2 complete hash is: %s\n"%(writehash),User.decode('latin-1')+"::"+Domain.decode('latin-1')
    194 213   else:
    195 214   return False
    skipped 13 lines
    209 228   DomainLen = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0]
    210 229   Domain = Data[154+NameLen+4:154+NameLen+4+DomainLen]
    211 230   BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1'))
     231 + WriteData("logs/MSKerb.txt", BuildHash, Name)
    212 232   return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$"
    213 233   if Data[44:48] == b"\xa2\x36\x04\x34" or Data[44:48] == b"\xa2\x35\x04\x33":
    214 234   HashLen = struct.unpack('<b',Data[47:48])[0]
    skipped 4 lines
    219 239   DomainLen = struct.unpack('<b',Data[HashLen+97+NameLen+3:HashLen+97+NameLen+4])[0]
    220 240   Domain = Data[HashLen+97+NameLen+4:HashLen+97+NameLen+4+DomainLen]
    221 241   BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1'))
     242 + WriteData("logs/MSKerb.txt", BuildHash, Name)
    222 243   return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$"
    223 244   
    224 245   else:
    skipped 4 lines
    229 250   DomainLen = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
    230 251   Domain = Data[149+NameLen+4:149+NameLen+4+DomainLen]
    231 252   BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1'))
     253 + WriteData("logs/MSKerb.txt", BuildHash, Name)
    232 254   return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$"
    233 255   else:
    234 256   return False
    skipped 12 lines
    247 269   DomainLen = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0]
    248 270   Domain = Data[145+NameLen+4:145+NameLen+4+DomainLen]
    249 271   BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1'))
     272 + WriteData("logs/MSKerb.txt", BuildHash, Name)
    250 273   return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$"
    251 274   if HashLen == 53:
    252 275   Hash = Data[44:95]
    skipped 3 lines
    256 279   DomainLen = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0]
    257 280   Domain = Data[144+NameLen+4:144+NameLen+4+DomainLen]
    258 281   BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1'))
     282 + WriteData("logs/MSKerb.txt", BuildHash, Name)
    259 283   return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$"
    260 284   
    261 285   else:
    skipped 5 lines
    267 291   DomainLen = struct.unpack('<b',Data[HashLen+98+NameLen+3:HashLen+98+NameLen+4])[0]
    268 292   Domain = Data[HashLen+98+NameLen+4:HashLen+98+NameLen+4+DomainLen]
    269 293   BuildHash = '$krb5pa$23$%s%s%s%s%s' % (Name.decode('latin-1'), "$", Domain.decode('latin-1'), "$dummy$", codecs.encode(SwitchHash,'hex').decode('latin-1'))
     294 + WriteData("logs/MSKerb.txt", BuildHash, Name)
    270 295   return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name.decode('latin-1')+"$"+Domain.decode('latin-1')+"$dummy$"
    271 296   
    272 297   else:
    skipped 4 lines
    277 302   SNMPVersion = data[4:5]
    278 303   if SNMPVersion == b"\x00":
    279 304   StrLen = struct.unpack('<b',data[6:7])[0]
     305 + WriteData("logs/SNMPv1.txt", data[7:7+StrLen].decode('latin-1'), data[7:7+StrLen].decode('latin-1'))
    280 306   return 'Found SNMPv1 Community string: %s\n'%(data[7:7+StrLen].decode('latin-1'))
    281 307   if data[3:5] == b"\x01\x01":
    282 308   StrLen = struct.unpack('<b',data[6:7])[0]
     309 + WriteData("logs/SNMPv2.txt", data[7:7+StrLen].decode('latin-1'), data[7:7+StrLen].decode('latin-1'))
    283 310   return 'Found SNMPv2 Community string: %s\n'%(data[7:7+StrLen].decode('latin-1'))
    284 311   
    285 312   
    skipped 5 lines
    291 318   Basestr = b64decode(basic)
    292 319   if len(Basestr)>1:
    293 320   if Basestr.decode('ascii'):
     321 + WriteData("logs/SMTP-Plaintext.txt", Basestr.decode('latin-1'), Basestr.decode('latin-1'))
    294 322   return 'SMTP decoded Base64 string: %s\n'%(Basestr.decode('latin-1'))
    295 323   except:
    296 324   pass
    skipped 14 lines
    311 339   UsernameLen = PwdOffset-UsernameOffset
    312 340   PwdStr = ParseSqlClearTxtPwd(data[8+PwdOffset:8+PwdOffset+PwdLen])
    313 341   UserName = data[8+UsernameOffset:8+UsernameOffset+UsernameLen].decode('utf-16le')
     342 + WriteData("logs/MSSQL-Plaintext.txt", "MSSQL Username: %s Password: %s"%(UserName, PwdStr), UserName)
    314 343   return "MSSQL Username: %s Password: %s"%(UserName, PwdStr)
    315 344   
    316 345  def Decode_Ip_Packet(s):
    skipped 78 lines
    395 424   HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
    396 425   try:
    397 426   Message = 'Found HTTP Basic authentication: %s\n'%(b64decode(basic).decode('latin-1'))
     427 + WriteData("logs/HTTP-Basic.txt", Message, Message)
    398 428   if PrintPacket(Filename,Message):
    399 429   l.warning(HeadMessage)
    400 430   l.warning(Message)
    skipped 41 lines
    442 472   if IMAPAuth:
    443 473   HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
    444 474   Message = 'Found IMAP login: "%s"\n'%(''.join(IMAPAuth[0].decode('latin-1')))
     475 + WriteData("logs/IMAP-Plaintext.txt", Message, Message)
    445 476   if PrintPacket(Filename,Message):
    446 477   l.warning(HeadMessage)
    447 478   l.warning(Message)
    skipped 8 lines
    456 487   POPUser
    457 488   HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
    458 489   Message = 'Found POP credentials %s:%s\n'%(POPUser.decode('latin-1'), b''.join(FTPPass).decode('latin-1'))
     490 + WriteData("logs/POP-Plaintext.txt", Message, Message)
    459 491   del POPUser
    460 492   if PrintPacket(Filename,Message):
    461 493   l.warning(HeadMessage)
    skipped 10 lines
    472 504   post_path = re.findall(b"(POST [^\n]+)", decoded['data'])
    473 505   HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
    474 506   Message = 'Found possible HTTP authentication %s:%s\n' % (HTTPUser[0].decode('latin-1'), HTTPass[0].decode('latin-1'))
     507 + WriteData("logs/HTTP-Login-Forms.txt", Message, Message)
     508 + 
    475 509   if host:
    476 510   Message += '%s\n' % host[0].decode('latin-1').strip('\r')
    477 511   if get_path:
    skipped 34 lines
    512 546   HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
    513 547   Message = 'FTP User: %s\n'%(UserID.decode('latin-1'))
    514 548   Message+= 'FTP Pass: %s\n'%(b''.join(FTPPass).decode('latin-1'))
     549 + WriteData("logs/FTP-Plaintext.txt", Message, Message)
    515 550   del UserID
    516 551   if PrintPacket(Filename,Message):
    517 552   l.warning(HeadMessage)
    skipped 34 lines
    552 587   try:
    553 588   NTLMPacket = b''.join(NTLMSSP3)
    554 589   if Is_Anonymous(NTLMPacket):
    555  -
    556 590   HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
    557 591   Message = ParseNTLMHash(NTLMPacket,Chall)
    558 592   del Chall
    skipped 5 lines
    564 598   pass
    565 599   
    566 600   if HTTPNTLM2:
     601 + print("yep")
    567 602   try:
    568 603   Packet = b64decode(b''.join(HTTPNTLM2))
    569 604   global HTTPChall
    570 605   if re.findall(b'NTLMSSP\x00\x02\x00\x00\x00.*[^EOF]*', Packet,re.DOTALL):
    571 606   HTTPChall = codecs.encode(Packet[24:32],'hex')
    572 607   except:
     608 + raise
    573 609   pass
    574 610   
    575 611   if HTTPNTLM3:
    skipped 14 lines
    590 626   l.warning(Message[0])
    591 627   print(HeadMessage+'\n'+Message[0])
    592 628   except:
     629 + raise
    593 630   pass
    594 631   
    595 632   if CC:
    skipped 52 lines
    648 685  def decode_file(fname,res):
    649 686   if interface != None:
    650 687   try:
    651  - from pylibpcap.pcap import sniff
     688 + from pylibpcap.pcap import Sniff
    652 689   Message = "Pcredz live capture started, using:%s\nStarting timestamp (%s) corresponds to %s"%(interface, time.time(), time.strftime('%x %X'))
    653 690   print(Message)
    654 691   l.warning(Message)
    655  - p = sniff(interface, filters="", count=-1, promisc=1)
    656  - while p:
    657  - thread = Thread(target = loop_packets, args = (p, Print_Packet_Tcpdump))
    658  - thread.daemon=True
    659  - thread.start()
    660  - try:
    661  - while thread.is_alive():
    662  - thread.join(timeout=1)
    663  - except:
    664  - raise
     692 + p = Sniff(interface, count=-1, promisc=1)
     693 + for plen, t, buf in p.capture():
     694 + Print_Packet_Tcpdump(plen, t, buf)
     695 + 
    665 696   except (KeyboardInterrupt, SystemExit):
    666 697   print("\n\nCRTL-C hit..Cleaning up...")
    667 698   threading.Event().set()
    skipped 88 lines
  • ■ ■ ■ ■ ■ ■
    Readme.md
    skipped 10 lines
    11 11   - IMAP
    12 12   - SNMP community string
    13 13   - FTP
    14  - - HTTP
     14 + - HTTP (NTLM/Basic/HTTP Forms)
    15 15   - NTLMv1/v2 (DCE-RPC,SMBv1/2,LDAP, MSSQL, HTTP, etc)
    16 16   - Kerberos (AS-REQ Pre-Auth etype 23) hashes.
    17 17   
    18 18  - All hashes are displayed in a hashcat format (use -m 7500 for kerberos, -m 5500 for NTLMv1, -m 5600 for NTLMv2).
    19  -- Log all credentials to a file (CredentialDump-Session.log).
     19 +- Log all credentials and information to a file (CredentialDump-Session.log).
     20 +- Log credentials in the logs/ folder. MSKerb.txt, NTLMv1.txt and NTLMv2.txt can be directly fed to hashcat.
    20 21   
    21 22  ## Install
    22 23   
    skipped 9 lines
    32 33  
    33 34   ```
    34 35   # extract credentials from a pcap file
    35  -./Pcredz -f file-to-parse.pcap
     36 +python3 ./Pcredz -f file-to-parse.pcap
    36 37   
    37 38  # extract credentials from all pcap files in a folder
    38  -./Pcredz -d /tmp/pcap-directory-to-parse/
     39 +python3 ./Pcredz -d /tmp/pcap-directory-to-parse/
    39 40   
    40  -# extract credentials from a live packet capture on a network interface
    41  -./Pcredz -i eth0 -v
     41 +# extract credentials from a live packet capture on a network interface (need root privileges)
     42 +python3 ./Pcredz -i eth0 -v
    42 43  ```
    43 44   
    44 45  ### Options
    skipped 10 lines
Please wait...
Page is in error, reload to recover