Last active
June 2, 2025 03:41
Revisions
-
r4ulcl revised this gist
Jul 6, 2024 . 1 changed file with 1 addition and 1 deletion.
@@ -1,6 +1,6 @@ #!/bin/bash #author : Raul Calvo Laorden (me@r4ulcl.com) #description : Script to get WPA-EAP Identities, EAP certs, HTTP passwords, Handshakes, DNS queries, NBTNS queries and LLMNR queries #date : 2021-06-24 #usage : bash pcapFilter.sh -f <pcap/folder> [options] -
r4ulcl revised this gist
Feb 28, 2024 . 1 changed file with 14 additions and 4 deletions.
@@ -82,21 +82,31 @@ filter () { # https://gist.github.com/Cablethief/a2b8f0f7d5ece96423ba376d261bd711 if [ ! -z "$CERT" ] ; then tmpbase=$(basename $FILE) mkdir /tmp/certs/ tshark -r $FILE \ -Y "ssl.handshake.certificate and eapol" \ -T fields -e "tls.handshake.certificate" -e "wlan.sa" -e "wlan.da" | while IFS= read -r line; do CERT=`echo $line | awk '{print $1}'` SA=`echo $line | awk '{print $2}'` DA=`echo $line | awk '{print $3}'` FILETMP=$(mktemp $tmpbase-$SA-$DA.cert.XXXX.der) echo -e "\n\n${green}Certificate from $SA to $DA ${reset}" echo -e "${green}Saved certificate in the file /tmp/certs/$FILETMP ${reset}" echo $CERT | \ sed "s/://g" | \ xxd -ps -r | \ tee /tmp/certs/$FILETMP | \ openssl x509 -inform der -text; rm $FILETMP done echo -e "\n\n${green}All certs saved in the /tmp/certs/ directory${reset}" fi } -
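Review bot: The certificate output directory is a fixed, guessable path: `mkdir /tmp/certs/` in the `$CERT` branch reports an error once the directory exists and, on a shared host, silently reuses a directory that another account may have created. `mktemp` creates its file in the current directory only so that the name can be reused under `/tmp/certs/`, which means the uniqueness it guarantees does not hold where the data is actually written. I would create a private directory and let mktemp make the file there, e.g. `certdir=$(mktemp -d /tmp/certs.XXXXXX) || return` and `FILETMP=$(mktemp "$certdir/$tmpbase-$SA-$DA.cert.XXXX.der")`, then `tee "$FILETMP"` and drop the `rm`. `$FILE`, `$line` and `$CERT` are also expanded unquoted here and in the older revisions, so a capture path containing spaces is split into several arguments.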
r4ulcl revised this gist
Feb 26, 2024 . 1 changed file with 1 addition and 1 deletion.
@@ -89,7 +89,7 @@ filter () { BSSID=`echo $line | awk '{print $2}'` MAC=`echo $line | awk '{print $3}'` echo -e "\n\n${green}Certificate from $BSSID to $MAC ${reset}" echo $CERT | \ sed "s/://g" | \ -
r4ulcl revised this gist
Feb 26, 2024 . 1 changed file with 1 addition and 1 deletion.
@@ -89,7 +89,7 @@ filter () { BSSID=`echo $line | awk '{print $2}'` MAC=`echo $line | awk '{print $3}'` echo "${green}Certificate from $BSSID to $MAC ${reset}" echo $CERT | \ sed "s/://g" | \ -
r4ulcl revised this gist
Feb 26, 2024 . 1 changed file with 1 addition and 1 deletion.
@@ -89,7 +89,7 @@ filter () { BSSID=`echo $line | awk '{print $2}'` MAC=`echo $line | awk '{print $3}'` echo "${green}Certificate from BSSID: $BSSID to MAC $MAC ${reset}" echo $CERT | \ sed "s/://g" | \ -
r4ulcl revised this gist
Feb 26, 2024 . 1 changed file with 9 additions and 4 deletions.
@@ -82,10 +82,16 @@ filter () { # https://gist.github.com/Cablethief/a2b8f0f7d5ece96423ba376d261bd711 if [ ! -z "$CERT" ] ; then tmpbase=$(basename $FILE) tshark -r $FILE \ -Y "ssl.handshake.certificate and eapol" \ -T fields -e "tls.handshake.certificate" -e "wlan.sa" -e "wlan.da" | while IFS= read -r line; do CERT=`echo $line | awk '{print $1}'` BSSID=`echo $line | awk '{print $2}'` MAC=`echo $line | awk '{print $3}'` echo "Certificate from BSSID: $BSSID to MAC $MAC" echo $CERT | \ sed "s/://g" | \ xxd -ps -r | \ tee $(mktemp $tmpbase.cert.XXXX.der) | \ @@ -161,4 +167,3 @@ fi # # TODO #- Passwords: basic auth, FTP, TFTP, SMB, SMB2, SMTP, POP3, IMAP -
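Review bot: The loop body in the `$CERT` branch assigns `CERT=` from the first column, which is the same variable the surrounding `if [ ! -z "$CERT" ]` uses as the option flag; it is harmless only because the `while` sits on the right-hand side of a pipe and therefore runs in a subshell. Splitting the record with three `echo $line | awk` calls also word-splits and globs the unquoted value and forks six processes per certificate. Letting `read` do the split avoids both: `while IFS=$'\t' read -r cert_hex sa da; do` (tshark's `-T fields` output is tab-separated by default). The same assignment to `CERT` is still present in the Feb 28, 2024 revision.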
r4ulcl revised this gist
Oct 18, 2021 . 1 changed file with 1 addition and 1 deletion.
@@ -84,7 +84,7 @@ filter () { tmpbase=$(basename $FILE) for x in $(tshark -r $FILE \ -Y "ssl.handshake.certificate and eapol" \ -T fields -e "tls.handshake.certificate"); do echo $x | \ sed "s/://g" | \ xxd -ps -r | \ -
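Review bot: Only the `-e` field was renamed to `tls.handshake.certificate`; the display filter on the `-Y` line above it still reads `ssl.handshake.certificate`. Wireshark renamed the `ssl` fields to `tls`, so the filter should probably follow: `-Y "tls.handshake.certificate and eapol" \`. Whether the old name is still accepted depends on the installed tshark version, so it is worth confirming on the versions this script targets, because a rejected filter would make the export produce nothing. The `for` loop continues past the end of the hunk, and the Feb 26 and Feb 28, 2024 revisions keep the same `-Y` line.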
r4ulcl revised this gist
Jul 5, 2021 . 1 changed file with 2 additions and 2 deletions.
@@ -71,12 +71,12 @@ filter () { if [ ! -z "$NBTNS" ] ; then echo -e "\n\tGet NBTNS querys in file to responder\n" tshark -nr $FILE -Y "nbns" -T fields -e ip.src -e nbns.name fi if [ ! -z "$LLMNR" ] ; then echo -e "\n\tGet LLMNR querys in file to responder\n" tshark -nr $FILE -Y "llmnr" -T fields -e ip.src -e dns.qry.name fi # https://gist.github.com/Cablethief/a2b8f0f7d5ece96423ba376d261bd711 -
r4ulcl revised this gist
Jun 25, 2021 . 1 changed file with 8 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,12 +1,19 @@ #!/bin/bash #author : Raul Calvo Laorden ([email protected]) #description : Script to get WPA-EAP Identities, EAP certs, HTTP passwords, Handshakes, DNS queries, NBTNS queries and LLMNR queries #date : 2021-06-24 #usage : bash pcapFilter.sh -f <pcap/folder> [options] #----------------------------------------------------------------------------------------------------------- red=`tput setaf 1` green=`tput setaf 2` reset=`tput sgr0` #echo "${red}red text ${green}green text${reset}" help () { echo "$0 -f <pcap/folder> [OPTION] -f <.pcap>: Read pcap or file of .caps -h : help -
r4ulcl revised this gist
Jun 25, 2021 . No changes.
-
r4ulcl revised this gist
Jun 25, 2021 . 1 changed file with 95 additions and 67 deletions.
@@ -1,35 +1,102 @@ #!/bin/bash red=`tput setaf 1` green=`tput setaf 2` reset=`tput sgr0` #echo "${red}red text ${green}green text${reset}" help () { echo "$0 -f <pcap> [OPTION] -f <.pcap>: Read pcap or file of .caps -h : help OPTIONS: -A : all -P : Get HTTP POST passwords (HTTP) -I : Filter WPA-EAP Identity -C : Export EAP certs -H : Get Handshakes 1 and 2 -D : Get DNS querys -R : Responder vulnerable protocols (NBT-NS + LLMNR) -N : Get NBT-NS querys -L : Get LLMNR querys " } filter () { echo -e "\n${green}FILE: $FILE${reset}" if [ ! -z "$ALL" ] ; then PASSWORDS=true IDENTITY=true HANDSHAKES=true DNS=true NBTNS=true LLMNR=true CERT=true fi if [ ! -z "$PASSWORDS" ] ; then echo -e "\n\tGet POST passwords\n" tshark -r $FILE -Y 'http.request.method == POST and (lower(http.file_data) contains "pass" or lower(http.request.line) contains "pass" or tcp contains "login")' -T fields -e http.file_data -e http.request.full_uri # basic auth? fi if [ ! -z "$IDENTITY" ] ; then echo -e "\n\tGet WPA-EAP Identities\n" echo -e 'DESTINATION\t\tSOURCE\t\t\tIDENTITY' tshark -nr $FILE -Y "eap.type == 1 && eap.code == 2" -T fields -e wlan.da -e wlan.sa -e eap.identity 2> /tmp/error | sort -u cat /tmp/error fi if [ ! -z "$HANDSHAKES" ] ; then echo -e "\n\tGet Handshakes in pcap\n" tshark -nr $FILE -Y "wlan_rsna_eapol.keydes.msgnr == 1 or wlan_rsna_eapol.keydes.msgnr == 2" fi if [ ! -z "$DNS" ] ; then echo -e "\n\tGet DNS querys\n" tshark -nr $FILE -Y "dns.flags == 0x0100" -T fields -e ip.src -e dns.qry.name fi if [ ! -z "$NBTNS" ] ; then echo -e "\n\tGet NBTNS querys in file to responder\n" tshark -nr $FILE -Y "NBT-NS" -T fields -e ip.src -e nbns.name fi if [ ! -z "$LLMNR" ] ; then echo -e "\n\tGet LLMNR querys in file to responder\n" tshark -nr $FILE -Y "LLMNR" -T fields -e ip.src -e dns.qry.name fi # https://gist.github.com/Cablethief/a2b8f0f7d5ece96423ba376d261bd711 if [ ! 
-z "$CERT" ] ; then tmpbase=$(basename $FILE) for x in $(tshark -r $FILE \ -Y "ssl.handshake.certificate and eapol" \ -T fields -e "ssl.handshake.certificate"); do echo $x | \ sed "s/://g" | \ xxd -ps -r | \ tee $(mktemp $tmpbase.cert.XXXX.der) | \ openssl x509 -inform der -text; done fi } if [ ! -x $(which tshark) ]; then echo "${red}tshark not installed${reset}" exit 0 fi while getopts hf:APIHDRNLC flag do case "${flag}" in h) HELP=true;; f) INPUT=${OPTARG};; A) ALL=true;; P) PASSWORDS=true;; I) IDENTITY=true;; @@ -48,8 +115,8 @@ then exit 0 fi if [ -z "$INPUT" ] ; then echo "File or folder needed" echo help exit 1 @@ -68,62 +135,23 @@ if [ "$#" -lt 3 ]; then exit 2 fi #Check if INPUT is a folder if [[ -d "$INPUT" ]] then for F in $INPUT/*cap ; do if [ -f "$F" ] ; then FILE=$F filter else echo "${red}Warning: Some problem with \"$F\"${reset}" fi done else FILE=$INPUT filter fi # # TODO #- Passwords: basic auth, FTP, TFTP, SMB, SMB2, SMTP, POP3, IMAP -
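Review bot: The dependency check `if [ ! -x $(which tshark) ]` does not fire when tshark is missing: if `which` prints nothing, the test collapses to `[ ! -x ]`, which is the negation of the non-empty string `-x` and is therefore false. When the branch does run it exits with status 0, so a calling script cannot tell that nothing was analysed. `if ! command -v tshark >/dev/null 2>&1; then` together with `exit 1` covers both cases. The same check appears in the two older Jun 25, 2021 revisions.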
r4ulcl revised this gist
Jun 25, 2021 . 1 changed file with 2 additions and 2 deletions.
@@ -25,7 +25,7 @@ if [ ! -x $(which tshark) ]; then exit 0 fi while getopts hf:APIHDRNLC flag do case "${flag}" in h) HELP=true;; @@ -37,7 +37,7 @@ do D) DNS=true;; R) NBTNS=true;LLMNR=true;; N) NBTNS=true;; L) LLMNR=true;; C) CERT=true;; esac done -
r4ulcl revised this gist
Jun 25, 2021 . 1 changed file with 32 additions and 6 deletions.
@@ -10,6 +10,7 @@ help () { -A : all -P : Get HTTP POST passwords (HTTP) -I : Filter WPA-EAP Identity -C : Export EAP certs -H : Get Handshakes 1 and 2 -D : Get DNS querys -R : Responder vulnerable protocols (NBT-NS + LLMNR) @@ -19,7 +20,12 @@ help () { } if [ ! -x $(which tshark) ]; then echo "tshark not installed" exit 0 fi while getopts hf:APIHDRNKC flag do case "${flag}" in h) HELP=true;; @@ -32,6 +38,7 @@ do R) NBTNS=true;LLMNR=true;; N) NBTNS=true;; K) LLMNR=true;; C) CERT=true;; esac done @@ -49,19 +56,26 @@ if [ -z "$FILE" ] ; then fi if [ -z "$ALL" ] && [ -z "$PASSWORDS" ] && [ -z "$IDENTITY" ] && [ -z "$HANDSHAKES" ] && [ -z "$DNS" ] && [ -z "$NBTNS" ] && [ -z "$LLMNR" ] && [ -z "$CERT" ]; then echo "Argument needed" help exit 2 fi if [ "$#" -lt 3 ]; then echo "Argument needed" help exit 2 fi if [ ! -z "$ALL" ] ; then PASSWORDS=true IDENTITY=true HANDSHAKES=true DNS=true NBTNS=true LLMNR=true CERT=true fi if [ ! -z "$PASSWORDS" ] ; then 
@@ -89,15 +103,27 @@ fi if [ ! -z "$NBTNS" ] ; then echo -e "\n\tGet NBTNS querys in file to responder\n" tshark -nr $FILE -Y "NBT-NS" -T fields -e ip.src -e nbns.name fi if [ ! -z "$LLMNR" ] ; then echo -e "\n\tGet LLMNR querys in file to responder\n" tshark -nr $FILE -Y "LLMNR" -T fields -e ip.src -e dns.qry.name fi # https://gist.github.com/Cablethief/a2b8f0f7d5ece96423ba376d261bd711 if [ ! -z "$CERT" ] ; then tmpbase=$(basename $2) for x in $(tshark -r $FILE \ -Y "ssl.handshake.certificate and eapol" \ -T fields -e "ssl.handshake.certificate"); do echo $x | \ sed "s/://g" | \ xxd -ps -r | \ tee $(mktemp $tmpbase.cert.XXXX.der) | \ openssl x509 -inform der -text; done fi # # TODO #- Passwords: basic auth, FTP, TFTP, SMB, SMB2, SMTP, POP3, IMAP -
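Review bot: The added `if [ "$#" -lt 3 ]` guard counts raw arguments rather than parsed options, so a valid combined form such as `-Af capture.pcap` (two arguments) is rejected with "Argument needed" even though getopts has set both `ALL` and `FILE`. The flag test directly above it already rejects a call with no action selected, and the `-z "$FILE"` test covers a missing input, so this block adds no protection and can be removed. The guard is still present as context in the later Jun 25, 2021 refactor.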
r4ulcl revised this gist
Jun 24, 2021 . 1 changed file with 2 additions and 2 deletions.
@@ -89,12 +89,12 @@ fi if [ ! -z "$NBTNS" ] ; then echo -e "\n\tGet NBTNS querys in file to responder\n" tshark -nr $FILE -Y "nbns" -T fields -e ip.src -e nbns.name fi if [ ! -z "$LLMNR" ] ; then echo -e "\n\tGet LLMNR querys in file to responder\n" tshark -nr $FILE -Y "llmnr" -T fields -e ip.src -e dns.qry.name fi -
r4ulcl revised this gist
Jun 21, 2021 . No changes.
-
r4ulcl created this gist
Jun 21, 2021 .
@@ -0,0 +1,103 @@ #!/bin/bash help () { echo "$0 -f <pcap> [OPTION] -f <pcap>: Read pcap -h : help OPTIONS: -A : all -P : Get HTTP POST passwords (HTTP) -I : Filter WPA-EAP Identity -H : Get Handshakes 1 and 2 -D : Get DNS querys -R : Responder vulnerable protocols (NBT-NS + LLMNR) -N : Get NBT-NS querys -L : Get LLMNR querys " } while getopts hf:APIHDRNK flag do case "${flag}" in h) HELP=true;; f) FILE=${OPTARG};; A) ALL=true;; P) PASSWORDS=true;; I) IDENTITY=true;; H) HANDSHAKES=true;; D) DNS=true;; R) NBTNS=true;LLMNR=true;; N) NBTNS=true;; K) LLMNR=true;; esac done if [ "$HELP" = true ] ; then help exit 0 fi if [ -z "$FILE" ] ; then echo "File needed" echo help exit 1 fi if [ -z "$ALL" ] && [ -z "$PASSWORDS" ] && [ -z "$IDENTITY" ] && [ -z "$HANDSHAKES" ] && [ -z "$DNS" ] && [ -z "$NBTNS" ] && [ -z "$LLMNR" ] ; then echo "Argument needed" help exit 2 fi if [ ! -z "$ALL" ] ; then PASSWORDS=true IDENTITY=true HANDSHAKES=true DNS=true NBTNS=true LLMNR=true fi if [ ! -z "$PASSWORDS" ] ; then echo -e "\n\tGet POST passwords\n" tshark -r $FILE -Y 'http.request.method == POST and (lower(http.file_data) contains "pass" or lower(http.request.line) contains "pass" or tcp contains "login")' -T fields -e http.file_data -e http.request.full_uri # basic auth? fi if [ ! -z "$IDENTITY" ] ; then echo -e "\n\tGet WPA-EAP Identities\n" echo -e 'DESTINATION\t\tSOURCE\t\t\tIDENTITY' tshark -nr $FILE -Y "eap.type == 1 && eap.code == 2" -T fields -e wlan.da -e wlan.sa -e eap.identity 2> /tmp/error | sort -u cat /tmp/error fi if [ ! -z "$HANDSHAKES" ] ; then echo -e "\n\tGet Handshakes in pcap\n" tshark -nr $FILE -Y "wlan_rsna_eapol.keydes.msgnr == 1 or wlan_rsna_eapol.keydes.msgnr == 2" fi if [ ! -z "$DNS" ] ; then echo -e "\n\tGet DNS querys\n" tshark -nr $FILE -Y "dns.flags == 0x0100" -T fields -e ip.src -e dns.qry.name fi if [ ! -z "$NBTNS" ] ; then echo -e "\n\tGet NBTNS querys in file to responder\n" tshark -nr $FILE -Y "NBT-NS" -T fields -e ip.src -e nbns.name fi if [ ! 
-z "$LLMNR" ] ; then echo -e "\n\tGet LLMNR querys in file to responder\n" tshark -nr $FILE -Y "LLMNR" -T fields -e ip.src -e dns.qry.name fi # # TODO #- Passwords: basic auth, FTP, TFTP, SMB, SMB2, SMTP, POP3, IMAP
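Review bot: The identity branch sends tshark's stderr to the fixed path `/tmp/error` and then cats it, which is a predictable file name in a world-writable directory: two concurrent runs overwrite each other's output, and on a shared host the redirect writes through whatever another account has placed at that name. A per-run file avoids that: `errfile=$(mktemp) || exit 1`, `2> "$errfile"` on the tshark line, then `cat "$errfile"; rm -f -- "$errfile"`. The line is carried unchanged into `filter ()` in the Jun 25, 2021 refactor.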