README
¶
Credential Harvesters
Implemented Harvesters
✅ Basic Auth
- FTP - plaintext credentials (port 21)
- Telnet - plaintext credentials (port 23)
- SMTP - Auth Plain, Auth Login, CRAM-MD5 (ports 25, 465, 587)
- IMAP - Login, Authenticate Plain, CRAM-MD5 (port 143)
- POP3 - USER/PASS, Auth Plain, Auth Login (ports 110, 995)
✅ HTTP Authentication
- HTTP Basic Auth - base64 decoded credentials
- HTTP Digest (Enhanced) - Full parameter extraction for Hashcat mode 11400
- Extracts: username, realm, nonce, uri, qop, nc, cnonce, response, method
- Format:
username:realm:nonce:uri:nc:cnonce:qop:response
- HTTP NTLM - base64-encoded NTLMSSP in HTTP Authorization headers
- Scans entire session for Challenge and Response
- Integrates with NTLMSSP harvester
✅ NTLMSSP
- File:
ntlmssp.go - Protocols: SMB, HTTP, IMAP, SMTP, LDAP
- Supports: NTLMv1 and NTLMv2
- Hashcat Modes:
- 5500 (NTLMv1):
username::domain:LM:NT:challenge - 5600 (NTLMv2):
username::domain:challenge:NT:blob
- 5500 (NTLMv1):
- Features:
- Session-based state machine (Challenge → Response)
- Extracts: username, domain, workstation, challenge, LM hash, NT hash
- Auto-detects NTLMv1 vs NTLMv2
- UTF-16LE decoding for strings
✅ Kerberos AS-REQ
- File:
kerberos_asreq.go - Protocol: Kerberos v5 (port 88)
- Supports: etype 23 (RC4-HMAC-MD5)
- Hashcat Mode: 7500
- Format:
$krb5pa$23$user$realm$$hash - Features:
- Extracts pre-authentication hashes
- Hash byte order switching (as per Kerberos spec)
- Works with UDP and TCP (with 4-byte length prefix)
✅ Database Credentials
- PostgreSQL (port 5432)
- Plaintext authentication (user/password)
- MD5 challenge-response (Hashcat mode 11100)
- Database name extraction
- MySQL (port 3306)
- Native Password challenge-response (Hashcat mode 11200)
- Server greeting and client auth parsing
- Database name extraction
- MongoDB (port 27017)
- SCRAM-SHA-1 and SCRAM-SHA-256
- SASL message parsing
- Salt, iterations, and proof extraction
- Redis (port 6379)
- Simple AUTH command
- RESP protocol format
- Redis 6+ ACL authentication
✅ Directory Services
- LDAP (ports 389, 636)
- Simple Bind authentication (plaintext)
- ASN.1 BER/DER parsing
- Distinguished Name (DN) extraction
- Username extraction from CN/UID
✅ Network Management
- SNMP (ports 161, 162)
- v1 and v2c community strings
- ASN.1 structure parsing
- Printable ASCII validation
✅ Remote Desktop
- VNC (ports 5900-5902)
- DES challenge-response (Hashcat mode 20200)
- Apple Remote Desktop (ARD) detection
- VNC MS Logon II (NTLM integration)
- Entropy checking for challenge/response
- TeamViewer (port 5938)
- Remote desktop session detection
- Authentication event tracking (AUTH_CHALLENGE, AUTH_RESPONSE, AUTH_RESULT)
- Session ID and connection monitoring
- Supports protocol versions 1.x and 2.x
✅ Network Discovery
- mDNS (port 5353)
- Multicast DNS hostname discovery
- IP address to hostname mappings
- Service discovery (SRV, TXT records)
- Works with Bonjour/Avahi
- NBNS (port 137)
- NetBIOS Name Service
- Windows computer name discovery
- Workstation, Domain Controller, File Server identification
- Node status response parsing
- UPnP (port 1900)
- Universal Plug and Play device discovery
- Router, media server, IoT device identification
- SSDP M-SEARCH and NOTIFY parsing
- Device location and service type extraction
- WSD (port 3702)
- Web Services Discovery for Windows
- SOAP/XML-based device discovery
- Probe and ProbeMatch detection
- Device type and address extraction
⚠️ Optional (Disabled by Default)
- Credit Card Detection
- Luhn algorithm validation
- Card type identification (Visa, MasterCard, Amex, Discover, JCB, Diners)
- Context extraction
- NOTE: Can produce false positives
TODO: Requires ASN.1 Parsing
⏳ Kerberos AS-REP
- Hashcat Modes: 18200 (etype 23), 19600 (etype 17), 19700 (etype 18)
- Complexity: High - requires ASN.1 DER/BER decoder
- Use Case: AS-REP roasting
⏳ Kerberos TGS-REP
- Hashcat Modes: 13100 (etype 23), 19600 (etype 17), 19700 (etype 18)
- Complexity: High - requires ASN.1 DER/BER decoder
- Use Case: Kerberoasting service accounts
Test Data
Location: testdata/
- 13 PCAP files from BruteShark project
- Covers: NTLM, Kerberos, HTTP Digest, HTTP NTLM
- All files verified readable
Usage
Harvesters run automatically during TCP session analysis. They are invoked by port mapping or by trying all harvesters on unknown ports.
Port Mapping
- 21: FTP
- 23: Telnet
- 25, 465, 587: SMTP
- 80, 8080: HTTP
- 88: Kerberos
- 110, 995: POP3
- 137: NBNS
- 143: IMAP
- 161, 162: SNMP
- 389, 636: LDAP
- 445: SMB/NTLMSSP
- 1900: UPnP/SSDP
- 3306: MySQL
- 3702: WSD
- 5353: mDNS
- 5432: PostgreSQL
- 5900-5909: VNC
- 5938: TeamViewer
- 6379: Redis
- 27017: MongoDB
Output Format
Credentials are stored in Secret.ncap.gz with:
- Timestamp
- Service (protocol name)
- Flow (connection identifier)
- User
- Password (plaintext or Hashcat format for hashes)
- Notes (additional metadata)
Building
cd decoder/stream/credentials
go build
go test
Testing
# Run all tests
go test -v
# Run specific test
go test -v -run TestNTLMSSP
# Check test files
go test -v -run TestAllPCAPFilesExist
Implementation Notes
NTLMSSP
- Searches for signature:
NTLMSSP\x00 - Challenge message type: 0x02
- Auth message type: 0x03
- Fields encoded as [length:2][maxlen:2][offset:4]
- Strings are UTF-16LE encoded
Kerberos AS-REQ
- AS-REQ message type: 0x0a
- RC4 encryption type: 0x17
- PA-DATA signatures:
0xa2 0x36 0x04 0x34or0xa2 0x35 0x04 0x33 - Hash requires byte order switching (last 36 bytes, then first 16 bytes)
HTTP Digest
- Parses Authorization header
- Splits comma-separated key=value pairs
- Strips quotes from values
- Requires: username, response (minimum)
Future Enhancements
- UDP Packet Harvesting: Direct UDP packet analysis for Kerberos (currently only works on TCP)
- ASN.1 Parsing: Implement AS-REP and TGS-REP harvesters
- Hashcat Export: Dedicated export command for hash files
- WebUI Integration: Display hash-specific fields in credentials page
- Additional Protocols: LDAP, RDP, etc.
Documentation
¶
Index ¶
- Constants
- Variables
- func InitBruteforceDetector(config *BruteforceConfig)
- func InitializeHarvesters(config *HarvestersConfigFile) error
- func ResetSecretStore()
- func RunHarvesters(banner []byte, transport gopacket.Flow, ident string, firstPacket time.Time, ...)
- func SaveHarvestersConfig(path string, config *HarvestersConfigFile) error
- func WriteSecret(creds *types.Secret)
- type BruteforceAlert
- type BruteforceConfig
- type BruteforceDetector
- func (d *BruteforceDetector) GetAlerts() []BruteforceAlert
- func (d *BruteforceDetector) GetStats() map[string]any
- func (d *BruteforceDetector) RecordFailure(sourceIP, targetIP, service, username string, ts time.Time)
- func (d *BruteforceDetector) RecordSuccess(sourceIP, targetIP, service, username string, ts time.Time)
- func (d *BruteforceDetector) SetAlertCallback(cb func(BruteforceAlert))
- func (d *BruteforceDetector) Stop()
- type CustomHarvesterConfig
- type Harvester
- type HarvesterConfig
- type HarvesterInfo
- type HarvestersConfigFile
Constants ¶
const ( EtypeAES128CTS = 17 // AES128-CTS-HMAC-SHA1-96 EtypeAES256CTS = 18 // AES256-CTS-HMAC-SHA1-96 EtypeRC4HMAC = 23 // RC4-HMAC )
Kerberos encryption type constants
const (
// DecoderName is the name for the credentials decoder
DecoderName = "Secret"
)
Variables ¶
var Decoder = &decoder.AbstractDecoder{ Name: DecoderName, Description: "Secrets to authenticate to a service, like a username and password combination, or a token, api key, etc.", Type: types.Type_NC_Secret, PostInit: func(d *decoder.AbstractDecoder) (err error) { useHarvesters = true credLog, _, err = logging.InitZapLogger( decoderconfig.Instance.Out, "credentials", decoderconfig.Instance.Debug, ) if err != nil { return err } // Load harvesters configuration var config *HarvestersConfigFile if decoderconfig.Instance.HarvestersConfigPath != "" { config, err = LoadHarvestersConfig(decoderconfig.Instance.HarvestersConfigPath) if err != nil { log.Printf("Failed to load harvesters config from %s: %v. Using default configuration.\n", decoderconfig.Instance.HarvestersConfigPath, err) config = nil } } if err := InitializeHarvesters(config); err != nil { return err } if decoderconfig.Instance.CustomRegex != "" { r, errCompile := regexp.Compile(decoderconfig.Instance.CustomRegex) if errCompile != nil { return errCompile } customRegexHarvester := Harvester{ Name: "Custom Regex", Description: "Custom regex pattern: " + decoderconfig.Instance.CustomRegex, HarvesterFunc: func(data []byte, ident string, ts time.Time) *types.Secret { matches := r.FindSubmatch(data) if len(matches) > 1 { var notes strings.Builder for _, m := range matches { notes.WriteString(" " + string(m) + " ") } return &types.Secret{ Notes: notes.String(), } } return nil }, } tcpConnectionHarvesters = append(tcpConnectionHarvesters, customRegexHarvester) } return nil }, DeInit: func(sd *decoder.AbstractDecoder) error { return credLog.Sync() }, }
Decoder for protocol analysis and writing audit records to disk.
Functions ¶
func InitBruteforceDetector ¶
func InitBruteforceDetector(config *BruteforceConfig)
InitBruteforceDetector initializes the global bruteforce detector with custom config This should be called before any calls to GetBruteforceDetector for proper configuration
func InitializeHarvesters ¶
func InitializeHarvesters(config *HarvestersConfigFile) error
InitializeHarvesters sets up the harvesters based on the provided configuration
func ResetSecretStore ¶
func ResetSecretStore()
ResetSecretStore clears the credentials deduplication store This should be called when resetting state between processing different files
func RunHarvesters ¶
func RunHarvesters(banner []byte, transport gopacket.Flow, ident string, firstPacket time.Time, communityID string)
RunHarvesters will use the service probes to determine the service type based on the provided banner. The banner parameter contains at most HarvesterBannerSize bytes from the stream conversation, which is pre-truncated to prevent performance issues when processing large data streams (e.g., file transfers, database dumps, video streaming, etc.). The communityID parameter is the Corelight Community ID v1 for the connection, calculated once at the stream level and available for all harvesters to use for cross-tool correlation.
func SaveHarvestersConfig ¶
func SaveHarvestersConfig(path string, config *HarvestersConfigFile) error
SaveHarvestersConfig saves harvester configuration to a YAML file
func WriteSecret ¶
WriteSecret is a util that should be used to write credential audit to disk it will deduplicate the audit records to avoid repeating information on disk.
Types ¶
type BruteforceAlert ¶
type BruteforceAlert struct {
Timestamp time.Time
SourceIP string
Service string
FailedAttempts int
TargetServers []string // Unique servers targeted
Duration time.Duration
FirstAttempt time.Time
LastAttempt time.Time
}
BruteforceAlert represents a detected bruteforce attack
func (*BruteforceAlert) String ¶
func (a *BruteforceAlert) String() string
String returns a human-readable description of the alert
type BruteforceConfig ¶
type BruteforceConfig struct {
// FailureThreshold is the number of failed attempts before alerting
FailureThreshold int `yaml:"failure_threshold"`
// MeasurementInterval is the time window for counting failures
MeasurementInterval time.Duration `yaml:"measurement_interval"`
// PerSourceTracking tracks failures per source IP
PerSourceTracking bool `yaml:"per_source_tracking"`
// PerServiceTracking tracks failures per service type
PerServiceTracking bool `yaml:"per_service_tracking"`
// Enabled controls whether bruteforce detection is active
Enabled bool `yaml:"enabled"`
}
BruteforceConfig holds configuration for bruteforce detection
func DefaultBruteforceConfig ¶
func DefaultBruteforceConfig() *BruteforceConfig
DefaultBruteforceConfig returns default bruteforce detection settings Similar to Zeek's FTP/SSH bruteforce detection defaults
type BruteforceDetector ¶
type BruteforceDetector struct {
// contains filtered or unexported fields
}
BruteforceDetector tracks failed authentication attempts and detects bruteforce attacks Similar to Zeek's SumStats-based approach
func GetBruteforceDetector ¶
func GetBruteforceDetector() *BruteforceDetector
GetBruteforceDetector returns the global bruteforce detector instance
func NewBruteforceDetector ¶
func NewBruteforceDetector(config *BruteforceConfig) *BruteforceDetector
NewBruteforceDetector creates a new bruteforce detection instance
func (*BruteforceDetector) GetAlerts ¶
func (d *BruteforceDetector) GetAlerts() []BruteforceAlert
GetAlerts returns all currently tracked alerts
func (*BruteforceDetector) GetStats ¶
func (d *BruteforceDetector) GetStats() map[string]any
GetStats returns statistics about the detector
func (*BruteforceDetector) RecordFailure ¶
func (d *BruteforceDetector) RecordFailure(sourceIP, targetIP, service, username string, ts time.Time)
RecordFailure records a failed authentication attempt This should be called whenever AuthSuccessSet is true and AuthSuccess is false
func (*BruteforceDetector) RecordSuccess ¶
func (d *BruteforceDetector) RecordSuccess(sourceIP, targetIP, service, username string, ts time.Time)
RecordSuccess records a successful authentication (can be used to track password guessers who succeeded)
func (*BruteforceDetector) SetAlertCallback ¶
func (d *BruteforceDetector) SetAlertCallback(cb func(BruteforceAlert))
SetAlertCallback sets the function to call when a bruteforce alert is generated
func (*BruteforceDetector) Stop ¶
func (d *BruteforceDetector) Stop()
Stop stops the bruteforce detector and cleans up resources
type CustomHarvesterConfig ¶
type CustomHarvesterConfig struct {
Name string `yaml:"name" json:"name"`
Description string `yaml:"description,omitempty" json:"description,omitempty"`
Enabled bool `yaml:"enabled" json:"enabled"`
Ports []int `yaml:"ports" json:"ports"`
Regex string `yaml:"regex" json:"regex"`
Parameters map[string]any `yaml:"parameters,omitempty" json:"parameters,omitempty"`
}
CustomHarvesterConfig represents configuration for a custom regex-based harvester
type HarvesterConfig ¶
type HarvesterConfig struct {
Name string `yaml:"name" json:"name"`
Description string `yaml:"description,omitempty" json:"description,omitempty"`
Enabled bool `yaml:"enabled" json:"enabled"`
Ports []int `yaml:"ports" json:"ports"`
Parameters map[string]any `yaml:"parameters,omitempty" json:"parameters,omitempty"`
}
HarvesterConfig represents the configuration for a single credential harvester
type HarvesterInfo ¶
HarvesterInfo contains metadata about a credential harvester for API responses
func GetHarvesters ¶
func GetHarvesters() []HarvesterInfo
GetHarvesters returns information about all registered credential harvesters including their names, descriptions, and associated port mappings
type HarvestersConfigFile ¶
type HarvestersConfigFile struct {
Harvesters []HarvesterConfig `yaml:"harvesters" json:"harvesters"`
CustomHarvesters []CustomHarvesterConfig `yaml:"custom_harvesters,omitempty" json:"custom_harvesters,omitempty"`
}
HarvestersConfigFile represents the entire harvesters configuration file structure
func GetDefaultHarvestersConfig ¶
func GetDefaultHarvestersConfig() *HarvestersConfigFile
GetDefaultHarvestersConfig returns the default harvester configuration
func GetHarvesterConfig ¶
func GetHarvesterConfig() *HarvestersConfigFile
GetHarvesterConfig returns the current harvester configuration
func LoadHarvestersConfig ¶
func LoadHarvestersConfig(path string) (*HarvestersConfigFile, error)
LoadHarvestersConfig loads harvester configuration from a YAML file
Source Files
¶
- bruteforce.go
- config.go
- creditcard.go
- ftp.go
- harvester.go
- http.go
- http_ntlm.go
- imap.go
- kerberos_asrep.go
- kerberos_asreq.go
- kerberos_common.go
- kerberos_tgsrep.go
- ldap.go
- mdns.go
- mongodb.go
- mqtt.go
- mysql.go
- nbns.go
- ntlmssp.go
- pop3.go
- postgres.go
- radius.go
- redis.go
- secret.go
- sip.go
- smtp.go
- snmp.go
- socks.go
- teamviewer.go
- telnet.go
- upnp.go
- vnc.go