PCredz extracts credentials and authentication tokens from network traffic (PCAP files or live capture).

## Features

Extracts credentials from both IPv4 and IPv6 traffic:

- NTLM: NTLMv1/v2 hashes from HTTP, SMB, LDAP, MSSQL, DCE-RPC, and more
- Kerberos: AS-REQ Pre-Auth (etype 23) hashes
- HTTP: Basic authentication, form fields (passwords, API keys, tokens)
- FTP: USER/PASS commands
- IRC: NICK/USER/PASS authentication
- SMTP: AUTH PLAIN and AUTH LOGIN
- IMAP: LOGIN authentication
- POP3: USER/PASS commands
- LDAP: Simple Bind (plaintext passwords)
- SNMP: Community strings (v1/v2c)
- MSSQL: TDS protocol authentication
- Credit Cards: Card number extraction (optional)
- Hashcat compatible: All hashes formatted for direct use with hashcat
  - NTLMv1: `-m 5500`
  - NTLMv2: `-m 5600`
  - Kerberos: `-m 7500`
- Organized logs: Separate files for each credential type in the `logs/` directory
- Session log: Complete timeline in `CredentialDump-Session.log`
- Deduplication: Same credentials only logged once (unless the `-v` flag is used)

### Supported link layers

- Ethernet (DLT_EN10MB)
- Linux Cooked Capture (DLT_LINUX_SLL)
- Raw IP (DLT_RAW)
- Automatic detection of link layer type
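To make concrete what "automatic detection of link layer type" involves, the following Python script is an added example and not PCredz code. It reads the 24-byte classic pcap global header to work out byte order, timestamp resolution and link type, maps the three link types listed above to the byte offset at which the IP header starts in each packet record, and then uses that offset to read the IP version of the first packet. The one-packet pcap files it parses are constructed inside the script; it assumes classic pcap (not pcapng) and untagged Ethernet frames (no 802.1Q header), and the `LINKTYPE_*` values are the standard libpcap file values.

```python
"""Detect the pcap link-layer type and the resulting IP-header offset.

Added example, not PCredz code. Assumes the classic pcap format (magic
0xA1B2C3D4 / 0xA1B23C4D in either byte order, not pcapng) and untagged
Ethernet frames (no 802.1Q header).
"""
import struct
from dataclasses import dataclass

_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps

# LINKTYPE_* values as stored in pcap files
LINKTYPE_ETHERNET = 1      # DLT_EN10MB
LINKTYPE_RAW = 101         # libpcap writes DLT_RAW (12) as 101 in files
LINKTYPE_LINUX_SLL = 113   # DLT_LINUX_SLL (Linux cooked capture v1)

# Bytes to skip from the start of each packet record to reach the IP header
_IP_OFFSET = {
    LINKTYPE_ETHERNET: 14,    # dst MAC(6) + src MAC(6) + ethertype(2)
    LINKTYPE_LINUX_SLL: 16,   # pkttype(2) + ARPHRD(2) + addrlen(2) + addr(8) + proto(2)
    LINKTYPE_RAW: 0,          # packet starts with the IP header
    12: 0,                    # some writers store DLT_RAW's native value
}


@dataclass(frozen=True)
class PcapInfo:
    little_endian: bool
    nanosecond: bool
    snaplen: int
    linktype: int
    ip_offset: int


def parse_global_header(data: bytes) -> PcapInfo:
    """Parse the 24-byte pcap global header and resolve the IP-header offset."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for order in (">", "<"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (_MAGIC_USEC, _MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file (unrecognised magic)")
    (_, _vmaj, _vmin, _tz, _sig, snaplen, linktype) = struct.unpack(order + "IHHiIII", data[:24])
    if linktype not in _IP_OFFSET:
        raise ValueError(f"unsupported link type {linktype}")
    return PcapInfo(order == "<", magic == _MAGIC_NSEC, snaplen, linktype, _IP_OFFSET[linktype])


def first_packet_ip_version(data: bytes) -> int:
    """Use the resolved offset to read the IP version nibble of the first packet."""
    info = parse_global_header(data)
    order = "<" if info.little_endian else ">"
    _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[24:40])
    packet = data[40:40 + incl_len]
    if len(packet) < incl_len or len(packet) <= info.ip_offset:
        raise ValueError("truncated packet record")
    return packet[info.ip_offset] >> 4


def build_sample_pcap(linktype: int, little_endian: bool = True, nanosecond: bool = False) -> bytes:
    """Construct a one-packet pcap (sample data built here, not a real capture)."""
    l2 = {
        LINKTYPE_ETHERNET: b"\x00" * 12 + b"\x08\x00",      # zero MACs, ethertype IPv4
        LINKTYPE_LINUX_SLL: b"\x00" * 14 + b"\x08\x00",     # cooked header, protocol IPv4
        LINKTYPE_RAW: b"",
    }[linktype]
    ipv4 = bytes([0x45, 0x00, 0x00, 0x14]) + b"\x00" * 16   # minimal 20-byte IPv4 header
    order = "<" if little_endian else ">"
    magic = _MAGIC_NSEC if nanosecond else _MAGIC_USEC
    gh = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, linktype)
    rec = struct.pack(order + "IIII", 0, 0, len(l2) + len(ipv4), len(l2) + len(ipv4))
    return gh + rec + l2 + ipv4


if __name__ == "__main__":
    for lt in (LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL, LINKTYPE_RAW):
        sample = build_sample_pcap(lt)
        info = parse_global_header(sample)
        print(f"linktype={info.linktype} ip_offset={info.ip_offset} "
              f"first_ip_version={first_packet_ip_version(sample)}")
```

The offset is resolved once from the global header and reused for every packet record, which is why the feature list above describes link layer detection as "minimal overhead": no per-packet guessing is required once the file's link type is known.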
## Docker

```bash
# Build the container
docker build -t pcredz .

# Run with current directory mounted
docker run --rm -v "$(pwd)":/data pcredz -f /data/capture.pcap

# For live capture (requires --net=host)
docker run --rm --net=host -v "$(pwd)":/data pcredz -i eth0 -v
```

## Installation

Debian/Ubuntu:

```bash
sudo apt-get install python3-pip libpcap-dev
pip3 install pcapy-ng
```

Fedora/RHEL:

```bash
sudo dnf install python3-pip libpcap-devel
pip3 install pcapy-ng
```

Arch Linux:

```bash
sudo pacman -S python-pip libpcap
pip3 install pcapy-ng
```

## Usage

```bash
# Parse a single PCAP file
./Pcredz -f capture.pcap

# Parse all PCAP files in a directory (recursive)
./Pcredz -d /path/to/pcap/directory/

# Live capture on an interface (requires root)
sudo ./Pcredz -i eth0

# Verbose mode (show duplicate credentials)
./Pcredz -f capture.pcap -v

# Custom output directory
./Pcredz -f capture.pcap -o /tmp/pcredz-output/
```

## Options

Required (choose one):
```
-f FILE             PCAP file to parse
-d DIR              Directory to parse recursively
-i INTERFACE        Interface for live capture
```

Optional:

```
-v                  Verbose mode (print duplicate credentials)
-t                  Print timestamps
-o DIR              Output directory for logs (default: ./)
-c                  Disable credit card scanning
--disable PROTO     Disable protocol (can be used multiple times)
                    Options: NTLM, HTTP, FTP, IRC, LDAP, SMTP, Kerberos, SNMP, MSSQL
--exclude-host IP   Exclude host IP from capture (can be used multiple times)
-h                  Show help message
```
## Output

All credentials are saved to the `logs/` directory:

```
logs/
├── NTLMv1.txt                # NTLMv1 hashes (hashcat -m 5500)
├── NTLMv2.txt                # NTLMv2 hashes (hashcat -m 5600)
├── MSKerb.txt                # Kerberos hashes (hashcat -m 7500)
├── HTTP-Basic.txt            # HTTP Basic auth credentials
├── HTTP-PasswordFields.txt   # HTTP form fields and API keys
├── FTP-Plaintext.txt         # FTP credentials
├── IRC-Plaintext.txt         # IRC credentials
├── SMTP-Plaintext.txt        # SMTP credentials
├── LDAP-Simple.txt           # LDAP Simple Bind credentials
├── MSSQL-Plaintext.txt       # MSSQL credentials
└── SNMPv1.txt                # SNMP community strings
```

Plus a session log:

```
CredentialDump-Session.log    # Complete session with timestamps
```
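Once the log files exist, the first question for a responder is which accounts were exposed on the wire and therefore need their credentials rotated. The following Python script is an added example, not PCredz code. It assumes `logs/NTLMv2.txt` holds one hash per line in the hashcat `-m 5600` layout (`user::domain:server_challenge:NTProofStr:blob`), which the "hashcat compatible" feature above implies but which this README does not spell out; it validates each line's field shapes, collapses repeated exchanges (the same line logged twice in `-v` mode), and reports the number of distinct captured NTLMv2 exchanges per `DOMAIN\user`. The sample lines embedded in the script are constructed.

```python
"""Triage helper for PCredz NTLMv2 output (added example, not PCredz code).

Assumes logs/NTLMv2.txt holds one hash per line in hashcat -m 5600 format:
    user::domain:server_challenge:NTProofStr:blob
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass

# hashcat -m 5600: user, empty field, domain, 16-hex server challenge,
# 32-hex NTProofStr, then the hex-encoded NTLMv2 blob
_NTLMV2_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>[0-9A-Fa-f]{16}):"
    r"(?P<proof>[0-9A-Fa-f]{32}):(?P<blob>[0-9A-Fa-f]+)$"
)

# Constructed sample of what an NTLMv2.txt might contain (not real captures)
SAMPLE_NTLMV2 = """\
admin::DOMAIN:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000aabb
admin::DOMAIN:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000aabb
svc_backup::DOMAIN:8877665544332211:fedcba9876543210fedcba9876543210:0101000000000000ccdd
jdoe::CORP:0011223344556677:00112233445566778899aabbccddeeff:0101000000000000eeff
not a hash line
"""


@dataclass(frozen=True)
class NtlmV2Entry:
    user: str
    domain: str
    challenge: str
    proof: str


def parse_ntlmv2_line(line: str):
    """Return an NtlmV2Entry for a well-formed hashcat line, else None."""
    m = _NTLMV2_RE.match(line.strip())
    if not m:
        return None
    # Normalise case so the same exchange is not counted twice
    return NtlmV2Entry(m["user"], m["domain"].upper(),
                       m["challenge"].lower(), m["proof"].lower())


def summarize_ntlmv2(lines):
    """Count distinct challenge/proof pairs (one observed authentication each)
    per DOMAIN\\user and collect lines that do not match the expected format."""
    seen = set()
    per_account = Counter()
    malformed = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        entry = parse_ntlmv2_line(line)
        if entry is None:
            malformed.append(line)
            continue
        key = (entry.domain, entry.user, entry.challenge, entry.proof)
        if key in seen:
            continue  # same exchange logged again (e.g. verbose mode)
        seen.add(key)
        per_account[f"{entry.domain}\\{entry.user}"] += 1
    return {"accounts": dict(per_account), "malformed": malformed}


def load_ntlmv2_file(path: str):
    """Summarize an on-disk NTLMv2.txt produced by PCredz."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize_ntlmv2(fh)


if __name__ == "__main__":
    # Usage: python triage_ntlmv2.py logs/NTLMv2.txt   (falls back to the sample)
    report = (load_ntlmv2_file(sys.argv[1]) if len(sys.argv) > 1
              else summarize_ntlmv2(SAMPLE_NTLMV2.splitlines()))
    for account, n in sorted(report["accounts"].items()):
        print(f"{account}: {n} distinct NTLMv2 exchange(s) captured")
    if report["malformed"]:
        print(f"{len(report['malformed'])} malformed line(s) skipped")
```

The account list is what feeds a password reset or a review of which hosts challenged those users; the malformed-line list catches output from a PCredz version whose hashcat formatting differs from the assumed layout, so the script fails loudly rather than silently undercounting.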
## Examples

Basic usage:

```bash
./Pcredz -f capture.pcap
# Output:
# 192.168.1.10:445 > 192.168.1.20:1024
# NTLMv2 complete hash is: admin::DOMAIN:1122334455667788:ABC123...

# Use with hashcat:
hashcat -m 5600 logs/NTLMv2.txt wordlist.txt
```

Live capture:

```bash
sudo ./Pcredz -i eth0 -v
# Captures and displays credentials in real-time
# Press Ctrl+C to stop
```

Batch processing:

```bash
# Process all PCAPs in a directory tree
./Pcredz -d /forensics/network-captures/
# Parsing /forensics/network-captures/day1/morning.pcap...
# Parsing /forensics/network-captures/day1/afternoon.pcap...
# ...
```

Protocol filtering:

```bash
# Disable specific protocols (reduce noise)
./Pcredz -f capture.pcap --disable HTTP --disable SNMP

# Only capture NTLM hashes
./Pcredz -f capture.pcap --disable HTTP --disable FTP --disable IRC \
    --disable LDAP --disable SMTP --disable Kerberos --disable SNMP --disable MSSQL

# Focus on cleartext credentials only
./Pcredz -f capture.pcap --disable NTLM --disable Kerberos
```

Host exclusion:

```bash
# Exclude your own IP during live capture (common use case)
sudo ./Pcredz -i eth0 --exclude-host 192.168.1.50 -v

# Exclude multiple hosts
./Pcredz -f capture.pcap --exclude-host 192.168.1.100 --exclude-host 10.0.0.5

# Pentesting: capture target credentials, not your own
sudo ./Pcredz -i eth0 --exclude-host "$(hostname -I | awk '{print $1}')" -v
```

## Performance

- File I/O caching: Avoids redundant file reads (10-100x speedup)
- Regex pre-compilation: Compiled patterns cached (2-5x speedup)
- Smart deduplication: In-memory tracking of seen credentials
- Link layer detection: Auto-detects and caches offset (minimal overhead)

Typical performance on modern hardware:

- Small files (<10MB): <1 second
- Medium files (100MB): 5-10 seconds
- Large files (1GB+): 1-2 minutes
- Live capture: 5,000-10,000 packets/second
## Troubleshooting

Installing pcapy-ng:

```bash
pip3 install pcapy-ng
# If that fails:
pip3 install --break-system-packages pcapy-ng
```

Live capture requires root privileges:

```bash
sudo ./Pcredz -i eth0
```

If no credentials are found:

- Verify the PCAP contains the expected protocols (use Wireshark)
- Check that traffic isn't encrypted (HTTPS, SSH, etc.)
- Try verbose mode (`-v`) to see all activity
- Check the link layer type is supported
## Contributing

Found a bug or want to add a feature? Contributions welcome!

- Test your changes thoroughly
- Follow the existing code style
- Add examples for new features
- Update documentation

## License

GNU General Public License v3.0

## Author

Laurent Gaffie

- Email: lgaffie@secorizon.com
- X/Twitter: @secorizon
- GitHub: lgandx/PCredz