PCredz

Description

This tool extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc. credentials from a pcap file or from a live interface.

Platform: Linux
Author: Laurent Gaffie
License: GPLv3
URL: https://github.com/lgandx/PCredz

Usage

usage: Pcredz [-h] [-f FNAME | -d DIR_PATH | -i INTERFACE] [-c] [-t] [-v]
 
Pcredz 1.0.0 Author: Laurent Gaffie
 
optional arguments:
  -h, --help    show this help message and exit
  -f FNAME      Pcap file to parse
  -d DIR_PATH   Pcap directory to parse recursivly
  -i INTERFACE  interface for live capture
  -c            deactivate CC number scanning (Can gives false positives!)
  -t            Include a timestamp in all generated messages (useful for
                correlation)
  -v            More verbose.

Examples

sudo Pcredz -vf /tmp/winauth.pcap

This will attempt to extract creds or other interesting information from the provided pcap file. We can then use john or hashcat to crack the extracted NTLMv2 hash.

user@slingshot:~$ sudo Pcredz -vf /tmp/winauth.pcap
Starting PCredz...
Pcredz 2.0.2
Author: Laurent Gaffie
Please send bugs/comments/pcaps to: laurent.gaffie@gmail.com
This script will extract NTLM (HTTP,LDAP,SMB,MSSQL,RPC, etc), Kerberos,
FTP, HTTP Basic and credit card data from a given pcap file or from a live interface.
 
CC number scanning activated
 
Using TCPDump format
 
protocol: tcp 192.168.78.129:58134 > 192.168.78.128:445
NTLMv2 complete hash is: clark::WORKGROUP:44a05f29e1c2534d:B86D2E3E3D8678A2DEB1E3D02AB2F510:010100000000000013DCEC4AA939D80164541AA67023DFDC0000000002001A00530045004300350036003000530054005500440045004E00540001001A00530045004300350036003000530054005500440045004E00540004001A00530065006300350036003000530074007500640065006E00740003001A00530065006300350036003000530074007500640065006E0074000700080013DCEC4AA939D8010600040002000000080030003000000000000000000000000000000090A0E4593F39BEEA0158A182FBAAF7F73CB2CFB5FF586EF3994BC0061253F54A0A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00370038002E0031003200380000000000
 
 
/tmp/winauth.pcap parsed in: 0.0382 seconds (File size 0.00506 Mo).
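The NTLMv2 line in the run above uses the user::domain:challenge:NTProofStr:blob layout that john and hashcat expect. As an added example (not PCredz code), the Python below splits such a line and decodes the AV pairs inside the response blob (MS-NLMP), which record the target service name and the time of the authentication and so tell a responder which host a captured credential was used against; the sample line is the one from the output above, embedded inline.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: the NTLMv2 line from the example run above, split for width.
SAMPLE_LINE = (
    "clark::WORKGROUP:44a05f29e1c2534d:B86D2E3E3D8678A2DEB1E3D02AB2F510:"
    "010100000000000013DCEC4AA939D80164541AA67023DFDC00000000"
    "02001A00530045004300350036003000530054005500440045004E005400"
    "01001A00530045004300350036003000530054005500440045004E005400"
    "04001A00530065006300350036003000530074007500640065006E007400"
    "03001A00530065006300350036003000530074007500640065006E007400"
    "0700080013DCEC4AA939D8010600040002000000"
    "0800300030000000" "000000000000000000000000"
    "90A0E4593F39BEEA0158A182FBAAF7F73CB2CFB5FF586EF3994BC0061253F54A"
    "0A001000" "00000000000000000000000000000000"
    "0900260063006900660073002F003100390032002E003100360038002E00"
    "370038002E00310032003800" "00000000")
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}

def filetime_to_dt(ft):
    # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_ntlmv2_line(line):
    """Split 'user::domain:challenge:ntproofstr:blob' and decode the blob's AV pairs."""
    user, _, domain, challenge, ntproof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01" or len(challenge) != 16 or len(ntproof) != 32:
        raise ValueError("not an NTLMv2 response line")
    # blob: 8-byte header, FILETIME, 8-byte client challenge, 4 reserved, AV pairs
    ts, client_chal = struct.unpack_from("<Q8s", blob, 8)
    av, off = {}, 28
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:                        # MsvAvEOL terminates the list
            break
        val, off = blob[off:off + av_len], off + av_len
        name = AV_NAMES.get(av_id, "AvId%d" % av_id)
        if av_id in (1, 2, 3, 4, 5, 9):       # UTF-16LE names (target SPN in 9)
            av[name] = val.decode("utf-16-le")
        elif av_id == 7:
            av[name] = filetime_to_dt(struct.unpack("<Q", val)[0])
        else:                                 # Flags, SingleHost, ChannelBindings
            av[name] = val.hex()
    return {"user": user, "domain": domain, "server_challenge": challenge,
            "ntproofstr": ntproof, "client_challenge": client_chal.hex(),
            "timestamp": filetime_to_dt(ts), "av_pairs": av}
```

Run over the CredentialDump-Session.log lines, the decoded TargetName and Timestamp let you group captured authentications by target host and time without cracking anything.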

Additional Details

  • Stores output in /opt/pcredz/CredentialDump-Session.log
  • Also creates /opt/pcredz/logs directory with files named after the hash types found.

Blog Posts