Methodology Checklist
- Capture with tcpdump: `sudo tcpdump -i [IFACE] -w capture.pcap`
- Filter for credentials: HTTP Basic auth, FTP, Telnet, SMTP AUTH
- Run PCredz on the capture: `./Pcredz -f capture.pcap`
- Analyse with Wireshark; filter: `http.authorization or ftp.request.command == "PASS"`
- MITM with Responder for LLMNR/NBT-NS hash capture
- ARP spoofing for targeted capture (only in authorised scope)
- Document all clear-text credentials found in traffic
Operational Context
Use when: Network-level access obtained or MITM position achieved. Capture and analyse traffic for plaintext credentials in HTTP, FTP, SMTP, LDAP.
Think Dumber First: run `tcpdump -i [IFACE] -w capture.pcap` immediately after getting a shell on a network-connected host, then analyse with Wireshark. Look for: HTTP POST with `password=`, FTP USER/PASS, SMTP AUTH, LDAP Simple Bind, Telnet.
Skip when: All traffic is encrypted (TLS everywhere). Pivot to Responder for NTLM hash capture instead.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `./Pcredz -f capture.pcap` | Auto-extract credentials from pcap file |
| `./Pcredz -i eth0 -v` | Live credential capture on interface |
| `strings capture.pcap \| grep -E "[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}"` | Hunt credit card number candidates in pcap (regex only; confirm hits with a Luhn check to drop false positives) |

| Filter | Finds |
|---|---|
| `ip.addr == [TARGET_IP]` | Traffic to/from specific host |
| `tcp.port == 80` | HTTP traffic |
| `http.request.method == "POST"` | Login form submissions |
| `http contains "password"` | Packets containing the string password (case-sensitive) |
| `ftp` | FTP session (USER/PASS in plaintext) |
| `snmp` | SNMP community strings |
| `tcp.stream eq 5` | Follow a specific TCP conversation |
Deep Dive & Workflow
Vulnerable Protocols Reference
Internal networks still commonly run unencrypted services; these expose credentials in cleartext:
| Unencrypted | Encrypted Alternative | What's Exposed |
|---|---|---|
| HTTP | HTTPS | Login form credentials and Basic Auth headers |
| FTP | FTPS / SFTP | Usernames and passwords |
| SNMP v1/v2c | SNMPv3 | Community strings (used as passwords) |
| Telnet | SSH | Full session including credentials |
| LDAP | LDAPS | Bind DN credentials (Simple Bind) |
| POP3/IMAP/SMTP | POP3S/IMAPS/SMTPS or STARTTLS | Email credentials |
Wireshark Hunting Techniques
Finding HTTP login forms:
- Filter: `http.request.method == "POST"`
- Inspect the "HTML Form URL Encoded" section in Packet Details
- Or: `http matches "pass|user|login"`
Finding FTP credentials:
- Filter: `ftp`
- Look for `USER [username]` and `PASS [password]` commands
- For transferred files: File → Export Objects → FTP-DATA → Save
Needle-in-haystack search (Ctrl+F in Wireshark):
- Set to: Packet Details → String
- Search for: `Authorization`, `password`, `credentials`, `api_key`
SNMP community strings:
- Filter: `snmp`
- Look for the `community` field in packet details (filter field: `snmp.community`)
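The same four hunts can be automated. The script below is an added example written for this page, not PCredz's or Wireshark's code: a pure standard-library extractor that walks a classic libpcap file, pulls FTP USER/PASS pairs, HTTP Basic Authorization headers, HTTP POST form passwords and SNMPv1/v2c community strings, and builds a constructed sample capture so it runs offline. It assumes a little-endian classic pcap (what `tcpdump -w` writes; Wireshark saves pcapng by default, so re-save as pcap), Ethernet II/IPv4 frames, requests that fit in one TCP segment, and short-form BER lengths for SNMP; the hostnames, addresses and credentials in the sample are made up. Python 3.8+ is required.

```python
# Added example, not PCredz or Wireshark code: a pure-Python extractor for the
# artefacts described above (FTP USER/PASS, HTTP Basic, HTTP POST passwords,
# SNMPv1/v2c communities). Assumes classic little-endian pcap, Ethernet II/IPv4.
import base64
import re
import struct
from contextlib import suppress
from urllib.parse import parse_qs

FTP_CMD = re.compile(rb"^(USER|PASS) (.*?)\r?$", re.M)
BASIC = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)

def read_pcap(data):
    """Yield (src, dst, proto, sport, dport, payload) for every IPv4 TCP/UDP packet."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":        # little-endian classic pcap magic (not pcapng)
        raise ValueError("not a little-endian classic libpcap file")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):               # 16-byte record header, then the frame
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet II + IPv4 only
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < (20 if proto == 6 else 8):
            continue                           # TCP (6) / UDP (17) with a complete header only
        payload = l4[(l4[12] >> 4) * 4:] if proto == 6 else l4[8:]   # TCP data offset / UDP = 8
        yield (src, dst, proto, *struct.unpack_from("!HH", l4), payload)

def _ber(buf, pos):
    """BER tag and short-form length at pos -> (tag, value_start, value_end)."""
    return buf[pos], pos + 2, pos + 2 + buf[pos + 1]    # long-form lengths (>127) not handled

def snmp_community(payload):
    """SNMPv1/v2c = SEQUENCE { INTEGER version, OCTET STRING community, PDU }; else None."""
    try:
        tag, pos, _ = _ber(payload, 0)
        vtag, vs, ve = _ber(payload, pos)
        ctag, cs, ce = _ber(payload, ve)
    except IndexError:                         # truncated datagram
        return None
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or ce > len(payload):
        return None
    version = int.from_bytes(payload[vs:ve], "big")
    return {0: "v1", 1: "v2c"}.get(version, f"v{version}"), payload[cs:ce].decode("ascii", "replace")

def extract_credentials(pcap):
    """Return (protocol, 'src->dst:port', user, secret) tuples found in the capture."""
    found, ftp_user = [], {}                   # ftp_user: last USER seen per client stream
    for src, dst, proto, sport, dport, payload in read_pcap(pcap):
        flow, stream = f"{src}->{dst}:{dport}", (src, dst, sport)
        if proto == 6 and dport == 21:
            for cmd, arg in FTP_CMD.findall(payload):
                if cmd == b"USER":
                    ftp_user[stream] = arg.decode(errors="replace")
                elif stream in ftp_user:       # PASS without a preceding USER is ignored
                    found.append(("ftp", flow, ftp_user.pop(stream), arg.decode(errors="replace")))
        elif proto == 6 and dport == 80:
            head, _, body = payload.partition(b"\r\n\r\n")
            if m := BASIC.search(head):
                with suppress(ValueError):     # malformed base64 raises binascii.Error, a ValueError
                    user, _, pw = base64.b64decode(m.group(1), validate=True).decode(errors="replace").partition(":")
                    found.append(("http-basic", flow, user, pw))
            if head.startswith(b"POST ") and body:
                form = {k.lower(): v[0] for k, v in parse_qs(body.decode(errors="replace")).items()}
                if pw := next((v for k, v in form.items() if re.search(r"pass|pwd", k)), None):
                    user = next((v for k, v in form.items() if re.search(r"user|login|email", k)), None)
                    found.append(("http-post", flow, user, pw))
        elif proto == 17 and dport == 161 and (hit := snmp_community(payload)):
            found.append(("snmp-" + hit[0], flow, None, hit[1]))
    return found

def _frame(src, dst, proto, sport, dport, payload):   # constructed frame, checksums left zero
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_sample_pcap():
    """Constructed capture: FTP login, HTTP Basic request, POST login form, SNMPv2c GET."""
    basic = b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"
    post = (b"POST /login HTTP/1.1\r\nHost: intranet\r\nContent-Type: application/x-www-form-urlencoded"
            b"\r\nContent-Length: 33\r\n\r\nusername=carol&password=Secr3t%21")
    snmp = bytes.fromhex("302602010104067075626c6963a01902044a2e6f7a020100020100300b300906052b060102010500")
    pkts = [("10.0.0.5", "10.0.0.21", 6, 51000, 21, b"USER alice\r\n"),
            ("10.0.0.5", "10.0.0.21", 6, 51000, 21, b"PASS Winter2024!\r\n"),
            ("10.0.0.5", "10.0.0.80", 6, 51001, 80, basic),
            ("10.0.0.5", "10.0.0.80", 6, 51002, 80, post),
            ("10.0.0.5", "10.0.0.1", 17, 51003, 161, snmp)]    # SNMPv2c GET, community "public"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, linktype 1 = Ethernet
    for i, pkt in enumerate(pkts):
        frame = _frame(*pkt)
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out
```

Against the constructed capture, `extract_credentials(build_sample_pcap())` returns the FTP pair alice/Winter2024!, the Basic pair bob/hunter2, the form pair carol/Secr3t! and the v2c community "public"; on a real file call `extract_credentials(open("capture.pcap", "rb").read())`. The FTP logic keys the pending USER on the client side of the stream (src, dst, source port), so interleaved logins from several clients are not mixed up, and a PASS with no preceding USER is ignored. Non-standard HTTP ports, pcapng, IPv6, VLAN tags and requests split across segments are out of scope here; PCredz and Wireshark handle those.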
PCredz: Automated Extraction
Automatically extracts NTLM hashes, FTP, HTTP, SNMP, and credit card data from live traffic or saved captures:
```bash
# Install
git clone https://github.com/lgandx/PCredz.git
sudo apt install python3-pip libpcap-dev
pip3 install Cython python-libpcap
cd PCredz && chmod +x Pcredz
# Against a file
./Pcredz -f capture.pcap
# Live capture (needs root or CAP_NET_RAW on the interface)
./Pcredz -i eth0 -v
```
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| tcpdump requires root | Low-privilege shell | If sudo is allowed: `sudo tcpdump ...`; otherwise check for file capabilities: `getcap /usr/sbin/tcpdump` |
| Capture file too large | Long capture duration | Rotate files: `tcpdump -C 100 -w capture.pcap` (new file every 100 MB), or capture only the protocols of interest: `tcpdump -w capture.pcap port 80 or port 21` |
| No credentials in capture | All traffic encrypted | Pivot to Responder for NTLM: `python3 Responder.py -I [IFACE] -A` (analyze mode first, which listens without poisoning) |
| Wireshark filter not finding creds | Wrong protocol assumption | Try: `http.request.method == "POST"`, `ftp contains "PASS"`, `smtp.req.command == "AUTH"` |
| Network interface not visible | NIC in a different network namespace or container | Check: `ip link show`; from the host, enter the container's network namespace: `nsenter -t [CONTAINER_PID] -n ip link` |
Reporting Trigger
Finding Title: Plaintext Credentials Captured via Network Traffic Analysis
Impact: Unencrypted credential transmission over legacy protocols (HTTP Basic Auth, FTP, LDAP Simple Bind) exposes authentication credentials to any network observer with access to the segment, enabling immediate account compromise.
Root Cause: Legacy protocols transmit credentials without encryption. No network segmentation prevents access to authentication traffic.
Recommendation: Enforce TLS/encryption for all authentication protocols. Disable legacy plaintext protocols (Telnet, FTP, HTTP Basic Auth). Implement network segmentation to isolate authentication servers. Deploy network monitoring to detect plaintext credential transmission.