Merge pull request #1 from DanMcInerney/master

Update
colinmcintosh · Mar 5, 2015 · 82ab45d · 82ab45d
2 parents 1f54dc6 + e42b8f3
commit 82ab45d
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,9 @@
-Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification. Screenshots: http://imgur.com/opQo7Bb http://imgur.com/Kl5I6Ju
+Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification. 
+
+| Screenshots |
+|:-----:|
+| ![Screenie1](http://imgur.com/opQo7Bb.png) |
+| ![Screenie2](http://imgur.com/Kl5I6Ju.png) |
 
 ###Sniffs
 
@@ -37,6 +42,23 @@ Read from pcap
 ```python net-creds.py -p pcapfile```
 
 
+####OSX
+
+Credit to [epocs](https://github.com/epocs):
+```
+sudo easy_install pip
+sudo pip install scapy
+sudo pip install pcapy
+brew install libdnet --with-python
+mkdir -p /Users/<username>/Library/Python/2.7/lib/python/site-packages
+echo 'import site; site.addsitedir("/usr/local/lib/python2.7/site-packages")' >> /Users/<username>/Library/Python/2.7/lib/python/site-packages/homebrew.pth
+sudo pip install pypcap
+brew tap brona/iproute2mac
+brew install iproute2mac
+```
+Then replace line 74 '/sbin/ip' with '/usr/local/bin/ip'.
+
+
 ####Thanks
 * Laurent Gaffie
 * psychomario
diff --git a/net-creds.py b/net-creds.py
@@ -23,14 +23,14 @@
 #from IPython import embed
 
 ##########################
-# Future hashes to parse:
+# Potention ToDo:
 # MySQL seed:hash
 # VNC
 # Oracle?
 # Add file carving from dissectors.py
 #########################
 
-# Unintentional code contributor shoutouts:
+# Unintentional code contributors:
 #     Laurent Gaffie
 #     psychomario
 
@@ -48,12 +48,12 @@
 ftp_pw_re = r'PASS (.+)\r\n'
 irc_user_re = r'NICK (.+?)((\r)?\n|\s)'
 irc_pw_re = r'NS IDENTIFY (.+)'
+irc_pw_re2 = 'nickserv :identify (.+)'
 mail_auth_re = '(\d+ )?(auth|authenticate) (login|plain)'
 mail_auth_re1 =  '(\d+ )?login '
 NTLMSSP2_re = 'NTLMSSP\x00\x02\x00\x00\x00.+'
 NTLMSSP3_re = 'NTLMSSP\x00\x03\x00\x00\x00.+'
 # Prone to false+ but prefer that to false-
-#http_search_re = '((search|query|\?s|&q|\?q|search\?p|searchterm|keywords|command)=([^&][^&]*))'
 http_search_re = '((search|query|&q|\?q|search\?p|searchterm|keywords|keyword|command|terms|keys|question|kwd|searchPhrase)=([^&][^&]*))'
 
 #Console colors
@@ -183,16 +183,13 @@ def pkt_parser(pkt):
             mail_creds_found = mail_logins(full_load, src_ip_port, dst_ip_port, ack, seq)
 
             # IRC
-            irc_creds = irc_logins(full_load)
+            irc_creds = irc_logins(full_load, pkt)
             if irc_creds != None:
                 printer(src_ip_port, dst_ip_port, irc_creds)
                 return
 
             # Telnet
             telnet_logins(src_ip_port, dst_ip_port, load, ack, seq)
-            #if telnet_creds != None:
-            #    printer(src_ip_port, dst_ip_port, telnet_creds)
-            #    return
 
         # HTTP and other protocols that run on TCP + a raw load
         other_parser(src_ip_port, dst_ip_port, full_load, ack, seq, pkt, parse_args().verbose)
@@ -531,19 +528,22 @@ def mail_logins(full_load, src_ip_port, dst_ip_port, ack, seq):
     if found == True:
         return True
 
-def irc_logins(full_load):
+def irc_logins(full_load, pkt):
     '''
     Find IRC logins
     '''
     user_search = re.match(irc_user_re, full_load)
     pass_search = re.match(irc_pw_re, full_load)
+    pass_search2 = re.search(irc_pw_re2, full_load.lower())
     if user_search:
         msg = 'IRC nick: %s' % user_search.group(1)
         return msg
     if pass_search:
         msg = 'IRC pass: %s' % pass_search.group(1)
-        printer(src_ip_port, dst_ip_port, msg)
-        return pass_search
+        return msg
+    if pass_search2:
+        msg = 'IRC pass: %s' % pass_search2.group(1)
+        return msg
 
 def other_parser(src_ip_port, dst_ip_port, full_load, ack, seq, pkt, verbose):
     '''
@@ -910,19 +910,6 @@ def get_login_pass(body):
     if user and passwd:
         return (user, passwd)
 
-def decode64(str_load):
-    '''
-    Decode base64 strings
-    '''
-    #remove \r\n\r\n
-    load = str_load.replace(r'\r\n', '')
-    try:
-        decoded = base64.b64decode(load)#.replace('\x00', ' ')#[1:] # delete space at beginning
-    except TypeError:
-        decoded = None
-    if decoded != None:
-        print ' Decoded: %s' % decoded
-
 def printer(src_ip_port, dst_ip_port, msg):
     if dst_ip_port != None:
         print_str = '[%s > %s] %s%s%s' % (src_ip_port, dst_ip_port, T, msg, W)

diff --git a/requirements.txt b/requirements.txt
@@ -1 +1,3 @@
-scapy
+pypcap==1.1.1
+scapy==2.3.1
+wsgiref==0.1.2