Issues running on OS X

[frankea]

After jumping through the usual hoops to get things running on an OS X machine, the final barrier that I've run into is the lack of /sbin/ip being installed on OS X. I can't seem to find a way to install it, so I'm wondering if there's a workaround. Traceback attached below:

Traceback (most recent call last):
  File "/Users/admin/Desktop/net-creds.py", line 971, in <module>
    main(parse_args())
  File "/Users/admin/Desktop/net-creds.py", line 961, in main
    conf.iface = iface_finder()
  File "/Users/admin/Desktop/net-creds.py", line 73, in iface_finder
    ipr = Popen(['/sbin/ip', 'route'], stdout=PIPE, stderr=DN)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 710, in __init__
    errread, errwrite)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 1335, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

[frankea]

Resolved with:

brew tap brona/iproute2mac
brew install iproute2mac

and then changing the script from /sbin/ip to /usr/local/bin/ip

[DanMcInerney]

Awesome, no way was I going to be able to figure that out. Any other steps necessary to get it working in OSX? I can add them as a note in the README.

[frankea]

Looks like there are some more steps needed. After this, I get a new error:

[*] Using interface: en0
Traceback (most recent call last):
  File "/Users/admin/Desktop/net-creds.py", line 975, in <module>
    main(parse_args())
  File "/Users/admin/Desktop/net-creds.py", line 971, in main
    sniff(iface=conf.iface, prn=pkt_parser, store=0)
  File "/Library/Python/2.7/site-packages/scapy/sendrecv.py", line 586, in sniff
    r = prn(p)
  File "/Users/admin/Desktop/net-creds.py", line 164, in pkt_parser
    src_ip_port = str(pkt[IP].src) + ':' + str(pkt[TCP].sport)
  File "/Library/Python/2.7/site-packages/scapy/packet.py", line 789, in __getitem__
    raise IndexError("Layer [%s] not found" % lname)
IndexError: Layer [IP] not found

I've been looking for an answer to it, but I can't seem to find one. I'm leaning towards it being an issue with iproute2mac as the author states "Provided functionality is limited and command output is not fully compatible with iproute2." (https://github.com/brona/iproute2mac) But maybe it's a scapy issue?

[DanMcInerney]

This is actually an error in scapy, I may've just fixed it by adding a
check for the IP layer. Before it was checking for TCP + RAW layers but was
calling the IP layer as well so I added a check for TCP + RAW + IP. Pull
down the latest and see if that resolved the issue.

On Tue, Mar 3, 2015 at 5:32 PM, epocs notifications@github.com wrote:

Reopened #1 #1.

—
Reply to this email directly or view it on GitHub
#1 (comment).

[frankea]

That seems to have resolved the crash. The script is running and I see data populating, however I don't see any credentials being logged. Tried several websites (HTTP and HTTPS), and checked my e-mail accounts (three IMAPS). I did get a result when connecting via SMB to another server, but the password looks to be hashed.

Also, to clarify my previous posts, in order to use

brew tap brona/iproute2mac
brew install iproute2mac

the end user must first install Homebrew (http://brew.sh). I'm going to go through the process again on my home machine and document the steps needed to get it running. I think I left a few assumptions in there.

[DanMcInerney]

It can't sniff HTTPS traffic, you'd have to use SSLStrip or serve a fake cert to read any IMAPS or HTTPS traffic since it's encrypted. SMB uses NETNTLM which is a challenge:response hash protocol rather than cleartext so you would have to crack that hash with hashcat.

[frankea]

That's kinda what I thought. Not an expert on that front. I've outlined the steps needed to get this running on OS X, with having Homebrew (http://brew.sh) install as a prerequisite (each line is a separate command):

sudo easy_install pip
sudo pip install scapy
sudo pip install pcapy
brew install libdnet --with-python
mkdir -p /Users/<username>/Library/Python/2.7/lib/python/site-packages
echo 'import site; site.addsitedir("/usr/local/lib/python2.7/site-packages")' >> /Users/<username>/Library/Python/2.7/lib/python/site-packages/homebrew.pth
sudo pip install pypcap
brew tap brona/iproute2mac
brew install iproute2mac

After all that, replace /sbin/ip with /usr/local/bin/ip in the script and you should be good to go.

[DanMcInerney]

Thank you very much!

[misterjangles]

I'm having this issue running net-creds.py on a macbook air with mavericks. I followed epocs instructions and here is the error I'm getting,

Traceback (most recent call last):
File "net-creds.py", line 7, in
from scapy.all import *
File "/Library/Python/2.7/site-packages/scapy/all.py", line 16, in
from arch import *
File "/Library/Python/2.7/site-packages/scapy/arch/init.py", line 75, in
from bsd import *
File "/Library/Python/2.7/site-packages/scapy/arch/bsd.py", line 12, in
from unix import *
File "/Library/Python/2.7/site-packages/scapy/arch/unix.py", line 20, in
from pcapdnet import *
File "/Library/Python/2.7/site-packages/scapy/arch/pcapdnet.py", line 173, in
import dnet
ImportError: No module named dnet

Hope someone can help.
Thanks