
Credence

Warning

This tool is still in early development; expect bugs and missing features until v1.0.0.

cred is a tool inspired by PCredz. It does (mostly) the same things: extracting credit card numbers and NTLM, Kerberos, HTTP Basic, SNMP, POP, SMTP, FTP and IMAP credentials, among others, from .pcap files. It tries to be compatible with PCredz, but I cannot guarantee anything, since this is a hobby project I made for myself.
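The extraction described above is easiest to see on a minimal case. What follows is an added example written for this README, not code from the credence repository: a standard-library-only Go reader for classic pcap files (no libpcap, like cred's pure-Go build) that pulls HTTP Basic credentials out of cleartext requests, reports each credential once per server unless a verbose flag is set (the behaviour the -v option toggles) and carries the capture timestamp that -t prints. The capture it parses is constructed in memory; the endpoints 10.0.0.5:40000 and 10.0.0.10:80, the host intranet.example and the credential alice:s3cr3t are made up for the demonstration, and all function names are assumptions of this example, not the tool's. A finding like this is exactly the evidence a blue team needs to show that a service is still accepting credentials over plain HTTP.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"io"
	"strings"
)

// Finding is one cleartext HTTP Basic credential seen in a capture.
type Finding struct {
	TsSec                  uint32 // capture time in seconds, the value cred's -t flag prints
	Src, Dst, User, Secret string // Src and Dst are ip:port
}

// pcapRecord is the 16-byte per-packet header of the classic libpcap format.
type pcapRecord struct{ TsSec, TsUsec, InclLen, OrigLen uint32 }

// tcpPayload strips Ethernet/IPv4/TCP headers; ok is false for anything that is
// not a complete IPv4/TCP frame. Checksums are not verified.
func tcpPayload(frame []byte) (src, dst string, payload []byte, ok bool) {
	if len(frame) < 54 || binary.BigEndian.Uint16(frame[12:14]) != 0x0800 || frame[14]>>4 != 4 || frame[23] != 6 {
		return // too short, not IPv4, or not TCP
	}
	ip, ihl := frame[14:], int(frame[14]&0x0f)*4
	if ihl < 20 || len(ip) < ihl+20 {
		return
	}
	tcp, doff := ip[ihl:], int(ip[ihl+12]>>4)*4
	if doff < 20 || len(tcp) < doff {
		return
	}
	ep := func(a, p []byte) string { return fmt.Sprintf("%d.%d.%d.%d:%d", a[0], a[1], a[2], a[3], binary.BigEndian.Uint16(p)) }
	return ep(ip[12:16], tcp[0:2]), ep(ip[16:20], tcp[2:4]), tcp[doff:], true
}

// httpBasic decodes an "Authorization: Basic <base64>" header from a cleartext
// HTTP request into user and secret; ok is false if absent or malformed.
func httpBasic(payload []byte) (user, secret string, ok bool) {
	const hdr = "authorization: basic "
	for _, line := range strings.Split(string(payload), "\r\n") {
		if len(line) >= len(hdr) && strings.EqualFold(line[:len(hdr)], hdr) {
			if raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(line[len(hdr):])); err == nil {
				return strings.Cut(string(raw), ":")
			}
			return // header present but not valid base64
		}
	}
	return
}

// ExtractHTTPBasic reads a classic little-endian pcap stream (Ethernet link type,
// not pcapng) and returns the HTTP Basic credentials found in it. With verbose=false
// a credential is reported once per server, mirroring cred's default duplicate
// suppression; verbose=true reports every occurrence, as -v does.
func ExtractHTTPBasic(r io.Reader, verbose bool) ([]Finding, error) {
	var gh [24]byte
	if _, err := io.ReadFull(r, gh[:]); err != nil {
		return nil, err
	} else if binary.LittleEndian.Uint32(gh[:4]) != 0xa1b2c3d4 || binary.LittleEndian.Uint32(gh[20:]) != 1 {
		return nil, fmt.Errorf("only little-endian classic pcap over Ethernet is supported")
	}
	out, seen := []Finding{}, map[string]bool{}
	for {
		var rh pcapRecord
		if err := binary.Read(r, binary.LittleEndian, &rh); err == io.EOF {
			return out, nil // clean end of file
		} else if err != nil {
			return out, err
		}
		frame := make([]byte, rh.InclLen)
		if _, err := io.ReadFull(r, frame); err != nil {
			return out, err // truncated record
		}
		src, dst, payload, ok := tcpPayload(frame)
		user, secret, found := httpBasic(payload) // payload is nil when !ok, so found is false
		key := dst + "|" + user + "|" + secret
		if ok && found && (verbose || !seen[key]) {
			seen[key] = true
			out = append(out, Finding{rh.TsSec, src, dst, user, secret})
		}
	}
}

// buildTestPcap assembles a constructed capture with one IPv4/TCP frame per
// payload, 10.0.0.5:40000 -> 10.0.0.10:80, zero MACs and zero checksums.
func buildTestPcap(payloads ...string) []byte {
	buf := bytes.NewBuffer([]byte{0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0, 1, 0, 0, 0})
	for i, p := range payloads {
		frame := []byte{12: 0x08, 13: 0x00} // 14-byte Ethernet header: zero MACs, EtherType IPv4
		frame = append(frame, 0x45, 0, byte((40+len(p))>>8), byte(40+len(p)), 0, 0, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 5, 10, 0, 0, 10)
		frame = append(frame, 0x9c, 0x40, 0, 80, 0, 0, 0, 0, 0, 0, 0, 0, 5<<4, 0x18, 0xff, 0xff, 0, 0, 0, 0)
		frame = append(frame, p...)
		binary.Write(buf, binary.LittleEndian, pcapRecord{uint32(1700000000 + i), 0, uint32(len(frame)), uint32(len(frame))})
		buf.Write(frame)
	}
	return buf.Bytes()
}

func main() {
	pcap := buildTestPcap( // constructed traffic: one credential reused twice; expect a single report
		"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic YWxpY2U6czNjcjN0\r\n\r\n",
		"GET /admin/users HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic YWxpY2U6czNjcjN0\r\n\r\n")
	fmt.Println(ExtractHTTPBasic(bytes.NewReader(pcap), false))
}
```

Run it with `go run .` and a single finding is printed for the two requests; passing true as the second argument to ExtractHTTPBasic prints both, which is what you want when correlating against a SIEM by timestamp. The dedup key is server plus credential, so the same password reused against a second host is still reported as a separate finding. Encrypted traffic (HTTPS, SSH) yields nothing here for the same reason it yields nothing in cred: there is no cleartext header to parse.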

Note

Unlike PCredz, cred cannot capture from live interfaces because it is built on the 'pure' Go variant of Google's packet library, to avoid an external dependency on libpcap. This is being worked on, and the feature may be added behind a compile flag or similar, but no promises.

Also, this is for GNU/Linux only. I don't plan to support Mocosoft Windows or macOS, though if a merge request for that lands here I won't reject it either.

Installation

TODO

Usage

If you wish to test with a dummy .pcap file, use the Python script in the genpcap/ directory. For that script to work you first need to create an empty test_full_coverage.pcap file. I really don't recommend using that script, though...

$ cred -f capture.pcap
$ cred -d /path/to/pcaps
$ cred -i eth0 -o /tmp/credence

Options mirror the original PCredz script:

  • -f, -d, -i select a single file, a directory or a live interface at a time.
  • -c disables credit card detection (enabled by default).
  • -t includes UNIX timestamps in every message (useful for correlation).
  • -v prints every finding even if it was already reported in the current run.
  • -o changes the output directory (defaults to the current working directory).

Logs are written under logs/ inside the output path, matching the structure of the original PCredz release, and a CredentialDump-Session.log session file records every finding chronologically.

Disclaimer

The goal of this tool is defensive: it lets network admins and blue team members test their own networks, either to rule out sensitive data being exposed by accident or to prove that safer protocols need to be used on the network.

COPYING

Since this is based on PCredz, which is licensed under GPLv3+, the source code of this repository (where applicable) is also under the terms of the GNU General Public License version 3 or, at your option, any later version.

System requirements

  • Go toolchain (1.20+ recommended). CGO is optional for file/directory parsing; live capture requires CGO with libpcap available on the system.
  • A user account with permission to read .pcap files. Live capture typically needs CAP_NET_RAW or root privileges.
  • Sufficient disk space for log outputs under the chosen -o directory.

Installation from source

$ git clone https://github.com/FuncProgLinux/credence.git
$ cd credence
$ make build

For live capture builds, ensure libpcap development headers are installed and build without CGO_ENABLED=0:

CGO_ENABLED=1 go build ./cmd/...

If you only need offline parsing, CGO_ENABLED=0 works and produces a dependency-free binary.

Detailed usage examples

  • Parse a single file and write outputs under the current directory:

    $ cred -f traffic.pcap

  • Recursively process a directory, store logs under /tmp/credence, and suppress duplicate prints:

    $ cred -d /var/captures -o /tmp/credence -v=false

  • Include timestamps for SIEM correlation:

    $ cred -f incident.pcap -t

Live capture considerations

  • By default (when built with CGO_ENABLED=0) live capture is disabled. The binary will respond with a clear error if -i is provided without CGO.
  • To enable live capture, compile with CGO and ensure libpcap is present, then run with -i <interface>. Root or the CAP_NET_RAW capability is typically required.
  • Avoid running on production interfaces without change control; capturing traffic can have privacy and performance implications.

Output and logging

  • Session log: CredentialDump-Session.log in the output directory captures a chronological feed of discoveries.
  • Parsed findings are written under logs/ with filenames matching PCredz conventions (e.g., HTTP-Basic.txt, NTLMv2.txt, MSKerb.txt).
  • Duplicate suppression is applied unless -v is set.
  • Use -t when you need precise event timing in downstream analysis.

Data handling and safety

  • Only analyze traffic you are authorized to inspect. Collected credentials and payment data can be sensitive; protect the output directory accordingly.
  • Consider encrypting archives of log output and restricting access via file permissions (chmod 700 <output-dir>).
  • Review and purge outputs after an engagement per your organization’s data retention policy.

Troubleshooting

  • Live capture error: Ensure CGO is enabled and libpcap headers are installed; check for required privileges on the interface.
  • Empty outputs: Confirm the capture contains application-layer data; some captures may be encrypted (HTTPS, SSH) and won’t yield credentials.
  • Permission denied writing logs: Point -o to a writable location (e.g., /tmp/credence) or adjust directory permissions.
  • High CPU on large pcaps: Run with -v=false to reduce console output and consider processing smaller batches of files.

About

Pcap analyzer inspired by PCredz, written in Go for GNU Guix.
