DanMcInerney / net-creds

Sniffs sensitive data from interface or pcap
GNU General Public License v3.0

Issues running on OS X #1

Closed frankea closed 9 years ago

frankea commented 9 years ago

After jumping through the usual hoops to get things running on an OS X machine, the final barrier that I've run into is the lack of /sbin/ip being installed on OS X. I can't seem to find a way to install it, so I'm wondering if there's a workaround. Traceback attached below:

Traceback (most recent call last):
  File "/Users/admin/Desktop/net-creds.py", line 971, in <module>
    main(parse_args())
  File "/Users/admin/Desktop/net-creds.py", line 961, in main
    conf.iface = iface_finder()
  File "/Users/admin/Desktop/net-creds.py", line 73, in iface_finder
    ipr = Popen(['/sbin/ip', 'route'], stdout=PIPE, stderr=DN)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 710, in __init__
    errread, errwrite)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 1335, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

frankea commented 9 years ago

Resolved with:

brew tap brona/iproute2mac
brew install iproute2mac

and then changing the script from /sbin/ip to /usr/local/bin/ip

DanMcInerney commented 9 years ago

Awesome, no way was I going to be able to figure that out. Any other steps necessary to get it working in OSX? I can add them as a note in the README.

frankea commented 9 years ago

Looks like there are some more steps needed. After this, I get a new error:

[*] Using interface: en0
Traceback (most recent call last):
  File "/Users/admin/Desktop/net-creds.py", line 975, in <module>
    main(parse_args())
  File "/Users/admin/Desktop/net-creds.py", line 971, in main
    sniff(iface=conf.iface, prn=pkt_parser, store=0)
  File "/Library/Python/2.7/site-packages/scapy/sendrecv.py", line 586, in sniff
    r = prn(p)
  File "/Users/admin/Desktop/net-creds.py", line 164, in pkt_parser
    src_ip_port = str(pkt[IP].src) + ':' + str(pkt[TCP].sport)
  File "/Library/Python/2.7/site-packages/scapy/packet.py", line 789, in __getitem__
    raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [IP] not found

I've been looking for an answer to it, but I can't seem to find one. I'm leaning towards it being an issue with iproute2mac as the author states "Provided functionality is limited and command output is not fully compatible with iproute2." (https://github.com/brona/iproute2mac) But maybe it's a scapy issue?

DanMcInerney commented 9 years ago

This is actually an error in scapy, I may've just fixed it by adding a check for the IP layer. Before it was checking for TCP + RAW layers but was calling the IP layer as well so I added a check for TCP + RAW + IP. Pull down the latest and see if that resolved the issue.

On Tue, Mar 3, 2015 at 5:32 PM, epocs notifications@github.com wrote:

Reopened #1 https://github.com/DanMcInerney/net-creds/issues/1.


frankea commented 9 years ago

That seems to have resolved the crash. The script is running and I see data populating, however I don't see any credentials being logged. Tried several websites (HTTP and HTTPS), and checked my e-mail accounts (three IMAPS). I did get a result when connecting via SMB to another server, but the password looks to be hashed.

Also, to clarify my previous posts, in order to use

brew tap brona/iproute2mac
brew install iproute2mac

the end user must first install Homebrew (http://brew.sh). I'm going to go through the process again on my home machine and document the steps needed to get it running. I think I left a few assumptions in there.
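The layer check discussed above for the "Layer [IP] not found" crash, as an added example that is not net-creds code: it parses raw Ethernet frames with the Python 3 standard library instead of scapy and returns nothing unless every layer it reads is actually present. The function names and sample frames are constructed; the IPv6 case is an assumption about one way a TCP segment with payload can arrive without an IPv4 header, since the thread does not say which packet triggered the error.

```python
import socket
import struct

ETH_IPV4, ETH_IPV6, ETH_ARP, PROTO_TCP = 0x0800, 0x86DD, 0x0806, 6

def tcp_source(frame):
    """'src:sport' for a TCP segment carrying payload, or None if any layer is absent."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV4 and len(frame) >= 34:
        l4 = 14 + (frame[14] & 0x0F) * 4              # IHL gives the IPv4 header length
        end = 14 + struct.unpack("!H", frame[16:18])[0]
        proto, src = frame[23], socket.inet_ntop(socket.AF_INET, frame[26:30])
    elif ethertype == ETH_IPV6 and len(frame) >= 54:
        l4 = 54                                       # extension headers not handled
        end = 54 + struct.unpack("!H", frame[18:20])[0]
        proto, src = frame[20], "[%s]" % socket.inet_ntop(socket.AF_INET6, frame[22:38])
    else:
        return None                                   # ARP, truncated frames, other types
    if proto != PROTO_TCP or len(frame) < l4 + 20:
        return None
    sport = struct.unpack("!H", frame[l4:l4 + 2])[0]
    data_start = l4 + (frame[l4 + 12] >> 4) * 4       # TCP data offset
    if end <= data_start:                             # bare SYN/ACK: no payload to parse
        return None
    return "%s:%d" % (src, sport)

# Constructed sample frames (documentation addresses, zeroed MACs and checksums).
def _tcp(payload):
    return struct.pack("!HHIIBBHHH", 51000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

def ipv4_frame(payload):
    seg = _tcp(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    return b"\0" * 12 + struct.pack("!H", ETH_IPV4) + ip + seg

def ipv6_frame(payload):
    seg = _tcp(payload)
    src = socket.inet_pton(socket.AF_INET6, "2001:db8::10")
    dst = socket.inet_pton(socket.AF_INET6, "2001:db8::20")
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(seg), PROTO_TCP, 64, src, dst)
    return b"\0" * 12 + struct.pack("!H", ETH_IPV6) + ip6 + seg

ARP_FRAME = b"\0" * 12 + struct.pack("!H", ETH_ARP) + b"\0" * 28
```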

DanMcInerney commented 9 years ago

It can't sniff HTTPS traffic, you'd have to use SSLStrip or serve a fake cert to read any IMAPS or HTTPS traffic since it's encrypted. SMB uses NETNTLM which is a challenge:response hash protocol rather than cleartext so you would have to crack that hash with hashcat.

frankea commented 9 years ago

That's kinda what I thought. Not an expert on that front. I've outlined the steps needed to get this running on OS X, with having Homebrew (http://brew.sh) installed as a prerequisite (each line is a separate command):

sudo easy_install pip
sudo pip install scapy
sudo pip install pcapy
brew install libdnet --with-python
mkdir -p /Users/<username>/Library/Python/2.7/lib/python/site-packages
echo 'import site; site.addsitedir("/usr/local/lib/python2.7/site-packages")' >> /Users/<username>/Library/Python/2.7/lib/python/site-packages/homebrew.pth
sudo pip install pypcap
brew tap brona/iproute2mac
brew install iproute2mac

After all that, replace /sbin/ip with /usr/local/bin/ip in the script and you should be good to go.
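An alternative to editing the hardcoded /sbin/ip path by hand, as an added example that is not part of net-creds: it resolves `ip` through PATH plus the common sbin directories, parses the default route token by token so that iproute2mac's reduced output still works, and falls back to the native `route -n get default` when no `ip` binary is found. It is written for Python 3; the function names and sample outputs are constructed for illustration.

```python
import os
import re
import shutil
import subprocess

# Constructed sample outputs (not captured from the reporter's machine).
LINUX_IP_ROUTE = "default via 192.0.2.1 dev eth0 proto dhcp metric 100\n192.0.2.0/24 dev eth0 scope link\n"
MAC_IP_ROUTE = "default via 192.0.2.1 dev en0\n192.0.2.0/24 dev en0 scope link\n"
BSD_ROUTE_GET = "   route to: default\n    gateway: 192.0.2.1\n  interface: en0\n      flags: <UP,GATEWAY,DONE,STATIC>\n"

def parse_ip_route(output):
    """Interface of the default route in `ip route`-style output, else None."""
    for line in output.splitlines():
        fields = line.split()
        # Require a token after "dev" so a truncated line cannot raise IndexError.
        if fields[:1] == ["default"] and "dev" in fields[:-1]:
            return fields[fields.index("dev") + 1]
    return None

def parse_bsd_route(output):
    """Interface named in macOS/BSD `route -n get default` output, else None."""
    match = re.search(r"^\s*interface:\s*(\S+)", output, re.MULTILINE)
    return match.group(1) if match else None

def run(argv):
    """stdout of argv, or '' when the binary is missing or the call fails."""
    try:
        return subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return ""

def find_default_iface():
    """Hypothetical stand-in for a lookup that calls Popen(['/sbin/ip', 'route'])."""
    search = os.pathsep.join([os.environ.get("PATH", ""), "/sbin", "/usr/sbin", "/usr/local/bin"])
    ip_path = shutil.which("ip", path=search)
    iface = parse_ip_route(run([ip_path, "route"])) if ip_path else None
    if iface is None:
        route_path = shutil.which("route", path=search)
        if route_path:
            iface = parse_bsd_route(run([route_path, "-n", "get", "default"]))
    return iface

if __name__ == "__main__":
    print(find_default_iface())
```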

DanMcInerney commented 9 years ago

Thank you very much!

misterjangles commented 9 years ago

I'm having this issue running net-creds.py on a MacBook Air with Mavericks. I followed epocs' instructions and here is the error I'm getting:

Traceback (most recent call last):
  File "net-creds.py", line 7, in <module>
    from scapy.all import *
  File "/Library/Python/2.7/site-packages/scapy/all.py", line 16, in <module>
    from arch import *
  File "/Library/Python/2.7/site-packages/scapy/arch/__init__.py", line 75, in <module>
    from bsd import *
  File "/Library/Python/2.7/site-packages/scapy/arch/bsd.py", line 12, in <module>
    from unix import *
  File "/Library/Python/2.7/site-packages/scapy/arch/unix.py", line 20, in <module>
    from pcapdnet import *
  File "/Library/Python/2.7/site-packages/scapy/arch/pcapdnet.py", line 173, in <module>
    import dnet
ImportError: No module named dnet

Hope someone can help. Thanks