Extracting Passwords from the Network
Credential Hunting in Network Traffic
The table below lists several common protocols alongside their encrypted counterparts. The secure versions are the norm today, but the plaintext variants were widely used for years and still turn up on internal networks, where they hand credentials to anyone able to capture traffic.

Protocol | Encrypted counterpart | Purpose
--- | --- | ---
HTTP | HTTPS | Transfers web pages and resources.
FTP | FTPS (FTP over TLS) or SFTP (file transfer over SSH, a separate protocol rather than FTP with encryption) | Transfers files between a client and a server.
SNMP (v1/v2c) | SNMPv3 in authPriv mode (authentication plus encryption) | Monitors and manages network devices such as routers and switches. v1/v2c community strings travel in cleartext.
POP3 | POP3S | Retrieves email from a mail server to a local client.
IMAP | IMAPS | Accesses and manages email messages directly on the mail server.
SMTP | SMTPS (or SMTP with STARTTLS) | Sends email from client to server or between mail servers.
LDAP | LDAPS (or LDAP with StartTLS) | Queries and modifies directory services, including user accounts and roles. Simple binds over plain LDAP send the password in cleartext.
RDP | RDP with TLS (and Network Level Authentication) | Provides remote desktop access to Windows systems.
DNS (traditional, port 53) | DNS over HTTPS (DoH) or DNS over TLS (DoT) | Resolves domain names to IP addresses.
SMB | SMB 3.x with SMB encryption enabled (SMB does not use TLS; SMB 3.0 introduced its own AES-based message encryption) | Shares files, printers, and other resources over a network.
VNC | VNC tunneled over TLS or SSH | Allows graphical remote control of another computer.
Wireshark
Wireshark is a well-known packet analyzer that comes pre-installed in nearly all penetration testing Linux distributions. It features a powerful filter engine that allows for efficient searching through both live and captured network traffic. Some basic but useful filters include:
Filter | What it matches
--- | ---
ip.addr == 56.48.210.13 | Packets to or from a specific IP address.
tcp.port == 80 | Packets to or from a specific TCP port (HTTP in this case).
http | HTTP traffic only.
dns | DNS traffic, useful for watching which names a host resolves.
tcp.flags.syn == 1 && tcp.flags.ack == 0 | Bare SYN packets (the first step of the TCP handshake); useful for spotting scans or connection attempts.
icmp | ICMP packets (ping and friends), useful for reconnaissance or for troubleshooting network issues.
http.request.method == "POST" | HTTP POST requests. When a login form is submitted over unencrypted HTTP, the POST body often carries the username and password in cleartext.
tcp.stream eq 53 | A single TCP stream (one conversation between two endpoints), as numbered by Wireshark.
eth.addr == 00:11:22:33:44:55 | Packets to or from a specific MAC address.
ip.src == 192.168.24.3 && ip.dst == 56.48.210.3 | Traffic in one direction between two specific hosts; swap src and dst, or use ip.addr for both, to see the reverse direction as well.
For example, in the image below we are applying the display filter http to show only unencrypted HTTP traffic.

In Wireshark, it's also possible to locate packets that contain specific bytes or strings. One way to do this is with a display filter such as http contains "passw", which restricts the match to HTTP packets; contains is case-sensitive, so http matches "(?i)passw" is the case-insensitive regular-expression variant. Alternatively, you can navigate to Edit > Find Packet and enter the search string manually. For example, you might search for packets containing the string "passw", as in the image below:

Once a hit is found, right-click the packet and choose Follow > TCP Stream to read the whole conversation; the complete login exchange (for example an FTP USER command followed by PASS) is usually only obvious at the stream level.

It's worth familiarizing yourself with the syntax of Wireshark's display filters, especially if you ever need to perform network traffic analysis.
Pcredz
Pcredz is a tool that can be used to extract credentials from live traffic or network packet captures. Specifically, it supports extracting the following information:
Credit card numbers
POP credentials
SMTP credentials
IMAP credentials
SNMP community strings
FTP credentials
Credentials from HTTP NTLM/Basic headers, as well as HTTP Forms
NTLMv1/v2 hashes from various traffic including DCE-RPC, SMBv1/2, LDAP, MSSQL, and HTTP
Kerberos (AS-REQ Pre-Auth etype 23) hashes
To run Pcredz, either clone the repository and install its dependencies, or use the Docker container described in the Install section of the README file.
The following command can be used to run Pcredz against a packet capture file:
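What Wireshark's contains filter does by hand and Pcredz does by tool can be reproduced in a few dozen lines. The script below is an added example written for this page; it is not Pcredz's code and did not appear in the original text. It parses a classic libpcap file (not pcapng, so convert demo.pcapng first with editcap -F pcap or tshark -F pcap), joins each TCP flow's payloads in capture order, and reports FTP logins, HTTP Basic Authorization headers and password-looking fields from HTTP form POSTs. The capture it runs against by default is constructed in memory; every host, port and credential in it is made up.

```python
"""Pcredz-style credential extraction from a libpcap capture (added example,
not Pcredz's own code). Standard library only; libpcap format, not pcapng.
Finds FTP USER/PASS pairs, HTTP Basic headers and HTTP POST form passwords.
The sample capture below is constructed; pass a real file path as argv[1]."""
import base64
import re
import struct
from collections import defaultdict
from urllib.parse import parse_qs

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian libpcap, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
PASSWORD_KEYS = ("passw", "pwd", "secret", "token")  # form field names worth reporting

FTP_RE = re.compile(rb"^(USER|PASS) (.+?)\r?$", re.M)
BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", re.I)
POST_RE = re.compile(rb"^POST (\S+) HTTP/1\.[01]\r\n(.*?)\r\n\r\n(.*)", re.S | re.M)


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a raw Ethernet/IPv4/TCP frame for the constructed sample (checksums left 0)."""
    eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap raw Ethernet frames in a libpcap file: global header plus one record each."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap_bytes):
    """Yield (src, sport, dst, dport, payload) for every TCP segment that carries data."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("expected a little-endian libpcap file (pcapng is not supported)")
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack("<I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != struct.pack("!H", ETHERTYPE_IPV4):
            continue
        ip = frame[14:]
        if ip[9] != IPPROTO_TCP:
            continue
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset in 32-bit words)
        if payload:
            yield ".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport, payload


def reassemble_flows(pcap_bytes):
    """Concatenate payloads per (src, sport, dst, dport). Assumes in-order delivery and no
    retransmissions, which holds for the sample; a real tool orders by sequence number."""
    flows = defaultdict(bytes)
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap_bytes):
        flows[(src, sport, dst, dport)] += payload
    return flows


def hunt_credentials(pcap_bytes):
    """Return [(kind, 'src:sport -> dst:dport', detail), ...] for everything found."""
    findings = []
    for (src, sport, dst, dport), data in reassemble_flows(pcap_bytes).items():
        where = f"{src}:{sport} -> {dst}:{dport}"
        if dport == 21:  # FTP control channel: USER then PASS, both in cleartext
            cmds = dict(FTP_RE.findall(data))
            if b"USER" in cmds and b"PASS" in cmds:
                findings.append(("ftp", where, f"{cmds[b'USER'].decode()}:{cmds[b'PASS'].decode()}"))
        for token in BASIC_RE.findall(data):  # Basic auth is base64, not encryption
            try:
                findings.append(("http-basic", where, base64.b64decode(token, validate=True).decode()))
            except (ValueError, UnicodeDecodeError):
                continue  # malformed token: skip it rather than abort the whole capture
        for path, _headers, body in POST_RE.findall(data):  # form logins over plain HTTP
            for key, values in parse_qs(body.decode(errors="replace")).items():
                if any(k in key.lower() for k in PASSWORD_KEYS):
                    findings.append(("http-form", where, f"{path.decode()} {key}={values[0]}"))
    return findings


# Constructed sample: an FTP login, an HTTP Basic request and a form POST. Not real traffic.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.24.3", "192.168.24.10", 50101, 21, b"USER alice\r\n"),
    build_frame("192.168.24.3", "192.168.24.10", 50101, 21, b"PASS s3cret!\r\n"),
    build_frame("192.168.24.3", "192.168.24.20", 50102, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    build_frame("192.168.24.3", "192.168.24.20", 50103, 80,
                b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 34\r\n\r\n"
                b"username=carol&password=P%40ssw0rd"),
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for kind, where, detail in hunt_credentials(blob):
        print(f"[{kind}] {where}  {detail}")
```

Running it without arguments prints the three constructed findings; running it with a capture converted to libpcap format reports whatever cleartext FTP and HTTP logins that file contains. The flow reassembly deliberately ignores sequence numbers, which is why the comment calls it out: on a real capture with retransmissions or out-of-order segments a USER/PASS pair can be split or duplicated, and a tool such as Pcredz or Wireshark's Follow TCP Stream handles that properly.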
Lab - Questions
Download the attached credential-hunting-in-network-traffic archive and extract the demo.pcapng file, then use Wireshark or Pcredz to answer the following questions.
The packet capture contains cleartext credit card information. What is the number that was transmitted?

What is the SNMPv2 community string that was used?
Git clone and install Pcredz

What is the password of the user who logged into FTP?

What file did the user download over FTP?

Credential Hunting in Network Shares - Windows
Common credential patterns
Before diving into specialized tools, it's important to understand the types of patterns and file formats that often reveal sensitive information. This was covered in earlier sections, so we won't repeat it in detail here. But as a quick reminder, here are some general tips:
- Look for keywords within files such as passw, user, token, key, and secret.
- Search for files with extensions commonly associated with stored credentials, such as .ini, .cfg, .env, .xlsx, .ps1, and .bat.
- Watch for files with "interesting" names that include terms like config, user, passw, cred, or initial.
- If you're trying to locate credentials within the INLANEFREIGHT.LOCAL domain, it may be helpful to search for files containing the string INLANEFREIGHT\, since a domain-qualified account name is often written right next to its password.
- Keywords should be localized based on the target; if you are attacking a German company, its files are more likely to say "Benutzer" than "User".
- Pay attention to the shares you are looking at, and be strategic. If you scan ten shares with thousands of files each, it's going to take a significant amount of time. Shares used by IT employees might be a more valuable target than those used for company photos.
With all of this in mind, you may want to begin with basic command-line searches (e.g., Get-ChildItem -Recurse -Include *.ext \\Server\Share | Select-String -Pattern ...) before scaling up to more advanced tools. Let's take a look at how we can use Snaffler, PowerHuntShares, MANSPIDER, and NetExec to automate and enhance this credential hunting process.
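As an added example (not code from this page, nor from Snaffler, PowerHuntShares, MANSPIDER or NetExec), the following script turns the checklist above into a small scanner: interesting extensions and filename terms flag a file by name, text contents are checked for the keywords (with German Benutzer and Kennwort added as the localization example), a DOMAIN\ prefix pulls out domain-qualified account names, and include_dirs restricts the walk to the shares worth the time. It runs against a constructed directory tree; the paths, accounts and passwords in it are invented. Point it at a mounted share path to use it for real, and expect the user keyword to produce exactly the false positives the text warns about.

```python
"""Keyword, extension and filename based credential hunting over a directory tree.
Added example for this page; not the code of any of the tools it discusses.
The sample share is constructed in a temp directory so the script runs offline."""
import os
import re
import tempfile
from pathlib import Path

INTERESTING_EXTENSIONS = {".ini", ".cfg", ".env", ".xlsx", ".ps1", ".bat"}
INTERESTING_NAME_TERMS = ("config", "user", "passw", "cred", "initial")
# Content keywords from the text plus a German localisation (Benutzer/Kennwort) as an example.
CONTENT_KEYWORDS = ("passw", "user", "token", "key", "secret", "benutzer", "kennwort")
MAX_CONTENT_BYTES = 5 * 1024 * 1024  # larger files are flagged by name/extension only


def build_patterns(domain=None, extra_keywords=()):
    """Compile the keyword regex and, if a domain is given, a DOMAIN\\account pattern."""
    words = [re.escape(w) for w in (*CONTENT_KEYWORDS, *extra_keywords)]
    kw = re.compile("|".join(words), re.I)
    dom = re.compile(re.escape(domain) + r"\\[A-Za-z0-9._$-]+", re.I) if domain else None
    return kw, dom


def scan_file(path, kw, dom):
    """Return the list of reasons a file is interesting; an empty list means skip it."""
    reasons = []
    name = path.name.lower()
    if path.suffix.lower() in INTERESTING_EXTENSIONS:
        reasons.append(f"extension {path.suffix.lower()}")
    reasons += [f"name contains '{t}'" for t in INTERESTING_NAME_TERMS if t in name]
    try:
        if path.stat().st_size > MAX_CONTENT_BYTES:
            return reasons
        data = path.read_bytes()
    except OSError:
        return reasons  # unreadable (permissions, locked file): keep the name-based hits
    if b"\x00" in data[:1024]:
        return reasons  # binary (images, office zips): content search would be noise
    for lineno, line in enumerate(data.decode("utf-8", errors="replace").splitlines(), 1):
        m = dom.search(line) if dom else None
        if m:
            reasons.append(f"line {lineno}: domain account {m.group(0)}")
        elif kw.search(line):
            reasons.append(f"line {lineno}: {line.strip()[:80]}")
    return reasons


def hunt_share(root, domain=None, extra_keywords=(), include_dirs=None):
    """Walk `root` and return {relative posix path: [reasons]}. `include_dirs` limits the
    scan to the named top-level folders (the 'be strategic about shares' advice)."""
    kw, dom = build_patterns(domain, extra_keywords)
    root = Path(root)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        top = Path(dirpath).relative_to(root).parts
        if include_dirs and top and top[0] not in include_dirs:
            continue
        for fname in files:
            p = Path(dirpath) / fname
            reasons = scan_file(p, kw, dom)
            if reasons:
                hits[p.relative_to(root).as_posix()] = reasons
    return hits


def make_sample_share():
    """Create a constructed share layout in a temp dir (invented accounts and passwords)."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "IT").mkdir()
    (root / "Photos").mkdir()
    (root / "IT" / "backup.ps1").write_text(
        "$cred = New-Object PSCredential('INLANEFREIGHT\\svc_backup', "
        "(ConvertTo-SecureString 'Sommer2025!' -AsPlainText -Force))\n")
    (root / "IT" / "app.ini").write_text("[db]\nhost=sql01\nuser=appuser\npassword=Winter2024\n")
    (root / "IT" / "readme.txt").write_text("Benutzer: hmuller\nKennwort: Fruehling!\n")
    (root / "Photos" / "team.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF")
    (root / "Photos" / "notes.txt").write_text("Pictures from the summer party.\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_share()
    for rel, reasons in hunt_share(target, domain="INLANEFREIGHT").items():
        print(rel)
        for r in reasons:
            print("   ", r)
```

On the sample tree the three files under IT are reported (the PowerShell script by extension and by its INLANEFREIGHT\svc_backup reference, the .ini by extension and by its user and password lines, the readme only by the German keywords), while the JPEG is skipped as binary and the photo note matches nothing; restricting the walk to Photos yields no hits at all, which is the point of choosing shares before scanning.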
Snaffler
The first tool we will cover is Snaffler. This is a C# program that, when run on a domain-joined machine, automatically identifies accessible network shares and searches them for interesting files. The README file in the GitHub repository describes the numerous configuration options in great detail; a basic search can be carried out like so:
All of the tools covered in this section output a large amount of information. While they assist with automation, a fair amount of manual review is typically required, as many matches turn out to be false positives. Two useful parameters that help refine Snaffler's search process are:
- -u retrieves a list of users from Active Directory and searches for references to them in files
- -i and -n allow you to specify which shares should be included in the search
PowerHuntShares
Another tool that can be used is PowerHuntShares, a PowerShell script that does not need to be run on a domain-joined machine. One of its most useful features is that it generates an HTML report upon completion, providing an easy-to-use UI for reviewing the results, as shown below:

We can run a basic scan using PowerHuntShares like so:
Credential Hunting in Network Shares - Linux
MANSPIDER
If we don't have access to a domain-joined computer, or simply prefer to search for files remotely, tools like MANSPIDER allow us to scan SMB shares from Linux. It's best to run MANSPIDER using the official Docker container to avoid dependency issues. Like the other tools, MANSPIDER offers many parameters that can be configured to fine-tune the search. A basic scan for files containing the string passw can be run as follows:
NetExec
In addition to its many other uses, NetExec can search through network shares with the --spider option. This functionality is described in detail on the official wiki. A basic scan of network shares for files containing the string "passw" can be run like so:
Lab - Questions
Use the credentials mendres:Inlanefreight2025! to connect to the target either by RDP or WinRM, then use the tools and techniques taught in this section to answer the questions below. For your convenience, Snaffler and PowerHuntShares can be found in C:\Users\Public.
One of the shares mendres has access to contains valid credentials of another domain user. What is their password?
Firstly, I will connect via RDP:


As this user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?
With the new credential, I will connect as that user via RDP:

Now, search for "Administrator" using PowerShell:
