Cred Network protocols

Theory

Plaintext protocols (like HTTP, FTP, SNMP, SMTP) are widely used within organizations. Being able to capture and parse that traffic could offer attackers valuable information like sensitive files, passwords or hashes. There are many ways an attacker can obtain a man-in-the-middle position, ARP poisoning being the most common and effective one.

Practice

Once network traffic is hijacked and goes through an attacker-controlled equipement, valuable information can searched through captured (with tcpdump, tshark or wireshark) or through live traffic.

PCredz (Python) is a good example and allows extraction of credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23, i.e. ASREQroast), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.

# extract credentials from a pcap file
Pcredz -f "file-to-parse.pcap"

# extract credentials from all pcap files in a folder
Pcredz -d "/path/to/pcaps/"

# extract credentials from a live packet capture on a network interface
Pcredz -i $INTERFACE -v

You can use tcpdump to capture raw packets and analyze them.

#Capture all traffic to a .pcap file:
tcpdump -i eth0 -w /tmp/capture.pcap

#Or target specific traffic types (e.g., SMB, LDAP, FTP):
tcpdump -i eth0 port 445 or port 389 or port 21 -w /tmp/capture.pcap

You can make it run for a while, then Ctrl+C to stop. The .pcap file can then be parsed offline using Pcredz or Wireshark.

Resources

GitHub - lgandx/PCredz: This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.GitHub

Last updated 7 months ago

hashtagTheory

hashtagPractice

hashtagResources

Theory

Practice

Resources