Convert Figma logo to code with AI

lgandx logoPCredz

This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.

2,397
447
2,397
1
View on GitHub

Top Related Projects

byt3bl33d3r's avatar

MITMf

3,634

Framework for Man-In-The-Middle attacks

kgretzky's avatar

evilginx2

14,081

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication

moxie0's avatar

sslstrip

2,024

A tool for exploiting Moxie Marlinspike's SSL "stripping" attack.

bettercap's avatar

bettercap

18,715

The Swiss Army knife for 802.11, BLE, HID, CAN-bus, IPv4 and IPv6 networks reconnaissance and MITM attacks.

trustedsec's avatar

social-engineer-toolkit

12,590

The Social-Engineer Toolkit (SET) repository from TrustedSec - All new versions of SET will be deployed here.

Quick Overview

PCredz is a network packet sniffer and credential extraction tool designed to capture and analyze network traffic for sensitive information. It focuses on extracting credentials from various protocols and services, including HTTP, SMTP, POP3, IMAP, Telnet, and more.

Pros

  • Supports a wide range of protocols and services for credential extraction
  • Can be used with live network traffic or PCAP files
  • Lightweight and easy to use
  • Actively maintained and updated

Cons

  • Potential for misuse in unauthorized network monitoring
  • May trigger antivirus or intrusion detection systems
  • Requires root/administrator privileges to capture live network traffic
  • Limited documentation for advanced usage scenarios

Code Examples

# Example 1: Sniffing live network traffic
sudo python3 Pcredz -i eth0

# Example 2: Analyzing a PCAP file
python3 Pcredz -f /path/to/capture.pcap

# Example 3: Filtering specific protocols
python3 Pcredz -i eth0 -v -t http,ftp

Getting Started

  1. Clone the repository:

    git clone https://github.com/lgandx/PCredz.git

  2. Install dependencies:

    cd PCredz
pip3 install -r requirements.txt

  3. Run PCredz (requires root/administrator privileges):

    sudo python3 Pcredz -i <interface_name>

Replace <interface_name> with the name of your network interface (e.g., eth0, wlan0).

Competitor Comparisons

byt3bl33d3r logo

MITMf

3,634

Framework for Man-In-The-Middle attacks

Pros of MITMf

  • More comprehensive feature set, including multiple attack modules
  • Active development and community support
  • Extensible plugin architecture for custom modules

Cons of MITMf

  • More complex setup and configuration
  • Potentially overwhelming for beginners
  • Larger codebase, which may impact performance on resource-constrained systems

Code Comparison

MITMf:

from core.sslstrip.DnsCache import DnsCache
from core.sslstrip.URLMonitor import URLMonitor
from core.utils import *

class Plugin(Plugin):
    name = "SSLstrip+"
    optname = "sslstrip"
    implements = ["handleRequest", "handleResponse", "handleHeader"]

PCredz:

def start_sniffer():
    if args.interface:
        sniff(iface=args.interface, prn=pkt_parser, store=0)
    else:
        sniff(prn=pkt_parser, store=0)

def pkt_parser(pkt):
    if pkt.haslayer(TCP) and pkt.haslayer(Raw) and pkt.haslayer(IP):
        parse_pkt(pkt)

MITMf offers a more structured plugin-based approach, while PCredz focuses on a simpler packet sniffing implementation. MITMf's code demonstrates its extensibility, whereas PCredz showcases a more straightforward packet parsing method.

kgretzky logo

evilginx2

14,081

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication

Pros of evilginx2

  • More advanced phishing capabilities with real-time session hijacking
  • Supports multiple target websites and custom phishing templates
  • Active development and regular updates

Cons of evilginx2

  • Steeper learning curve and more complex setup
  • Requires more resources to run effectively
  • May be considered more invasive and potentially illegal in some jurisdictions

Code Comparison

PCredz (Python):

def parse_pcap(pcap_file):
    try:
        a = rdpcap(pcap_file)
        sessions = a.sessions()
        for session in sessions:
            for packet in sessions[session]:
                try:
                    if packet.haslayer(TCP) and packet.haslayer(Raw):
                        packet_data = packet[Raw].load

evilginx2 (Go):

func (p *HttpProxy) handleClient(client net.Conn) {
    defer client.Close()
    ctx := &Context{
        Params:   make(map[string]string),
        Cookies:  make(map[string]*http.Cookie),
        UserAgent: "",
    }
    p.httpredir.HandleClientRequest(client, ctx)

Both tools are used for credential harvesting, but evilginx2 offers more sophisticated phishing capabilities at the cost of increased complexity. PCredz focuses on passive network sniffing, while evilginx2 actively manipulates traffic for real-time session hijacking.

moxie0 logo

sslstrip

2,024

A tool for exploiting Moxie Marlinspike's SSL "stripping" attack.

Pros of sslstrip

  • Focuses specifically on SSL/TLS stripping attacks
  • Lightweight and easy to use
  • Well-established tool with a long history in the security community

Cons of sslstrip

  • Less actively maintained compared to PCredz
  • More limited in scope, focusing only on SSL/TLS stripping
  • May not capture as wide a range of credentials as PCredz

Code Comparison

sslstrip:

def handleRequest(self, request):
    logging.debug("Handling request: %s" % request)
    client = self.getClientIP(request)
    self.stripSSL(request)

PCredz:

def start(self):
    self.start_sniffer()
    self.parse_pcap()
    self.print_credentials()

Key Differences

PCredz is a more comprehensive tool for capturing various types of credentials from network traffic, while sslstrip focuses specifically on SSL/TLS stripping attacks. PCredz is more actively maintained and updated, offering broader functionality for credential harvesting across different protocols. sslstrip, while more specialized, remains a popular choice for its specific use case in SSL/TLS attacks.

Both tools serve different purposes within the realm of network security testing and should be chosen based on the specific requirements of the task at hand. PCredz is better suited for general credential capturing, while sslstrip excels in scenarios where SSL/TLS stripping is the primary objective.

bettercap logo

bettercap

18,715

The Swiss Army knife for 802.11, BLE, HID, CAN-bus, IPv4 and IPv6 networks reconnaissance and MITM attacks.

Pros of Bettercap

  • More comprehensive network attack and monitoring tool
  • Actively maintained with frequent updates
  • Supports a wider range of protocols and attack vectors

Cons of Bettercap

  • Steeper learning curve due to more complex features
  • Requires more system resources to run effectively
  • May be overkill for simple credential sniffing tasks

Code Comparison

PCredz (Python):

def parse_pcap(pcap_file):
    try:
        a = rdpcap(pcap_file)
        sessions = a.sessions()
        for session in sessions:
            for packet in sessions[session]:
                # Packet processing logic

Bettercap (Go):

func (mod *HttpProxy) onPacket(pkt gopacket.Packet) {
    if mod.isHTTPRequest(pkt) {
        req := mod.parseRequest(pkt)
        if req != nil {
            // Request processing logic

Both tools process network packets, but Bettercap's implementation is more modular and type-safe due to Go's strong typing. PCredz focuses specifically on credential extraction, while Bettercap offers a broader range of network manipulation capabilities.

trustedsec logo

social-engineer-toolkit

12,590

The Social-Engineer Toolkit (SET) repository from TrustedSec - All new versions of SET will be deployed here.

Pros of Social-Engineer Toolkit

  • Comprehensive suite of social engineering tools
  • User-friendly interface with menu-driven options
  • Regularly updated with new features and attack vectors

Cons of Social-Engineer Toolkit

  • Larger footprint and more complex setup
  • Requires more system resources
  • Steeper learning curve for beginners

Code Comparison

Social-Engineer Toolkit:

# Example of a phishing attack setup
choice = input("Select attack vector: ")
if choice == "1":
    site = input("Enter site to clone: ")
    clone_site(site)

PCredz:

# Example of credential extraction
for pkt in packets:
    if pkt.haslayer(TCP) and pkt.haslayer(Raw):
        process_packet(pkt)

Key Differences

  • PCredz focuses specifically on credential extraction from network traffic
  • Social-Engineer Toolkit offers a broader range of social engineering attacks
  • PCredz is more lightweight and easier to integrate into existing workflows
  • Social-Engineer Toolkit provides a more guided experience for less experienced users

Both tools serve different purposes within the realm of security testing and should be chosen based on the specific requirements of the task at hand.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

PCredz 2.1.0

PCredz extracts credentials and authentication tokens from network traffic (PCAP files or live capture).

Features

Supported Protocols

Extract credentials from both IPv4 and IPv6 traffic:

  • NTLM: NTLMv1/v2 hashes from HTTP, SMB, LDAP, MSSQL, DCE-RPC, and more
  • Kerberos: AS-REQ Pre-Auth (etype 23) hashes
  • HTTP: Basic authentication, form fields (passwords, API keys, tokens)
  • FTP: USER/PASS commands
  • IRC: NICK/USER/PASS authentication
  • SMTP: AUTH PLAIN and AUTH LOGIN
  • IMAP: LOGIN authentication
  • POP3: USER/PASS commands
  • LDAP: Simple Bind (plaintext passwords)
  • SNMP: Community strings (v1/v2c)
  • MSSQL: TDS protocol authentication
  • Credit Cards: Card number extraction (optional)

Output Formats

  • Hashcat compatible: All hashes formatted for direct use with hashcat
    • NTLMv1: -m 5500
    • NTLMv2: -m 5600
    • Kerberos: -m 7500
  • Organized logs: Separate files for each credential type in logs/ directory
  • Session log: Complete timeline in CredentialDump-Session.log
  • Deduplication: Same credentials only logged once (unless -v flag used)

Link Layer Support

  • Ethernet (DLT_EN10MB)
  • Linux Cooked Capture (DLT_LINUX_SLL)
  • Raw IP (DLT_RAW)
  • Automatic detection of link layer type

Installation

Docker (Recommended)

# Build the container
docker build -t pcredz .

# Run with current directory mounted
docker run --rm -v $(pwd):/data pcredz -f /data/capture.pcap

# For live capture (requires --net=host)
docker run --rm --net=host -v $(pwd):/data pcredz -i eth0 -v

Linux

Debian/Ubuntu:

sudo apt-get install python3-pip libpcap-dev
pip3 install pcapy-ng

Fedora/RHEL:

sudo dnf install python3-pip libpcap-devel
pip3 install pcapy-ng

Arch Linux:

sudo pacman -S python-pip libpcap
pip3 install pcapy-ng

Usage

Basic Examples

# Parse a single PCAP file
./Pcredz -f capture.pcap

# Parse all PCAP files in a directory (recursive)
./Pcredz -d /path/to/pcap/directory/

# Live capture on an interface (requires root)
sudo ./Pcredz -i eth0

# Verbose mode (show duplicate credentials)
./Pcredz -f capture.pcap -v

# Custom output directory
./Pcredz -f capture.pcap -o /tmp/pcredz-output/

Options

Required (choose one):
  -f FILE         PCAP file to parse
  -d DIR          Directory to parse recursively
  -i INTERFACE    Interface for live capture

Optional:
  -v              Verbose mode (print duplicate credentials)
  -t              Print timestamps
  -o DIR          Output directory for logs (default: ./)
  -c              Disable credit card scanning
  --disable PROTO Disable protocol (can be used multiple times)
                  Options: NTLM, HTTP, FTP, IRC, LDAP, SMTP, Kerberos, SNMP, MSSQL
  --exclude-host IP  Exclude host IP from capture (can be used multiple times)
  -h              Show help message

Output Files

All credentials are saved to the logs/ directory:

logs/
├── NTLMv1.txt              # NTLMv1 hashes (hashcat -m 5500)
├── NTLMv2.txt              # NTLMv2 hashes (hashcat -m 5600)
├── MSKerb.txt              # Kerberos hashes (hashcat -m 7500)
├── HTTP-Basic.txt          # HTTP Basic auth credentials
├── HTTP-PasswordFields.txt # HTTP form fields and API keys
├── FTP-Plaintext.txt       # FTP credentials
├── IRC-Plaintext.txt       # IRC credentials
├── SMTP-Plaintext.txt      # SMTP credentials
├── LDAP-Simple.txt         # LDAP Simple Bind credentials
├── MSSQL-Plaintext.txt     # MSSQL credentials
└── SNMPv1.txt              # SNMP community strings

Plus a session log:

CredentialDump-Session.log  # Complete session with timestamps

Examples

Extract NTLM Hashes

./Pcredz -f capture.pcap

# Output:
# 192.168.1.10:445 > 192.168.1.20:1024
# NTLMv2 complete hash is: admin::DOMAIN:1122334455667788:ABC123...

# Use with hashcat:
hashcat -m 5600 logs/NTLMv2.txt wordlist.txt

Live Capture

sudo ./Pcredz -i eth0 -v

# Captures and displays credentials in real-time
# Press Ctrl+C to stop

Bulk Processing

# Process all PCAPs in a directory tree
./Pcredz -d /forensics/network-captures/

# Parsing /forensics/network-captures/day1/morning.pcap...
# Parsing /forensics/network-captures/day1/afternoon.pcap...
# ...

Protocol Filtering

# Disable specific protocols (reduce noise)
./Pcredz -f capture.pcap --disable HTTP --disable SNMP

# Only capture NTLM hashes
./Pcredz -f capture.pcap --disable HTTP --disable FTP --disable IRC \
  --disable LDAP --disable SMTP --disable Kerberos --disable SNMP --disable MSSQL

# Focus on cleartext credentials only
./Pcredz -f capture.pcap --disable NTLM --disable Kerberos

Host Exclusion

# Exclude your own IP during live capture (common use case)
sudo ./Pcredz -i eth0 --exclude-host 192.168.1.50 -v

# Exclude multiple hosts
./Pcredz -f capture.pcap --exclude-host 192.168.1.100 --exclude-host 10.0.0.5

# Pentesting: capture target credentials, not your own
sudo ./Pcredz -i eth0 --exclude-host $(hostname -I | awk '{print $1}') -v

Performance

Optimizations

  • File I/O caching: Avoids redundant file reads (10-100x speedup)
  • Regex pre-compilation: Compiled patterns cached (2-5x speedup)
  • Smart deduplication: In-memory tracking of seen credentials
  • Link layer detection: Auto-detects and caches offset (minimal overhead)

Benchmarks

Typical performance on modern hardware:

  • Small files (<10MB): <1 second
  • Medium files (100MB): 5-10 seconds
  • Large files (1GB+): 1-2 minutes
  • Live capture: 5,000-10,000 packets/second

Troubleshooting

pcapy-ng Not Found

pip3 install pcapy-ng
# If that fails:
pip3 install --break-system-packages pcapy-ng

Permission Denied (Live Capture)

Live capture requires root privileges:

sudo ./Pcredz -i eth0

No Credentials Found

  • Verify the PCAP contains the expected protocols (use Wireshark)
  • Check that traffic isn't encrypted (HTTPS, SSH, etc.)
  • Try verbose mode (-v) to see all activity
  • Check the link layer type is supported

Contributing

Found a bug or want to add a feature? Contributions welcome!

  1. Test your changes thoroughly
  2. Follow the existing code style
  3. Add examples for new features
  4. Update documentation

License

GNU General Public License v3.0

Author

Laurent Gaffie