tshark filter script to get WPA-EAP identities, EAP certificates, HTTP passwords, 4-way handshakes (messages 1 and 2), DNS queries, NBT-NS queries and LLMNR queries from a capture. Reading a file or a folder (note: the revision shown below takes a single capture file via -f; directory input is not handled by this code).
  
        
  
    
    
  
  
    
#!/bin/bash
# Print the usage text (to stdout, so `-h` output can be paged or grepped).
# $0 is the invoked script path; everything else is static option help.
help () {
  cat <<EOF
$0 -f <pcap> [OPTION]
-f <pcap>: Read pcap
-h : help
OPTIONS:
-A : all
-P : Get HTTP POST passwords (HTTP)
-I : Filter WPA-EAP Identity
-C : Export EAP certs
-H : Get Handshakes 1 and 2
-D : Get DNS querys
-R : Responder vulnerable protocols (NBT-NS + LLMNR)
-N : Get NBT-NS querys
-L : Get LLMNR querys

EOF
}
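# --- preflight ------------------------------------------------------------
# Every flag is initialised below, so an unset variable is a bug: let bash
# report it instead of silently expanding to "".
set -u

# The old `[ ! -x $(which tshark) ]` collapses to `[ ! -x ]` when `which`
# prints nothing, and a two-argument test merely checks that the string "-x"
# is non-empty, so a missing tshark was never detected (and the script then
# exited 0, hiding the failure from callers).
if ! command -v tshark >/dev/null 2>&1; then
  printf 'tshark not installed\n' >&2
  exit 127
fi

HELP='' FILE='' ALL='' PASSWORDS='' IDENTITY='' HANDSHAKES='' DNS='' NBTNS='' LLMNR='' CERT=''

# Leading ':' puts getopts in silent mode: an unknown option or a missing
# -f argument reaches our own ':' / '?' arms instead of being reported by
# getopts and then ignored.
while getopts ':hf:APIHDRNLC' flag; do
  case "${flag}" in
    h) HELP=true ;;
    f) FILE=${OPTARG} ;;
    A) ALL=true ;;
    P) PASSWORDS=true ;;
    I) IDENTITY=true ;;
    H) HANDSHAKES=true ;;
    D) DNS=true ;;
    R) NBTNS=true; LLMNR=true ;;
    N) NBTNS=true ;;
    L) LLMNR=true ;;
    C) CERT=true ;;
    :) printf 'Option -%s requires an argument\n\n' "${OPTARG}" >&2; help; exit 2 ;;
    \?) printf 'Unknown option -%s\n\n' "${OPTARG}" >&2; help; exit 2 ;;
  esac
done

if [[ "$HELP" = true ]]; then
  help
  exit 0
fi

if [[ -z "$FILE" ]]; then
  echo "File needed"
  echo
  help
  exit 1
fi
# Fail once, up front, rather than letting every tshark call below print its
# own "No such file". A directory is rejected: this script reads one capture.
if [[ -d "$FILE" ]]; then
  printf '%s is a directory; pass a single capture file\n' "$FILE" >&2
  exit 1
elif [[ ! -r "$FILE" ]]; then
  printf 'Cannot read %s\n' "$FILE" >&2
  exit 1
fi

if [[ -z "$ALL" && -z "$PASSWORDS" && -z "$IDENTITY" && -z "$HANDSHAKES" \
   && -z "$DNS" && -z "$NBTNS" && -z "$LLMNR" && -z "$CERT" ]]; then
  echo "Argument needed"
  help
  exit 2
fi
# The former `[ "$#" -lt 3 ]` guard is intentionally gone: the check above
# already rejects "no extractor selected", and counting argv wrongly refused
# combined options such as `-Af capture.pcap`.

if [[ -n "$ALL" ]]; then
  PASSWORDS=true; IDENTITY=true; HANDSHAKES=true; DNS=true
  NBTNS=true; LLMNR=true; CERT=true
fi

# Private scratch directory for stderr captures. The fixed /tmp/error used
# before is world-predictable: any local user can pre-create or symlink it,
# and concurrent runs would clobber each other.
WORKDIR=$(mktemp -d) || exit 1
trap 'rm -rf -- "$WORKDIR"' EXIT

# Section banner, same shape as the original `echo -e "\n\t...\n"`.
section() { printf '\n\t%s\n\n' "$1"; }

# --- extractors -----------------------------------------------------------

# HTTP credentials. Reads $FILE; writes matches to stdout.
# The POST filter is a deliberately loose heuristic ("pass" in the body or
# request line, or "login" anywhere in the TCP payload) — expect noise.
get_http_passwords() {
  section "Get POST passwords"
  tshark -nr "$FILE" \
    -Y 'http.request.method == POST and (lower(http.file_data) contains "pass" or lower(http.request.line) contains "pass" or tcp contains "login")' \
    -T fields -e http.file_data -e http.request.full_uri
  # Authorization headers as sent on the wire. Basic is only base64, so the
  # credentials are directly readable; other schemes are still worth triage.
  section "Get HTTP Authorization headers"
  tshark -nr "$FILE" -Y 'http.authorization' \
    -T fields -e ip.src -e http.request.full_uri -e http.authorization
}

# Cleartext EAP outer identities. Reads $FILE; prints unique
# "dst<TAB>src<TAB>identity" rows, then any tshark stderr after the table so
# errors do not interleave with the sorted output.
# eap.code 2 = Response, eap.type 1 = Identity — the supplicant sends this
# before any TLS tunnel exists, so the username is visible to anyone sniffing.
# Only wlan.* addresses are printed; wired 802.1X frames would need eth.*.
get_eap_identities() {
  local errfile="$WORKDIR/eap-identity.stderr"
  section "Get WPA-EAP Identities"
  printf 'DESTINATION\t\tSOURCE\t\t\tIDENTITY\n'
  tshark -nr "$FILE" -Y "eap.type == 1 && eap.code == 2" \
    -T fields -e wlan.da -e wlan.sa -e eap.identity 2>"$errfile" | sort -u
  cat -- "$errfile"
}

# WPA 4-way handshake messages 1 and 2 (ANonce from the AP, SNonce + MIC
# from the station), which is the pair an offline PSK cracker needs.
# Reads $FILE; prints tshark's one-line packet summaries.
get_handshakes() {
  section "Get Handshakes in pcap"
  tshark -nr "$FILE" \
    -Y "wlan_rsna_eapol.keydes.msgnr == 1 or wlan_rsna_eapol.keydes.msgnr == 2"
}

# DNS queries. Reads $FILE; prints "ip.src<TAB>ipv6.src<TAB>name" (one of the
# two address columns is empty depending on IP version).
# `dns.flags.response == 0` selects every query; the previous exact match on
# `dns.flags == 0x0100` silently dropped queries with any other header bit
# set (e.g. AD/CD from modern resolvers).
get_dns_queries() {
  section "Get DNS querys"
  tshark -nr "$FILE" -Y "dns.flags.response == 0" \
    -T fields -e ip.src -e ipv6.src -e dns.qry.name
}

# NBT-NS name queries — the traffic Responder poisons. Reads $FILE; prints
# "ip.src<TAB>name". `nbns` is the registered display-filter name for
# NetBIOS Name Service ("NBT-NS" is Responder's label, not a filter name);
# responses are excluded so a poisoner's answers are not listed as victims.
get_nbtns_queries() {
  section "Get NBTNS querys in file to responder"
  tshark -nr "$FILE" -Y "nbns and nbns.flags.response == 0" \
    -T fields -e ip.src -e nbns.name
}

# LLMNR name queries. Reads $FILE; prints "ip.src<TAB>ipv6.src<TAB>name".
# LLMNR is usually sent to ff02::1:3 as well as 224.0.0.252, so the IPv6
# source must be printed or half the victims disappear from the list.
get_llmnr_queries() {
  section "Get LLMNR querys in file to responder"
  tshark -nr "$FILE" -Y "llmnr and dns.flags.response == 0" \
    -T fields -e ip.src -e ipv6.src -e dns.qry.name
}

# Based on https://gist.github.com/Cablethief/a2b8f0f7d5ece96423ba376d261bd711
# Server certificates sent inside EAP-TLS/PEAP/TTLS. Reads $FILE; writes one
# DER file per certificate into the current directory (named after the
# capture, via mktemp) and prints the decoded certificate to stdout.
# NOTE(review): the field was renamed to tls.handshake.certificate in
# Wireshark 3.0; the ssl. prefix is kept as an alias on the versions I have
# seen — switch the name if your tshark rejects it.
get_eap_certs() {
  local outbase hexcert derfile
  section "Export EAP certs"
  # The original derived the name from $2, which is only the capture path
  # when -f happens to be the first argument.
  outbase=$(basename -- "$FILE")
  # With -T fields, several certificates in one packet (the chain) are joined
  # by "," — split them so every DER blob is decoded on its own, instead of
  # word-splitting a $(...) and feeding the comma into xxd.
  tshark -nr "$FILE" -Y "ssl.handshake.certificate and eapol" \
      -T fields -e ssl.handshake.certificate \
    | tr ',' '\n' \
    | while IFS= read -r hexcert; do
        [[ -n "$hexcert" ]] || continue
        # "./" keeps a capture name starting with "-" from being read as an
        # option; the file still lands in the current directory as before.
        derfile=$(mktemp "./${outbase}.cert.XXXX.der") || continue
        printf '%s\n' "$hexcert" | tr -d ':' | xxd -ps -r > "$derfile"
        printf 'Wrote %s\n' "$derfile"
        openssl x509 -inform der -in "$derfile" -text
      done
}

# --- run the selected extractors, in the original order ------------------
if [[ -n "$PASSWORDS" ]];  then get_http_passwords; fi
if [[ -n "$IDENTITY" ]];   then get_eap_identities; fi
if [[ -n "$HANDSHAKES" ]]; then get_handshakes; fi
if [[ -n "$DNS" ]];        then get_dns_queries; fi
if [[ -n "$NBTNS" ]];      then get_nbtns_queries; fi
if [[ -n "$LLMNR" ]];      then get_llmnr_queries; fi
if [[ -n "$CERT" ]];       then get_eap_certs; fi

# TODO
#- Passwords: FTP, TFTP, SMB, SMB2, SMTP, POP3, IMAP
#- Identities over wired 802.1X (eth.src/eth.dst instead of wlan.*)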
  