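#!/usr/bin/env python3
"""Print a John the Ripper ``$SNMPv3$`` line for the first usable packet in a pcap.

Only Ethernet / IPv4 / UDP frames sent to destination port 161 are examined.
Fields are located by searching the UDP payload for fixed tag/length byte
pairs; the message is not BER-decoded. A matching byte pair that happens to
occur earlier in the payload is therefore taken instead of the real field,
and fields whose length differs from the hard-coded one are never found.

The printed line embeds the complete SNMP message, so it is as sensitive as
the capture it came from.
"""

import binascii
import re
import sys

# sys must already be imported here: the ImportError handler writes to
# sys.stderr and calls sys.exit(), which raised NameError when the stdlib
# imports came after this guard.
try:
    import dpkt
except ImportError:
    sys.stderr.write("Please install 'dpkt' package for Python, running 'pip install --user dpkt' should work\n")
    sys.exit(1)


def _hex(raw):
    """Return *raw* (bytes-like) as a lowercase hex string."""
    return binascii.hexlify(raw).decode()


def _snmpv3_to_jtr(payload):
    """Build the ``$SNMPv3$`` line for one UDP payload.

    Returns the line as ``str``, or ``None`` when the payload lacks any of
    the byte patterns the extractor looks for.
    """
    data = bytearray(payload)

    # Gate only: require something that looks like a short printable
    # OCTET STRING (a user name). The matched text itself is not used in the
    # output line.
    if not re.search(rb'\x04[\x01-\x20]([a-zA-Z0-9_\-]{3,32})', data):
        return None

    # engineID: first occurrence of tag 0x04 with length 0x0b (11 bytes).
    # NOTE(review): SnmpEngineID is variable length (RFC 3411 allows 5..32
    # octets), so agents using another length are skipped - confirm this is
    # acceptable for the captures being audited.
    engid_index = data.find(b'\x04\x0b')
    if engid_index == -1 or len(data) < engid_index + 13:
        return None
    engine_id = data[engid_index + 2:engid_index + 13]

    # authParameters: first occurrence of tag 0x04 with length 0x0c (12 bytes),
    # i.e. a 96-bit truncated HMAC.
    # NOTE(review): longer digests (e.g. the HMAC-SHA-2 USM protocols) have a
    # different length byte and will not match - verify against the target.
    auth_index = data.find(b'\x04\x0c')
    if auth_index == -1 or len(data) < auth_index + 14:
        return None
    auth_digest = data[auth_index + 2:auth_index + 14]  # slice copies, taken before zeroing
    # The message is emitted with the digest field replaced by twelve zero bytes.
    data[auth_index + 2:auth_index + 14] = b'\x00' * 12

    # privParameters are optional: tag 0x04 with length 0x08 (8 bytes).
    priv_index = data.find(b'\x04\x08')
    has_priv = priv_index != -1 and len(data) >= priv_index + 10

    snmpv3_pdu_hex = _hex(data)
    engine_id_hex = _hex(engine_id)
    auth_digest_hex = _hex(auth_digest)

    # The digits after "$SNMPv3$" are kept exactly as the script has always
    # emitted them ("1" then "4" with privParameters, "3" without).
    # NOTE(review): their meaning, and whether the extra trailing field is
    # accepted, is defined by the consuming John the Ripper format - confirm.
    if has_priv:
        priv_hex = _hex(data[priv_index + 2:priv_index + 10])
        return f"$SNMPv3$1$4${snmpv3_pdu_hex}${engine_id_hex}${auth_digest_hex}${priv_hex}"
    return f"$SNMPv3$1$3${snmpv3_pdu_hex}${engine_id_hex}${auth_digest_hex}"


def extract_snmpv3(pcap_path):
    """Print the ``$SNMPv3$`` line for the first matching packet in *pcap_path*.

    Reads the file with ``dpkt.pcap.Reader`` and stops at the first
    Ethernet/IPv4/UDP frame with destination port 161 whose payload yields a
    line. Traffic sent *from* port 161 (agent replies) is not examined.
    Prints a fixed message if no packet qualifies. Returns ``None``.
    """
    with open(pcap_path, 'rb') as f:
        pcap = dpkt.pcap.Reader(f)
        for _ts, buf in pcap:
            # A capture is untrusted input: one truncated or malformed frame
            # should be skipped, not abort the whole run.
            try:
                eth = dpkt.ethernet.Ethernet(buf)
            except dpkt.dpkt.UnpackError:
                continue

            ip = eth.data
            if not isinstance(ip, dpkt.ip.IP):
                continue
            udp = ip.data
            if not isinstance(udp, dpkt.udp.UDP):
                continue
            if udp.dport != 161:
                continue

            jtr_line = _snmpv3_to_jtr(udp.data)
            if jtr_line is None:
                continue

            print(jtr_line)
            return

    print("SNMPv3-packet could not be extracted.")


# --- Main ---
if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: snmptojohn.py file.pcap")
        sys.exit(1)

    extract_snmpv3(sys.argv[1])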