> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/credential-hunting-in-network/credential-hunting-in-network-traffic.md).

# Credential Hunting in Network Traffic

### Overview

Most modern applications use TLS, but legacy systems, misconfigured services, and test environments still expose plaintext protocols. When traffic is unencrypted, credentials pass over the wire in cleartext and can be captured passively.

***

### Plaintext vs Encrypted Protocols

| Unencrypted | Encrypted Counterpart    | Purpose                               |
| ----------- | ------------------------ | ------------------------------------- |
| HTTP        | HTTPS                    | Web pages and resources               |
| FTP         | FTPS / SFTP              | File transfer                         |
| SNMP        | SNMPv3 (with encryption) | Network device monitoring             |
| POP3        | POP3S                    | Email retrieval                       |
| IMAP        | IMAPS                    | Email access/management               |
| SMTP        | SMTPS                    | Email sending                         |
| LDAP        | LDAPS                    | Directory services / user credentials |
| RDP         | RDP with TLS             | Remote desktop (Windows)              |
| DNS         | DNS over HTTPS (DoH)     | Domain name resolution                |
| SMB         | SMB over TLS (SMB 3.0)   | File/printer sharing                  |
| VNC         | VNC with TLS/SSL         | Graphical remote control              |

> Focus on these during internal network assessments — legacy infrastructure and test environments frequently still run unencrypted versions.

***

### Wireshark

Wireshark is a packet analyzer pre-installed on most pentest distros. Works on both live captures and saved `.pcap`/`.pcapng` files.

#### Useful Display Filters

| Filter                                           | Purpose                                                   |
| ------------------------------------------------ | --------------------------------------------------------- |
| `ip.addr == 56.48.210.13`                        | All traffic to/from a specific IP                         |
| `tcp.port == 80`                                 | Traffic on a specific port                                |
| `http`                                           | All HTTP traffic                                          |
| `dns`                                            | All DNS traffic                                           |
| `tcp.flags.syn == 1 && tcp.flags.ack == 0`       | SYN packets — detect scanning/connection attempts         |
| `icmp`                                           | Ping traffic — recon/network issues                       |
| `http.request.method == "POST"`                  | HTTP POST requests — may contain credentials in cleartext |
| `tcp.stream eq 53`                               | Follow a specific TCP conversation                        |
| `eth.addr == 00:11:22:33:44:55`                  | Traffic from/to a specific MAC                            |
| `ip.src == 192.168.1.1 && ip.dst == 192.168.1.2` | Traffic between two specific hosts                        |

#### Searching for Credentials

**Method 1 — Display filter:**

```
http contains "passw"
```

**Method 2 — Manual search:**

```
Edit → Find Packet → search string "passw"
```

HTTP POST requests over unencrypted HTTP will contain form field data in plaintext — username and password fields are directly readable in the packet body.

***

### Pcredz

Automated credential extraction tool. Works against live traffic or saved capture files.

#### What It Extracts

* Credit card numbers
* FTP credentials
* POP / SMTP / IMAP credentials
* SNMP community strings
* HTTP Basic auth / NTLM headers
* HTTP form credentials
* NTLMv1/v2 hashes (DCE-RPC, SMBv1/2, LDAP, MSSQL, HTTP)
* Kerberos AS-REQ Pre-Auth hashes (etype 23)

#### Running Against a Capture File

```bash
./Pcredz -f demo.pcapng -t -v
```

| Flag | Meaning                            |
| ---- | ---------------------------------- |
| `-f` | Input pcap/pcapng file             |
| `-t` | Enable credit card number scanning |
| `-v` | Verbose output                     |

#### Example Output

```
Found SNMPv2 Community string: s3cr...
FTP User: le...
FTP Pass: qw...
```

#### Installation

Either clone the repo and install dependencies, or use the provided Docker container (see the README).

***

### Workflow

```
Gain network access / receive pcap file
        │
        ├── Wireshark
        │       ├── Filter: http, ftp, snmp, ldap
        │       ├── Filter: http.request.method == "POST"
        │       └── Search: Edit → Find Packet → "passw"
        │
        └── Pcredz
                └── ./Pcredz -f capture.pcapng -t -v
                        └── Auto-extracts: FTP, SNMP, HTTP forms,
                            NTLM hashes, Kerberos hashes
```

***

### Key Takeaways

* **HTTP POST** over plain HTTP is the most common credential exposure — form logins pass username/password in the request body unencrypted
* **SNMP community strings** act as passwords for network device access — often left at defaults (`public`, `private`) or weak values
* **FTP** sends credentials in cleartext by design — always worth capturing on internal networks
* **NTLMv2 hashes** captured from SMB/HTTP traffic can be cracked offline with hashcat (`-m 5600`) or relayed directly
* **Kerberos AS-REQ hashes** (etype 23) from captures can be cracked offline — same as Kerberoasting output


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/credential-hunting-in-network/credential-hunting-in-network-traffic.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
