def test_telnet(self):
credentials_list = process_pcap(
"samples/telnet-cooked.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(Credentials('fake', 'user') in credentials_list)
self.assertTrue(len(credentials_list) == 1)
credentials_list = process_pcap(
"samples/telnet-raw.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(Credentials('fake', 'user') in credentials_list)
self.assertTrue(len(credentials_list) == 1)
credentials_list = process_pcap(
"samples/telnet-raw2.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials('Administrator', 'napier') in credentials_list)
self.assertTrue(len(credentials_list) == 1)
credentials_list = process_pcap(
"samples/telnet.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials('shellcode', 'shellcode') in credentials_list)
self.assertTrue(len(credentials_list) == 1)
def test_pgsql(self):
credentials_list = process_pcap(
"samples/pgsql.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials("oryx",
hash="ceffc01dcde7541829deef6b5e9c9142",
context={
"salt": "ad44ff54",
"auth_type": "md5",
"database": "mailstore"
}) in credentials_list)
self.assertTrue(
Credentials("oryx",
hash="f8f8b884b4ef7cc9ee95e69868cdfa5e",
context={
"salt": "f211a3ed",
"auth_type": "md5",
"database": "mailstore"
}) in credentials_list)
self.assertTrue(len(credentials_list) == 2)
credentials_list = process_pcap(
"samples/pgsql-nopassword.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials("user", context={"database": "dbdb"}) in
credentials_list)
self.assertTrue(len(credentials_list) == 1)
def test_snmp(self):
credentials_list = process_pcap(
"samples/snmp-v1.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(Credentials(password="******") in credentials_list)
self.assertTrue(len(credentials_list) == 1)
credentials_list = process_pcap(
"samples/snmp-v3.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(Credentials(username="******") in credentials_list)
self.assertTrue(Credentials(username="******") in credentials_list)
self.assertTrue(Credentials(username="******") in credentials_list)
self.assertTrue(Credentials(username="******") in credentials_list)
self.assertTrue(len(credentials_list) == 4)
def test_http_post_auth(self):
credentials_list = process_pcap(
"samples/http-post-auth.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials('toto', 'Str0ngP4ssw0rd') in credentials_list)
self.assertTrue(len(credentials_list) == 1)
def test_imap(self):
credentials_list = process_pcap(
"samples/imap.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials('neulingern', 'XXXXXX') in credentials_list)
self.assertTrue(len(credentials_list) == 1)
def test_ftp(self):
credentials_list = process_pcap(
"samples/ftp.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials('anonymous', '*****@*****.**') in credentials_list)
self.assertTrue(len(credentials_list) == 1)
def test_pop(self):
credentials_list = process_pcap(
"samples/pop3.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials('*****@*****.**', 'napier123') in
credentials_list)
self.assertTrue(len(credentials_list) == 2)
def test_smtp(self):
credentials_list = process_pcap(
"samples/smtp.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials('*****@*****.**', 'punjab@123') in
credentials_list)
self.assertTrue(len(credentials_list) == 1)
def test_http_basic_auth(self):
credentials_list = process_pcap(
"samples/http-basic-auth.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(Credentials('test', 'test') in credentials_list)
self.assertFalse(Credentials('test', 'fail') in credentials_list)
self.assertFalse(Credentials('test', 'fail2') in credentials_list)
self.assertFalse(Credentials('test', 'fail3') in credentials_list)
self.assertTrue(len(credentials_list) == 6)
def test_protocol_decode_as(self):
from credslayer.core import manager
credentials_list = manager.process_pcap(
"samples/telnet-hidden.pcap",
decode_as={
"tcp.port==1337": "telnet"
}).get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials("shellcode", "shellcode") in credentials_list)
def test_ldap(self):
credentials_list = process_pcap(
"samples/ldap-simpleauth.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials("*****@*****.**", "passwor8d1") in
credentials_list)
self.assertTrue(
Credentials(
"CN=xxxxxxxx,OU=Users,OU=Accounts,DC=xx,"
"DC=xxx,DC=xxxxx,DC=net", "/dev/rdsk/c0t0d0s0") in
credentials_list)
self.assertTrue(len(credentials_list) == 2)
def test_mysql(self):
credentials_list = process_pcap(
"samples/mysql.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials("tfoerste",
hash="eefd6d5562851bc5966a0b41236ae3f2315efcc4",
context={
"salt": ">~$4uth,",
"salt2": ">612IWZ>fhWX"
}) in credentials_list)
self.assertTrue(len(credentials_list) == 1)
credentials_list = process_pcap(
"samples/mysql2.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(
Credentials("user10",
hash="55ee72f0c6694cbb3a104eb97f8ee32a6a91f8b1",
context={
"salt": "]E!r<uX8",
"salt2": "Of2c!tIM)\"n'"
}) in credentials_list)
self.assertTrue(len(credentials_list) == 1)
def main():
parser = build_argument_parser()
args = parser.parse_args()
if args.listen:
if args.pcapfiles:
parser.error(
"You cannot specify pcap files to analyse and listen at the same time"
)
else:
if not args.pcapfiles:
parser.error("Nothing to do...")
if args.listen_output:
parser.error(
"Cannot specify --listen-output/-lo if not in listening mode")
string_inspection = None
if args.string_inspection == "enable":
string_inspection = True
elif args.string_inspection == "disable":
string_inspection = False
ip_filter = None
if args.filter:
# tshark display filter
try:
socket.inet_aton(args.filter)
ip_filter = "ip.src == {0} or ip.dst == {0}".format(args.filter)
except socket.error:
try:
socket.inet_pton(socket.AF_INET6, args.filter)
ip_filter = "ipv6.src == {0} or ipv6.dst == {0}".format(
args.filter)
except socket.error:
parser.error("Invalid IP address filter")
# dumpcap capture filter
if args.listen:
ip_filter = "host " + args.filter
decode_map = None
if args.map:
decode_map = {}
for m in args.map:
tokens = m.split(":")
if len(tokens) != 2:
parser.error("Invalid port mapping")
decode_map["tcp.port==" + tokens[0]] = tokens[1]
logger.info(
"CredSLayer will decode traffic on '{}' as '{}'".format(
*tokens))
if args.output:
if os.path.isfile(args.output):
parser.error(args.output + " already exists")
logger.OUTPUT_FILE = open(args.output, "w")
if args.listen:
if os.geteuid() != 0:
print("You must be root to listen on an interface.")
exit(1)
if args.listen_output and os.path.isfile(args.listen_output):
parser.error(args.listen_output + " already exists")
manager.active_processing(args.listen,
must_inspect_strings=string_inspection,
tshark_filter=ip_filter,
debug=args.debug,
decode_as=decode_map,
pcap_output=args.listen_output)
exit(0)
for pcap in args.pcapfiles:
try:
manager.process_pcap(pcap,
must_inspect_strings=string_inspection,
tshark_filter=ip_filter,
debug=args.debug,
decode_as=decode_map)
except Exception as e:
error_str = str(e)
if error_str.startswith("[Errno"): # Clean error message
errno_end_index = error_str.find("]") + 2
error_str = error_str[errno_end_index:]
logger.error(error_str)
else:
traceback.print_exc()
if logger.OUTPUT_FILE:
logger.OUTPUT_FILE.close()
def test_http_get_auth(self):
credentials_list = process_pcap(
"samples/http-get-auth.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(Credentials('admin', 'qwerty1234') in credentials_list)
self.assertTrue(len(credentials_list) == 1)
def test_ntlmssp(self):
credentials_list = process_pcap(
"samples/smb-ntlm.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(credentials_list == [
Credentials(
context={'version': 'NETNTLMv2'},
hash="Willi Wireshark::DESKTOP-2AEFM7G:78f8f6206e882559:8149b0"
"b2a73a191141bda07d1ed18434:01010000000000000bd7d7878527d"
"201146f94347775321c0000000002001e004400450053004b0054004"
"f0050002d00560031004600410030005500510001001e00440045005"
"3004b0054004f0050002d00560031004600410030005500510004001"
"e004400450053004b0054004f0050002d00560031004600410030005"
"500510003001e004400450053004b0054004f0050002d00560031004"
"6004100300055005100070008000bd7d7878527d2010600040002000"
"0000800300030000000000000000100000000200000ad865b6d08a95"
"d0e76a94e2ca013ab3f69c4fd945cca01b277700fd2b305ca010a001"
"00000000000000000000000000000000000090028006300690066007"
"3002f003100390032002e003100360038002e003100390039002e003"
"10033003300000000000000000000000000")
])
credentials_list = process_pcap(
"samples/smb-ntlm2.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(credentials_list == [
Credentials(
context={'version': 'NETNTLMv2'},
hash="administrator:::26de2c0b3abaaa1c:711d6cb05614bc240ca7e2a"
"38568ff85:0101000000000000e652e41aa7b4d401dac9a62e4db292"
"6b000000000200060046004f004f000100100044004600530052004f"
"004f00540031000400100066006f006f002e00740065007300740003"
"00220064006600730072006f006f00740031002e0066006f006f002e"
"0074006500730074000500100066006f006f002e0074006500730074"
"0007000800e652e41aa7b4d40100000000")
])
credentials_list = process_pcap(
"samples/smb-ntlm3.pcap").get_list_of_all_credentials()
print(credentials_list)
self.assertTrue(credentials_list == [
Credentials(
context={'version': 'NETNTLMv1'},
hash="administrator::VNET3:42c09b264cbc46690000000000000000000"
"0000000000000:9cd7e4af2d7e934adc9b307231a958539b3d2c368b"
"964cea:28a3a326a53fa6f5")
])
remaining_credentials = process_pcap(
"samples/http-ntlm.pcap").get_remaining_content()
remaining_credentials = [c[1] for c in remaining_credentials
] # Only get Credentials from the tuple
print(remaining_credentials)
self.assertTrue(len(remaining_credentials) == 6)
self.assertTrue(
Credentials(
hash=
"administrator::example:ea46e3a07ea448d200000000000000000000000000000000:"
"4d626ea83a02eee710571a2b84241788bd21e3a66ddbf4a5"
":CHALLENGE_NOT_FOUND") in remaining_credentials)
