def test_telnet(self): credentials_list = process_pcap( "samples/telnet-cooked.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue(Credentials('fake', 'user') in credentials_list) self.assertTrue(len(credentials_list) == 1) credentials_list = process_pcap( "samples/telnet-raw.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue(Credentials('fake', 'user') in credentials_list) self.assertTrue(len(credentials_list) == 1) credentials_list = process_pcap( "samples/telnet-raw2.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials('Administrator', 'napier') in credentials_list) self.assertTrue(len(credentials_list) == 1) credentials_list = process_pcap( "samples/telnet.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials('shellcode', 'shellcode') in credentials_list) self.assertTrue(len(credentials_list) == 1)
def test_pgsql(self): credentials_list = process_pcap( "samples/pgsql.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials("oryx", hash="ceffc01dcde7541829deef6b5e9c9142", context={ "salt": "ad44ff54", "auth_type": "md5", "database": "mailstore" }) in credentials_list) self.assertTrue( Credentials("oryx", hash="f8f8b884b4ef7cc9ee95e69868cdfa5e", context={ "salt": "f211a3ed", "auth_type": "md5", "database": "mailstore" }) in credentials_list) self.assertTrue(len(credentials_list) == 2) credentials_list = process_pcap( "samples/pgsql-nopassword.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials("user", context={"database": "dbdb"}) in credentials_list) self.assertTrue(len(credentials_list) == 1)
def test_snmp(self): credentials_list = process_pcap( "samples/snmp-v1.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue(Credentials(password="******") in credentials_list) self.assertTrue(len(credentials_list) == 1) credentials_list = process_pcap( "samples/snmp-v3.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue(Credentials(username="******") in credentials_list) self.assertTrue(Credentials(username="******") in credentials_list) self.assertTrue(Credentials(username="******") in credentials_list) self.assertTrue(Credentials(username="******") in credentials_list) self.assertTrue(len(credentials_list) == 4)
def test_http_post_auth(self): credentials_list = process_pcap( "samples/http-post-auth.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials('toto', 'Str0ngP4ssw0rd') in credentials_list) self.assertTrue(len(credentials_list) == 1)
def test_imap(self): credentials_list = process_pcap( "samples/imap.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials('neulingern', 'XXXXXX') in credentials_list) self.assertTrue(len(credentials_list) == 1)
def test_ftp(self): credentials_list = process_pcap( "samples/ftp.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials('anonymous', '*****@*****.**') in credentials_list) self.assertTrue(len(credentials_list) == 1)
def test_pop(self): credentials_list = process_pcap( "samples/pop3.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials('*****@*****.**', 'napier123') in credentials_list) self.assertTrue(len(credentials_list) == 2)
def test_smtp(self): credentials_list = process_pcap( "samples/smtp.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials('*****@*****.**', 'punjab@123') in credentials_list) self.assertTrue(len(credentials_list) == 1)
def test_http_basic_auth(self): credentials_list = process_pcap( "samples/http-basic-auth.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue(Credentials('test', 'test') in credentials_list) self.assertFalse(Credentials('test', 'fail') in credentials_list) self.assertFalse(Credentials('test', 'fail2') in credentials_list) self.assertFalse(Credentials('test', 'fail3') in credentials_list) self.assertTrue(len(credentials_list) == 6)
def test_protocol_decode_as(self): from credslayer.core import manager credentials_list = manager.process_pcap( "samples/telnet-hidden.pcap", decode_as={ "tcp.port==1337": "telnet" }).get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials("shellcode", "shellcode") in credentials_list)
def test_ldap(self): credentials_list = process_pcap( "samples/ldap-simpleauth.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials("*****@*****.**", "passwor8d1") in credentials_list) self.assertTrue( Credentials( "CN=xxxxxxxx,OU=Users,OU=Accounts,DC=xx," "DC=xxx,DC=xxxxx,DC=net", "/dev/rdsk/c0t0d0s0") in credentials_list) self.assertTrue(len(credentials_list) == 2)
def test_mysql(self): credentials_list = process_pcap( "samples/mysql.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials("tfoerste", hash="eefd6d5562851bc5966a0b41236ae3f2315efcc4", context={ "salt": ">~$4uth,", "salt2": ">612IWZ>fhWX" }) in credentials_list) self.assertTrue(len(credentials_list) == 1) credentials_list = process_pcap( "samples/mysql2.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue( Credentials("user10", hash="55ee72f0c6694cbb3a104eb97f8ee32a6a91f8b1", context={ "salt": "]E!r<uX8", "salt2": "Of2c!tIM)\"n'" }) in credentials_list) self.assertTrue(len(credentials_list) == 1)
def main(): parser = build_argument_parser() args = parser.parse_args() if args.listen: if args.pcapfiles: parser.error( "You cannot specify pcap files to analyse and listen at the same time" ) else: if not args.pcapfiles: parser.error("Nothing to do...") if args.listen_output: parser.error( "Cannot specify --listen-output/-lo if not in listening mode") string_inspection = None if args.string_inspection == "enable": string_inspection = True elif args.string_inspection == "disable": string_inspection = False ip_filter = None if args.filter: # tshark display filter try: socket.inet_aton(args.filter) ip_filter = "ip.src == {0} or ip.dst == {0}".format(args.filter) except socket.error: try: socket.inet_pton(socket.AF_INET6, args.filter) ip_filter = "ipv6.src == {0} or ipv6.dst == {0}".format( args.filter) except socket.error: parser.error("Invalid IP address filter") # dumpcap capture filter if args.listen: ip_filter = "host " + args.filter decode_map = None if args.map: decode_map = {} for m in args.map: tokens = m.split(":") if len(tokens) != 2: parser.error("Invalid port mapping") decode_map["tcp.port==" + tokens[0]] = tokens[1] logger.info( "CredSLayer will decode traffic on '{}' as '{}'".format( *tokens)) if args.output: if os.path.isfile(args.output): parser.error(args.output + " already exists") logger.OUTPUT_FILE = open(args.output, "w") if args.listen: if os.geteuid() != 0: print("You must be root to listen on an interface.") exit(1) if args.listen_output and os.path.isfile(args.listen_output): parser.error(args.listen_output + " already exists") manager.active_processing(args.listen, must_inspect_strings=string_inspection, tshark_filter=ip_filter, debug=args.debug, decode_as=decode_map, pcap_output=args.listen_output) exit(0) for pcap in args.pcapfiles: try: manager.process_pcap(pcap, must_inspect_strings=string_inspection, tshark_filter=ip_filter, debug=args.debug, decode_as=decode_map) except Exception as e: error_str = str(e) if error_str.startswith("[Errno"): # Clean error message errno_end_index = error_str.find("]") + 2 error_str = error_str[errno_end_index:] logger.error(error_str) else: traceback.print_exc() if logger.OUTPUT_FILE: logger.OUTPUT_FILE.close()
def test_http_get_auth(self): credentials_list = process_pcap( "samples/http-get-auth.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue(Credentials('admin', 'qwerty1234') in credentials_list) self.assertTrue(len(credentials_list) == 1)
def test_ntlmssp(self): credentials_list = process_pcap( "samples/smb-ntlm.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue(credentials_list == [ Credentials( context={'version': 'NETNTLMv2'}, hash="Willi Wireshark::DESKTOP-2AEFM7G:78f8f6206e882559:8149b0" "b2a73a191141bda07d1ed18434:01010000000000000bd7d7878527d" "201146f94347775321c0000000002001e004400450053004b0054004" "f0050002d00560031004600410030005500510001001e00440045005" "3004b0054004f0050002d00560031004600410030005500510004001" "e004400450053004b0054004f0050002d00560031004600410030005" "500510003001e004400450053004b0054004f0050002d00560031004" "6004100300055005100070008000bd7d7878527d2010600040002000" "0000800300030000000000000000100000000200000ad865b6d08a95" "d0e76a94e2ca013ab3f69c4fd945cca01b277700fd2b305ca010a001" "00000000000000000000000000000000000090028006300690066007" "3002f003100390032002e003100360038002e003100390039002e003" "10033003300000000000000000000000000") ]) credentials_list = process_pcap( "samples/smb-ntlm2.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue(credentials_list == [ Credentials( context={'version': 'NETNTLMv2'}, hash="administrator:::26de2c0b3abaaa1c:711d6cb05614bc240ca7e2a" "38568ff85:0101000000000000e652e41aa7b4d401dac9a62e4db292" "6b000000000200060046004f004f000100100044004600530052004f" "004f00540031000400100066006f006f002e00740065007300740003" "00220064006600730072006f006f00740031002e0066006f006f002e" "0074006500730074000500100066006f006f002e0074006500730074" "0007000800e652e41aa7b4d40100000000") ]) credentials_list = process_pcap( "samples/smb-ntlm3.pcap").get_list_of_all_credentials() print(credentials_list) self.assertTrue(credentials_list == [ Credentials( context={'version': 'NETNTLMv1'}, hash="administrator::VNET3:42c09b264cbc46690000000000000000000" "0000000000000:9cd7e4af2d7e934adc9b307231a958539b3d2c368b" "964cea:28a3a326a53fa6f5") ]) remaining_credentials = process_pcap( "samples/http-ntlm.pcap").get_remaining_content() remaining_credentials = [c[1] for c in remaining_credentials ] # Only get Credentials from the tuple print(remaining_credentials) self.assertTrue(len(remaining_credentials) == 6) self.assertTrue( Credentials( hash= "administrator::example:ea46e3a07ea448d200000000000000000000000000000000:" "4d626ea83a02eee710571a2b84241788bd21e3a66ddbf4a5" ":CHALLENGE_NOT_FOUND") in remaining_credentials)