> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-5/data-analysis/network-stream-analysis/trick-0376.md).

# Extract Plaintext Credentials from PCAP

***

Analyze network traffic captures (.pcap files) where protocols like FTP, Telnet, or HTTP (without TLS) are used, as they transmit credentials in plaintext. Using a tool like Wireshark, open the .pcap file. To narrow down the traffic, apply filters such as `tcp port 21` for FTP, `tcp port 23` for Telnet, or `tcp port 80` for HTTP. Identify packets belonging to a suspicious or relevant connection based on the filtered results. Right-click a packet from the stream and select `Follow` -> `TCP Stream`. This will reconstruct the conversation in a separate window. The content of the stream will be displayed, typically with data from the client shown in red and data from the server shown in blue. The stream content can be displayed in various formats, including ASCII, Hex Dump, or Raw. This window shows the raw plaintext data exchanged, which may include usernames and passwords. For example, following the TCP stream for FTP traffic might reveal the `USER` and `PASS` commands sent during the login process.

Alternatively, command-line tools can be used for automated analysis. Tshark, the command-line network protocol analyzer companion to Wireshark, can read packets from a saved capture file and filter them. For instance, to display data from common plaintext credential ports, you could use:

```bash
tshark -r capture.pcap -Y "tcp.port == 21 or tcp.port == 23 or tcp.port == 80" -O data
```

Another tool specifically designed to extract credentials from pcap files is PCredz. It can automate the process of identifying and extracting plaintext credentials for various protocols. To use PCredz, you typically clone the repository and install its requirements:

```bash
git clone https://github.com/nccgroup/pcredz && cd pcredz && pip install -r requirements.txt
```

Then, you can run it against a pcap file:

```bash
python pcredz.py -p your_capture_file.pcap
```

This command will process the specified pcap file and output any credentials it finds.
