Credential hunting in network traffic

BASICS OF NETWORK PROTOCOLS

Many protocols still in everyday use send credentials in cleartext unless their encrypted variant is negotiated. Anyone on the path (a compromised switch, a rogue Wi-Fi access point, an ARP-spoofing host) can read them straight out of a capture.

| Unencrypted protocol | Encrypted counterpart | Description |
|---|---|---|
| HTTP | HTTPS (HTTP over TLS) | Transfers web pages and resources; form logins and `Authorization: Basic` headers are readable in cleartext HTTP. |
| FTP | FTPS (FTP over TLS) or SFTP (a separate file-transfer protocol that runs over SSH, not FTP over TLS) | Transfers files between a client and a server; `USER` and `PASS` commands are sent in cleartext. |
| SNMP v1/v2c | SNMPv3 with authPriv (authentication and encryption enabled) | Monitors and manages network devices such as routers and switches; the community string acts as the password and is sent in cleartext. |
| POP3 | POP3S (POP3 over TLS, or STARTTLS) | Retrieves email from a mail server to a local client; `USER`/`PASS` are sent in cleartext. |
| IMAP | IMAPS (IMAP over TLS, or STARTTLS) | Accesses and manages email messages directly on the mail server; `LOGIN` credentials are sent in cleartext. |
| SMTP | SMTPS (SMTP over TLS, or STARTTLS) | Sends email from client to server or between mail servers; `AUTH PLAIN`/`AUTH LOGIN` credentials are base64-encoded, not encrypted. |
| LDAP | LDAPS (LDAP over TLS, or STARTTLS) | Queries and modifies directory services such as user accounts and roles; a simple bind carries the password in cleartext. |
| RDP | RDP with TLS (and Network Level Authentication via CredSSP) | Provides remote desktop access to Windows systems. |
| DNS (traditional, UDP/TCP 53) | DNS over HTTPS (DoH) or DNS over TLS (DoT) | Resolves domain names into IP addresses; cleartext queries reveal which hosts a client is talking to. |
| SMB (SMB1/2 without encryption) | SMB 3.0+ encryption (AES-based, negotiated inside the protocol; SMB does not use TLS) | Shares files, printers and other resources over a network; NTLM authentication exchanges can be captured and cracked offline. |
| VNC | VNC over TLS (for example VeNCrypt) or tunnelled over SSH | Allows graphical remote control of another computer. |

The encrypted counterpart only helps if it is actually negotiated: a server that accepts both cleartext and TLS, or a client that silently falls back, still exposes credentials on the wire.

Wireshark

| Wireshark filter | Description |
|---|---|
| `ip.addr == 56.48.210.13` | Packets whose source or destination is a specific IP address. |
| `tcp.port == 80` | Packets whose source or destination port matches (HTTP in this case). |
| `http` | HTTP traffic only. |
| `dns` | DNS traffic, useful for monitoring domain name resolution. |
| `tcp.flags.syn == 1 && tcp.flags.ack == 0` | Initial SYN packets of TCP handshakes, useful for spotting scanning or connection attempts. |
| `icmp` | ICMP packets (used by ping), useful for reconnaissance or diagnosing network issues. |
| `http.request.method == "POST"` | HTTP POST requests. When these are sent over unencrypted HTTP, the request body often contains passwords or other sensitive form fields. |
| `tcp.stream eq 53` | A single TCP stream, which lets you follow one conversation between two hosts end to end. |
| `eth.addr == 00:11:22:33:44:55` | Packets from or to a specific MAC address. |
| `ip.src == 192.168.24.3 && ip.dst == 56.48.210.3` | Traffic in one direction between two specific hosts (swap `ip.src` and `ip.dst`, or use `ip.addr` for both, to see the reply direction). |

For example, in the image below we are filtering for unencrypted HTTP traffic.

Image: network packet capture showing HTTP requests with source, destination, protocol, length and info columns.

In Wireshark, it is possible to locate packets that contain specific bytes or strings. One way is a display filter such as `http contains "passw"` (note that `contains` is case-sensitive; `http matches "(?i)passw"` uses a regular expression and catches `Password` and `PASSWD` as well). Alternatively, navigate to Edit > Find Packet, choose the "String" search type and enter the desired query manually. For example, you might search for packets containing the string "passw":

Image: network packet capture showing HTTP requests; the highlighted POST request contains HTML form data with username and password fields.

It's worth familiarizing yourself with the syntax of Wireshark's filtering engine, especially if you ever need to perform network traffic analysis.


Pcredz (and also tshark, which I saw mentioned on Reddit)

Pcredz is a tool that extracts credentials from live traffic or from network packet captures. Specifically, it supports extracting the following information:

https://github.com/lgandx/PCredz

  • Credit card numbers

  • POP credentials

  • SMTP credentials

  • IMAP credentials

  • SNMP community strings

  • FTP credentials

  • Credentials from HTTP NTLM/Basic headers, as well as HTTP forms

  • NTLMv1/v2 hashes from various traffic, including DCE-RPC, SMBv1/2, LDAP, MSSQL and HTTP

  • Kerberos (AS-REQ Pre-Auth etype 23) hashes

Read the following one ..........

Just clone the repository and then run the following command
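To show what a tool like Pcredz (or the `http.request.method == "POST"` and `http contains "passw"` filters above) is actually doing under the hood, here is an added example of my own, not code from the PCredz project or from Wireshark. It walks a classic pcap with only the Python standard library, pulls out each IPv4/TCP payload, and looks for HTTP Basic headers, HTTP POST form fields and FTP/POP3 `USER`/`PASS` commands, pairing `USER` with the `PASS` that follows it in the same conversation (the same idea as following a `tcp.stream`). The capture it runs on is constructed in memory; the IP addresses, host name and account names are made up for the example.

```python
"""Cleartext credential extraction from a pcap (added example; not Pcredz or Wireshark code)."""
import base64
import binascii
import re
import struct
import sys
from urllib.parse import parse_qsl

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic (little-endian when read with "<I")
LINKTYPE_ETHERNET = 1
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
USERPASS_RE = re.compile(r"^(USER|PASS)\s+(\S+)", re.I)   # FTP and POP3 share this command syntax
USER_FIELD = re.compile(r"user|login|uname|email", re.I)  # form field names that usually hold the account
PASS_FIELD = re.compile(r"pass|pwd", re.I)                # form field names that usually hold the secret
SERVICES = {21: "ftp", 80: "http", 110: "pop3"}


def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero because nothing here verifies them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic pcap: 24-byte global header, then a 16-byte record header per packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_payloads(pcap):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP packet in a classic pcap."""
    endian = "<" if struct.unpack_from("<I", pcap)[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip anything that is not IPv4 over Ethernet (ethertype 0x0800) carrying TCP (protocol 6).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        t = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, t)
        data_off = (frame[t + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[t + data_off:]


def extract_credentials(pcap):
    """Return (kind, conversation, secret) tuples found in cleartext TCP payloads."""
    findings, pending_user = [], {}
    for src, dst, sport, dport, data in tcp_payloads(pcap):
        text = data.decode("latin-1")        # never raises, so binary payloads are harmless
        conv = f"{src}:{sport} -> {dst}:{dport}"
        svc = SERVICES.get(dport, f"tcp/{dport}")
        m = BASIC_RE.search(text)            # HTTP Basic is only base64("user:password")
        if m:
            try:
                findings.append(("http-basic", conv, base64.b64decode(m.group(1)).decode("latin-1")))
            except binascii.Error:
                pass
        if text.startswith("POST ") and "\r\n\r\n" in text:   # the http.request.method == "POST" case
            fields = dict(parse_qsl(text.split("\r\n\r\n", 1)[1]))
            user = next((v for k, v in fields.items() if USER_FIELD.search(k)), None)
            pw = next((v for k, v in fields.items() if PASS_FIELD.search(k)), None)
            if user or pw:
                findings.append(("http-form", conv, f"{user}:{pw}"))
        for line in text.splitlines():       # FTP/POP3 send USER and PASS in separate packets
            m = USERPASS_RE.match(line)
            if not m:
                continue
            if m.group(1).upper() == "USER":
                pending_user[conv] = m.group(2)         # remember it until PASS arrives on this stream
            else:
                findings.append((f"{svc}-login", conv, f"{pending_user.get(conv, '?')}:{m.group(2)}"))
    return findings


def sample_pcap():
    """Constructed traffic (not a real capture): one HTTP POST login and one FTP login."""
    body = b"username=alice&password=Winter2024!"
    post = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
            b"Authorization: Basic " + base64.b64encode(b"svc-backup:Backup#1") + b"\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body)
    return build_pcap([
        build_frame("192.168.24.3", "56.48.210.3", 51234, 80, post),
        build_frame("192.168.24.3", "192.168.24.10", 51235, 21, b"USER bob\r\n"),
        build_frame("192.168.24.3", "192.168.24.10", 51235, 21, b"PASS hunter2\r\n"),
    ])


if __name__ == "__main__":
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    for kind, conv, secret in extract_credentials(capture):
        print(f"[{kind}] {conv}  {secret}")
```

Run it with no arguments to see the three constructed findings, or pass the path of a classic `.pcap` (not pcapng) saved from Wireshark. It deliberately does not reassemble TCP streams, so a form body split across segments or a `PASS` line that arrives in a second segment of the same packet sequence is the first thing to add if you take it further; Pcredz and Wireshark's own dissectors handle that for you.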
