Pcap Inspection
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
A note about PCAP vs PCAPNG: there are two versions of the PCAP file format; PCAPNG is newer and not supported by all tools. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
If the header of your pcap is broken you should try to fix it using: http://f00l.de/hacking/pcapfix.php
Extract information and search for malware inside a pcap in PacketTotal
Search for malicious activity using www.virustotal.com and www.hybrid-analysis.com
Full pcap analysis from the browser in https://apackets.com/
The following tools are useful to extract statistics, files, etc.
If you are going to analyze a PCAP you basically must to know how to use Wireshark
You can find some Wireshark tricks in:
Wireshark tricksPcap analysis from the browser.
Xplico (only linux) can analyze a pcap and extract information from it. For example, from a pcap file Xplico, extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
Install
Run
Access to 127.0.0.1:9876 with credentials xplico:xplico
Then create a new case, create a new session inside the case and upload the pcap file.
Like Xplico it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download here. It works with Windows. This tool is also useful to get other information analysed from the packets in order to be able to know what was happening in a quicker way.
You can download NetWitness Investigator from here (It works in Windows). This is another useful tool that analyses the packets and sorts the information in a useful way to know what is happening inside.
Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
Build a visual network diagram (Network nodes & users)
Extract DNS queries
Reconstruct all TCP & UDP Sessions
File Carving
If you are looking for something inside the pcap you can use ngrep. Here is an example using the main filters:
Using common carving techniques can be useful to extract files and information from the pcap:
File/Data Carving & Recovery ToolsYou can use tools like https://github.com/lgandx/PCredz to parse credentials from a pcap or a live interface.
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
Install and setup
Check pcap
YaraPCAP is a tool that
Reads a PCAP File and Extracts Http Streams.
gzip deflates any compressed streams
Scans every file with yara
Writes a report.txt
Optionally saves matching files to a Dir
Check if you can find any fingerprint of a known malware:
Malware AnalysisZeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a Network Security Monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
Basically, logs created by zeek
aren't pcaps. Therefore you will need to use other tools to analyse the logs where the information about the pcaps are.
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)