Overview

When we launch continuous penetration testing in a new network, we don't want to raise suspicion of our presence.

For one thing, we may be able to get credentials without doing anything intrusive at all. To do it, we use packet captures and some external tooling. Below, we'll break down how to do it, along with a few of our favorite tools you can use.

Sniff The Network

To start a packet capture from terminal, do the following on your Dropbox:

  • Create a 'screen' session:

    screen -S pcap

  • Start the network capture for eight hours (the filter drops only the SSH session to your own address, so broadcast traffic from other hosts stays in the capture):

    timeout 28800 tcpdump -i $IFACE -w $DATE-capture.pcap "not (port 22 and host $YOURIP)"

  • Let it run for however long you would like. We recommend you run it for the full first workday when starting a network penetration test.

Analyzing Output

We’ve listed a few tools you can use on your host or local machine for testing. Doing all analysis on your local host provides a bit more flexibility and access to the Wireshark GUI.

Prebellico

Prebellico is a great tool for mapping a network and extracting sensitive information from pcap files. Run it against the packet capture collected above to extract information from it.

PCredz

PCredz does similar things as Prebellico but also has some extra regular-expression credential extraction features. Installing this tool can be cumbersome, so feel free to use the script below to get it installed on Debian-based distributions.

    0.6.4-1_amd64.deb    # download of python-libpcap_0.6.4-1_amd64.deb; the fetch command is truncated here
    dpkg -i python-libpcap_0.6.4-1_amd64.deb
    rm python-libpcap_0.6.4-1_amd64.deb

    git clone https://github.com/lgandx/PCredz.git
    cd PCredz

Use PCredz to extract data from our pcap file collected earlier.

    ./Pcredz -f file-to-parse.pcap | tee $DATE-pcredz.txt

NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP and IMAP credentials and hashes will be printed to stdout and saved to a file.

Termshark

Why use termshark? The tool's creator says it best:

"If you're debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, termshark can help!"

termshark in use

The tool termshark allows you to analyze pcap files on the terminal in an ncurses-like interface. Install termshark with the commands below (tcell and gowid are Go modules that go install fetches automatically; they are not apt packages).

    apt install tshark
    go install github.com/gcla/termshark/v2/cmd/termshark@latest

To read in a capture file to termshark use the command below.

    termshark -r $PCAPFILE

Look for the following during analysis with termshark:

  • DHCPv6 broadcasts (mitm6)

  • NetBIOS / LLMNR broadcasts (Responder)

  • Internal webservers with plaintext login forms

  • Peak user activity timeframes

Knowing this up front avoids attempting attacks that cannot work in this environment in the first place.
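The same checks, scripted as a defender's triage of a capture: an added example that is not the post's or any tool's own code. It works on raw Ethernet frames (as read from a pcap) and, so that it runs offline, builds its own sample frames; the addresses, hostnames and the Basic token are constructed, not from any real network.

```python
import struct
from collections import Counter
from ipaddress import ip_address
# Added example, not the post's or any tool's code: label frames with the exposures
# the post lists; the sample frames below are constructed, not from a real network.
def classify_frame(frame):
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:                       # IPv4: protocol at +9, dst at +16
        ihl = (frame[14] & 0x0F) * 4
        proto, dst, l4 = frame[23], str(ip_address(frame[30:34])), frame[14 + ihl:]
    elif ethertype == 0x86DD:                     # IPv6: fixed 40-byte header, no extensions
        proto, dst, l4 = frame[20], str(ip_address(frame[38:54])), frame[54:]
    else:
        return None
    if proto == 17:                               # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        if dport == 5355 and dst == "224.0.0.252":
            return "LLMNR query (Responder-style poisoning exposure)"
        if dport == 137 and dst.endswith(".255"):
            return "NetBIOS name query broadcast (Responder-style poisoning exposure)"
        if (sport, dport) == (546, 547) and dst == "ff02::1:2":
            return "DHCPv6 solicit (mitm6-style rogue DHCPv6 exposure)"
    elif proto == 6:                              # TCP: cleartext HTTP Basic auth
        data_offset = (l4[12] >> 4) * 4
        if b"\r\nAuthorization: Basic " in l4[data_offset:]:
            return "HTTP Basic credentials sent in cleartext"
    return None

def audit(frames):
    # Count findings over an iterable of raw frames, e.g. every record of a pcap.
    return Counter(label for label in map(classify_frame, frames) if label)
# Minimal frame builders for the constructed samples; checksums are left at zero.
def eth_ip4(proto, src, dst, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + hdr + l4
def eth_ip6(src, dst, l4):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(l4), 17, 64,
                      ip_address(src).packed, ip_address(dst).packed)
    return b"\x33\x33\x00\x01\x00\x02" + b"\x02" * 6 + b"\x86\xdd" + hdr + l4
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload

SAMPLE_FRAMES = [  # constructed: one frame per exposure the post tells you to look for
    eth_ip4(17, "10.0.0.5", "224.0.0.252", udp(51000, 5355, b"\x12\x34\x00\x00\x00\x01" + b"\x00" * 6 + b"\x06fsrv01\x00\x00\x01\x00\x01")),
    eth_ip4(17, "10.0.0.5", "10.0.0.255", udp(137, 137, b"\x82\x28\x01\x10\x00\x01" + b"\x00" * 6)),
    eth_ip6("fe80::1", "ff02::1:2", udp(546, 547, b"\x01\x00\x00\x01")),
    eth_ip4(6, "10.0.0.5", "10.0.0.20", tcp(40000, 80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n\r\n")),
]
```

Each finding maps to a fix the capture can later verify: disable LLMNR/NetBIOS name resolution, block or filter DHCPv6 where it is unused, and move internal logins to HTTPS.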


References

unixrox/prebellico: 100% Passive Network Reconnaissance Tool. When attacking, or defending, modern internal networks, intelligence is everything. Understanding the environment to the best possible degree can be the difference between successfully penetrating, or defending, the target environment.

https://github.com/unixrox/prebellico

lgandx/PCredz: This tool extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc. from a pcap file.

https://github.com/lgandx/PCredz

gcla/termshark: A terminal user-interface for tshark, inspired by Wireshark. V2.1 is out now with conversations, packet coloring and more! See the ChangeLog.

https://github.com/gcla/termshark

pcap(3PCAP) manpage (updated 29 January 2020): pcap - Packet Capture library. The Packet Capture library provides a high level interface to packet capture systems. All packets on the network, even those destined for other hosts, are accessible through this mechanism.

https://www.tcpdump.org/manpages/pcap.3pcap.html