Overview

PCredz

This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.

Features

  • Extract from a pcap file or from a live interface (IPv4 and IPv6):

    • Credit card numbers
    • POP
    • SMTP
    • IMAP
    • SNMP community string
    • FTP
    • HTTP (NTLM/Basic/HTTP Forms)
    • NTLMv1/v2 (DCE-RPC, SMBv1/2, LDAP, MSSQL, HTTP, etc)
    • Kerberos (AS-REQ Pre-Auth etype 23) hashes.
  • All hashes are displayed in a hashcat format (use -m 7500 for kerberos, -m 5500 for NTLMv1, -m 5600 for NTLMv2).

  • Log all credentials and information to a file (CredentialDump-Session.log).

  • Log credentials in the logs/ folder. MSKerb.txt, NTLMv1.txt and NTLMv2.txt can be directly fed to hashcat.

Install

Linux

On a Debian-based OS, in bash:

apt install python3-pip && pip3 install Cython && pip3 install python-libpcap

Usage

# extract credentials from a pcap file
python3 ./Pcredz -f file-to-parse.pcap

# extract credentials from all pcap files in a folder
python3 ./Pcredz -d /tmp/pcap-directory-to-parse/

# extract credentials from a live packet capture on a network interface (need root privileges)
python3 ./Pcredz -i eth0 -v

Options

  -h, --help          show this help message and exit
  -f capture.pcap     Pcap file to parse
  -d /home/pnt/pcap/  Pcap directory to parse recursively
  -i eth0             interface for live capture
  -v                  More verbose.
Comments
  • pcredz tries to write log file in /usr/sbin

    pcredz is writing a log file in /usr/sbin. It should log it somewhere else, like /var/log, use syslog, or logging to a file should be an option, since it seems to write the same data to stdout and to the log file.

    bduncan@ltw3701:~$ pcredz -i eth0
    Pcredz 0.9
    Author: Laurent Gaffie
    Please send bugs/comments/pcaps to: [email protected]
    This script will extract NTLM (http,ldap,smb,sql,etc), Kerberos, FTP, HTTP Basic and credit card data from a given pcap file or from a live interface.

    Traceback (most recent call last):
      File "/usr/sbin/pcredz", line 81, in <module>
        l.addHandler(logging.FileHandler(Filename,'a'))
      File "/usr/lib/python2.7/logging/__init__.py", line 911, in __init__
        StreamHandler.__init__(self, self._open())
      File "/usr/lib/python2.7/logging/__init__.py", line 936, in _open
        stream = open(self.baseFilename, self.mode)
    IOError: [Errno 13] Permission denied: '/usr/sbin/CredentialDump-Session.log'
    :( 1 bduncan@ltw3701:~$

    Thanks, Bruce

    opened by bduncan 5
  • python-libpcap deprecated

    On the latest Kali build, apt is reporting that python-libpcap does not exist. Also attempts to install it from the sourceforge link provided by the error message when trying to run PCredz fails. Is there an alternative or can PCredz be updated to use another pcap parsing library?

    opened by tickTackHack 4
  • Enhancement: Read from sys.stdin

    Proposed Enhancement

    It would be great if the program could read from sys.stdin. That way it would be possible to pipe tcpdump streams directly into the program.

    Example

    This way you could do for example:

    $ tcpdump '<capture filter>' -U -w - | Pcredz | grep -i found > found_creds.log

    or even:

    $ ssh root@remote-server "(tcpdump '<capture filter>' -U -w -)" | Pcredz | grep -i found > found_creds.log

    Benefits

    It would be possible to process a huge amount of traffic without requiring to store large amounts of pcap data.

    opened by windgmbh 3
  • AttributeError: 'module' object has no attribute 'pcapObject'

    Hi there, I have recently been seeing an issue I am having trouble resolving when running PCredz:

    Traceback (most recent call last):
      File "./Pcredz", line 757, in <module>
        Run()
      File "./Pcredz", line 750, in Run
        decode_file(fname,'')
      File "./Pcredz", line 651, in decode_file
        p = pcap.pcapObject()
    AttributeError: 'module' object has no attribute 'pcapObject'

    I have pylibpcap installed and have removed libpcap, as I understand they don't play well together?

    Requirement already satisfied: pylibpcap in /usr/local/lib/python2.7/dist-packages (0.6.4)

    Any assistance is appreciated whilst I figure this one out

    opened by KeepItMeke 3
  • issue in live capture!

    Hello, the system I am using is Kali Linux 2.0 amd64:

    root@kali:~/PCredz# apt-get remove python-pypcap && apt-get install python-libpcap
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Package 'python-pypcap' is not installed, so not removed
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    python-libpcap is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

    When I run it:

    root@kali:~/PCredz# ./Pcredz -i wlan0
    Pcredz 1.0.0
    Author: Laurent Gaffie
    Please send bugs/comments/pcaps to: [email protected]
    This script will extract NTLM (http,ldap,smb,sql,etc), Kerberos, FTP, HTTP Basic and credit card data from a given pcap file or from a live interface.

    CC number scanning activated

    Traceback (most recent call last):
      File "./Pcredz", line 681, in <module>
        Run()
      File "./Pcredz", line 676, in Run
        decode_file(fname,'')
      File "./Pcredz", line 584, in decode_file
        p = pcap.pcapObject()
    AttributeError: 'module' object has no attribute 'pcapObject'!!!

    Thanks

    opened by Indeserpen 3
  • python dependencies not met but are. Maybe i am tired but what?

    └─$ sudo python3 ./Pcredz -i eth0 -v
    libpcap not installed. try : apt install python3-pip && pip3 install Cython && pip3 install python-libpcap

    └─$ sudo apt install python3-pip && pip3 install Cython && pip3 install python-libpcap
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    python3-pip is already the newest version (20.3.4-1).
    The following packages were automatically installed and are no longer required:
      libxml-dom-perl libxml-perl libxml-regexp-perl
    Use 'sudo apt autoremove' to remove them.
    0 upgraded, 0 newly installed, 0 to remove and 1478 not upgraded.
    Requirement already satisfied: Cython in /usr/lib/python3/dist-packages (0.29.21)
    Requirement already satisfied: python-libpcap in /home/pentester/.local/lib/python3.8/site-packages (0.4.0)
    Requirement already satisfied: Cython>=0.29.13 in /usr/lib/python3/dist-packages (from python-libpcap) (0.29.21)

    opened by TheBlindHacker 2
  • Lack of IPv6 support

    PCredz does not support IPv6 traffic, and will silently ignore any that's present on the interface or in any imported pcap files.

    On an IPv6-only or dual stack network, modern operating systems will use IPv6 in preference to any legacy protocols, so all legitimate traffic would be using this protocol.

    This occurs because the Print_Packet_* functions explicitly check for the legacy IPv4 ether type (0x0800) and ignore anything else:

    if data[12:14]== b'\x08\x00':

    This is then passed to the function Decode_Ip_Packet which extracts the src/destination address from the packet header. It then returns the packet payload (ie starting from TCP/UDP header).

    The attached patch also checks for the IPv6 ether type (0x86dd) and passes it to a separate function Decode_Ipv6_Packet that handles an IPv6 header. The higher level TCP/UDP payloads remain the same on IPv6 so execution continues after parsing the header and returning the correct start of the payload.

    So far this only works with a standard 40 byte IPv6 header, it does not properly check the next-header field so it would fail if there are optional extension headers present (rare).

    Instead of using a separate function for IPv6, it may be preferable to use a single function and then check the version field of the header and act accordingly.

    v6.txt

    opened by bert128 2
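The EtherType dispatch and IPv6 header handling discussed in the issue above, as an added example that is not PCredz code or the attached v6.txt patch: it selects the IPv4 or IPv6 decoder from bytes 12:14 of the frame and, for IPv6, walks the next-header chain so that extension headers (the case the patch leaves unhandled) are skipped before the TCP/UDP payload offset is returned. Function names and the sample frames are constructed here for illustration.

```python
import socket
import struct

ETH_IPV4 = b"\x08\x00"
ETH_IPV6 = b"\x86\xdd"
# IPv6 extension headers laid out as (next_header, hdr_ext_len, ...):
# hop-by-hop (0), routing (43), destination options (60), mobility (135).
IPV6_EXT_HEADERS = {0, 43, 60, 135}
IPV6_FRAGMENT = 44  # fixed 8-byte header, no length field


def decode_ip_packet(data):
    """Return (src, dst, l4_proto, payload_offset) for an Ethernet frame, or None."""
    ethertype = data[12:14]
    if ethertype == ETH_IPV4:
        return _decode_ipv4(data, 14)
    if ethertype == ETH_IPV6:
        return _decode_ipv6(data, 14)
    return None  # ARP, VLAN-tagged frames, etc. are not handled here


def _decode_ipv4(data, off):
    ihl = (data[off] & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(data) < off + ihl:
        return None
    proto = data[off + 9]
    src = socket.inet_ntop(socket.AF_INET, data[off + 12:off + 16])
    dst = socket.inet_ntop(socket.AF_INET, data[off + 16:off + 20])
    return src, dst, proto, off + ihl


def _decode_ipv6(data, off):
    if len(data) < off + 40 or data[off] >> 4 != 6:
        return None
    next_hdr = data[off + 6]
    src = socket.inet_ntop(socket.AF_INET6, data[off + 8:off + 24])
    dst = socket.inet_ntop(socket.AF_INET6, data[off + 24:off + 40])
    off += 40
    # Skip extension headers until a transport protocol (e.g. TCP=6, UDP=17) is reached.
    while next_hdr in IPV6_EXT_HEADERS or next_hdr == IPV6_FRAGMENT:
        if len(data) < off + 8:
            return None
        if next_hdr == IPV6_FRAGMENT:
            frag_off = struct.unpack("!H", data[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return None  # non-first fragment: no L4 header in this packet
            ext_len = 8
        else:
            ext_len = (data[off + 1] + 1) * 8  # hdr_ext_len counts 8-octet units after the first
        next_hdr = data[off]
        off += ext_len
    return src, dst, next_hdr, off


def _eth(ethertype, payload):
    return b"\x00" * 12 + ethertype + payload  # zeroed MAC addresses


# Constructed sample frames (not captured traffic).
IPV4_FRAME = _eth(ETH_IPV4, bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17]) + b"\x00\x00"
                  + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]) + b"UDP-PAYLOAD")
IPV6_SRC = b"\xfd\x00" + b"\x00" * 13 + b"\x01"
IPV6_DST = b"\xfd\x00" + b"\x00" * 13 + b"\x02"
HOPOPTS = bytes([6, 0]) + b"\x01\x04\x00\x00\x00\x00"  # next=TCP, 8 bytes total, PadN option
IPV6_FRAME = _eth(ETH_IPV6, b"\x60\x00\x00\x00" + struct.pack("!H", 8 + 11) + bytes([0, 64])
                  + IPV6_SRC + IPV6_DST + HOPOPTS + b"TCP-PAYLOAD")

if __name__ == "__main__":
    for frame in (IPV4_FRAME, IPV6_FRAME):
        print(decode_ip_packet(frame))
```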
  • Installing on Kali Linux 2020.2

    Hi. I was trying to install on Kali Linux 2020.2 and ran the install as suggested.

    sudo apt install python3-pip && pip3 install Cython && pip3 install python-libpcap

    However, I was getting the following error I included below.

    I was able to solve by installing libpcap-dev.

    sudo apt install libpcap-dev

    FYI in case others run into the issue.

    Building wheel for python-libpcap (setup.py) ... error
    ERROR: Command errored out with exit status 1:
    command: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-mg382xue/python-libpcap/setup.py'"'"'; __file__='"'"'/tmp/pip-install-mg382xue/python-libpcap/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-l7d1cm3m
    cwd: /tmp/pip-install-mg382xue/python-libpcap/
    Complete output (34 lines):
    running bdist_wheel
    running build
    running build_py
    creating build
    creating build/lib.linux-x86_64-3.8
    creating build/lib.linux-x86_64-3.8/pylibpcap
    copying pylibpcap/utils.py -> build/lib.linux-x86_64-3.8/pylibpcap
    copying pylibpcap/command.py -> build/lib.linux-x86_64-3.8/pylibpcap
    copying pylibpcap/pcap.py -> build/lib.linux-x86_64-3.8/pylibpcap
    copying pylibpcap/main.py -> build/lib.linux-x86_64-3.8/pylibpcap
    copying pylibpcap/open.py -> build/lib.linux-x86_64-3.8/pylibpcap
    copying pylibpcap/init.py -> build/lib.linux-x86_64-3.8/pylibpcap
    running egg_info
    writing python_libpcap.egg-info/PKG-INFO
    writing dependency_links to python_libpcap.egg-info/dependency_links.txt
    writing entry points to python_libpcap.egg-info/entry_points.txt
    writing requirements to python_libpcap.egg-info/requires.txt
    writing top-level names to python_libpcap.egg-info/top_level.txt
    reading manifest file 'python_libpcap.egg-info/SOURCES.txt'
    reading manifest template 'MANIFEST.in'
    warning: no files found matching '*.h' under directory 'src'
    warning: no previously-included files matching '*.pyc' found anywhere in distribution
    writing manifest file 'python_libpcap.egg-info/SOURCES.txt'
    copying pylibpcap/base.c -> build/lib.linux-x86_64-3.8/pylibpcap
    running build_ext
    building 'pylibpcap.base' extension
    creating build/temp.linux-x86_64-3.8
    creating build/temp.linux-x86_64-3.8/pylibpcap
    x86_64-linux-gnu-gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -g -fwrapv -O2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.8 -c pylibpcap/base.c -o build/temp.linux-x86_64-3.8/pylibpcap/base.o -lpcap
    pylibpcap/base.c:622:10: fatal error: pcap.h: No such file or directory
    622 | #include "pcap.h"
    | ^~~~~~~~
    compilation terminated.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 1


    ERROR: Failed building wheel for python-libpcap

    opened by 192346 2
  • rerunning the script

    I ran the script once and got a nice dump of output. I then ran it again to send the output to a file, but when I checked the file it only had the script headers in it, no data. I tried a few times and didn't get any output.

    I then noticed the session log file and found that it contained all my data, and after fiddling realised that you don't output anything that is already cached in the file. This causes a couple of problems:

    • There is no mention of this feature so I wasted some time trying to find my data again. It should be documented
    • If a cache of existing data is found, the script should mention this when it is ran, maybe something like: -- Existing X entries from cache not shown --
    • It would be good to specify where the output file is written to, I want the output in my client folder not in the script folder
    • A feature to dump the creds in the file would be good
    • A feature that says ignore the cache and dump everything would be good.

    Sorry to put these all in one ticket, I'll break them out into multiple if you want so that you can track or respond to each one separately.

    opened by digininja 2
  • Added more support to detect http auths

    Hi, This PR adds better detection for regular http auth attempts. I also changed the argument parser to argparse since the optparse library is deprecated.

    opened by byt3bl33d3r 2
  • Added dockerfile

    Added a dockerfile to the tool.

    • Useful for managing python dependencies and versioning
    • Also used to parse large pcaps on the host instead of exfiltrating off the host
    opened by theRealFr13nd 1
  • libpcap Not Installed

    I am trying to test #47 on a not Kali box, but I cannot get PCredz to even run due to it claiming libpcap is not installed. I attempted previous closed issue fixes, but couldn't get anything to work. I downloaded this Ubuntu image today and updated it.

    Let me know if you have any ideas or want me to retest.

    opened by Zamanry 7
  • Live Capture Host Exclusions

    On my penetration tests, I often run into issues where my own systems' authentication requests are collected. Whenever I perform AD password spraying and forget to disable PCredz, my PCredz logs are filled with the password spray attempts, and I have actually missed a real hash in the same logs until further checks revealed the true positive. It would be nice if we had a feature like Responder to exclude a list of IP addresses or FQDNs.

    opened by Zamanry 0
  • fixing a unicode decoding error I encountered.

    I was analyzing some traffic I captured and it kept crashing on one particular file.

    The python traceback showed me what was happening.

    I just wrapped the decode in a try block.

    The pcap in question did have mssql traffic.

    This lets me at least capture that something went wrong and shows the data in case I can tease something out of it visually.

    opened by ShyftXero 0