HackTricks
Pcap Inspection

Support HackTricks and get benefits!
A note about PCAP vs PCAPNG: there are two versions of the PCAP file format; PCAPNG is newer and not supported by all tools. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
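Before picking a tool it helps to know which of the two formats a file actually is, since the extension is not always right. The following is an added example (not code from HackTricks or the Wireshark project) that classifies a capture by its magic bytes: classic pcap files start with one of four magic values (two byte orders, microsecond or nanosecond timestamps), while pcapng files start with a Section Header Block whose byte-order magic sits at offset 8. The sample headers and function names are constructed for this example.

```python
"""Added example, not from the HackTricks page or Wireshark: tell pcap from pcapng by
the file's magic bytes before choosing a tool. Sample headers are constructed inline."""
import struct

# Magic numbers from the pcap file header and the pcapng Section Header Block (SHB).
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ("pcap", "big-endian, microsecond timestamps"),
    b"\xd4\xc3\xb2\xa1": ("pcap", "little-endian, microsecond timestamps"),
    b"\xa1\xb2\x3c\x4d": ("pcap", "big-endian, nanosecond timestamps"),
    b"\x4d\x3c\xb2\xa1": ("pcap", "little-endian, nanosecond timestamps"),
}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"  # palindromic, so it reads the same in both byte orders
PCAPNG_BOM = {b"\x1a\x2b\x3c\x4d": "big-endian", b"\x4d\x3c\x2b\x1a": "little-endian"}


def detect_capture_format(data):
    """Classify the first bytes of a capture as ('pcap'|'pcapng'|'unknown', detail)."""
    if len(data) < 4:
        return ("unknown", "fewer than 4 bytes")
    magic = bytes(data[:4])
    if magic in PCAP_MAGICS:
        return PCAP_MAGICS[magic]
    if magic == PCAPNG_SHB_TYPE:
        # SHB layout: block type (4) | block total length (4) | byte-order magic (4) | version ...
        order = PCAPNG_BOM.get(bytes(data[8:12]))
        return ("pcapng", f"{order} section" if order else "byte-order magic missing")
    return ("unknown", "no pcap or pcapng magic")


def detect_capture_file(path):
    """Read only the 12-byte prefix that classification needs."""
    with open(path, "rb") as fh:
        return detect_capture_format(fh.read(12))


# Constructed headers: a little-endian pcap global header (version 2.4, snaplen 65535,
# Ethernet link type) and a little-endian pcapng SHB with no options.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = PCAPNG_SHB_TYPE + struct.pack("<IIHHqI", 28, 0x1A2B3C4D, 1, 0, -1, 28)

if __name__ == "__main__":
    print(detect_capture_format(SAMPLE_PCAP))    # pcap, little-endian, microsecond timestamps
    print(detect_capture_format(SAMPLE_PCAPNG))  # pcapng, little-endian section
```

If the result is pcapng and the target tool only reads classic pcap, Wireshark's command-line companion can convert it: `editcap -F pcap capture.pcapng capture.pcap`. Converting drops pcapng-only data such as per-interface metadata and comments, so keep the original file alongside the converted one.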

Online tools for pcaps

Extract Information

The following tools are useful to extract statistics, files, and other artefacts from a capture.

Wireshark

If you are going to analyze a PCAP you basically must know how to use Wireshark.
You can find some Wireshark tricks in:

Xplico Framework

Xplico (Linux only) can analyze a pcap and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
Install
```bash
# Add the Xplico repository for the running Ubuntu release, then install the package
sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" >> /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico
```
Run
```bash
/etc/init.d/apache2 restart
/etc/init.d/xplico start
```
Access 127.0.0.1:9876 with the credentials xplico:xplico.
Then create a new case, create a new session inside the case and upload the pcap file.

NetworkMiner

Like Xplico, it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download here. It runs on Windows. This tool is also useful for getting other information parsed out of the packets, so you can quickly understand what was happening in the capture.

NetWitness Investigator

You can download NetWitness Investigator from here (it runs on Windows). This is another useful tool that analyses the packets and sorts the information in a useful way, to show what is happening inside the capture.

BruteShark

BruteShark is a network forensic analysis tool that can:
  • Extract and encode usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
  • Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
  • Build a visual network diagram (network nodes & users)
  • Extract DNS queries
  • Reconstruct all TCP & UDP sessions
  • Carve files

Capinfos

capinfos (part of the Wireshark suite) prints summary statistics about a capture file, such as file type, packet count, capture duration and data rate:
```bash
capinfos capture.pcap
```

Ngrep

If you are looking for something inside the pcap you can use ngrep. An example using the main filters:
```bash
ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
```

Carving

Using common carving techniques can be useful to extract files and information from the pcap:

Capturing credentials

You can use tools like https://github.com/lgandx/PCredz to parse credentials from a pcap or a live interface.

Check Exploits/Malware

Suricata

Install and setup
```bash
apt-get install suricata
apt-get install oinkmaster
echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
```
Check pcap
```bash
suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
```

YaraPcap

YaraPCAP is a tool that:
  • Reads a PCAP file and extracts HTTP streams.
  • gzip-inflates any compressed streams.
  • Scans every file with YARA.
  • Writes a report.txt.
  • Optionally saves matching files to a directory.

Malware Analysis

Check if you can find any fingerprint of a known malware:

Zeek

Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a network security monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
Basically, the logs created by Zeek aren't pcaps: Zeek reads the pcap and writes tab-separated logs (conn.log, dns.log, ...) that summarise what it saw. You therefore need other tools, such as zeek-cut, awk or RITA, to analyse those logs, which is where the information about the pcap ends up.

Connections Info

```bash
#Get info about longest connections (add "grep udp" to see only udp traffic)
#The longest connection might be of malware (constant reverse shell?)
cat conn.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p proto service duration | sort -nrk 7 | head -n 10

10.55.100.100 49778 65.52.108.225 443 tcp - 86222.365445
10.55.100.107 56099 111.221.29.113 443 tcp - 86220.126151
10.55.100.110 60168 40.77.229.82 443 tcp - 86160.119664


#Improve the metrics by summing up the total duration time for connections that have the same destination IP and Port.
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto duration | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2 FS $3 FS $4] += $5 } END{ for (key in arr) printf "%s%s%s\n", key, FS, arr[key] }' | sort -nrk 5 | head -n 10

10.55.100.100 65.52.108.225 443 tcp 86222.4
10.55.100.107 111.221.29.113 443 tcp 86220.1
10.55.100.110 40.77.229.82 443 tcp 86160.1

#Get the number of connections summed up per each line
cat conn.log | zeek-cut id.orig_h id.resp_h duration | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2] += $3; count[$1 FS $2] += 1 } END{ for (key in arr) printf "%s%s%s%s%s\n", key, FS, count[key], FS, arr[key] }' | sort -nrk 4 | head -n 10

10.55.100.100 65.52.108.225 1 86222.4
10.55.100.107 111.221.29.113 1 86220.1
10.55.100.110 40.77.229.82 134 86160.1

#Check if any IP is connecting to 1.1.1.1 (dots escaped so grep matches literally)
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service | grep '1\.1\.1\.1' | sort | uniq -c

#Get number of connections per source IP, dest IP and dest Port
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2 FS $3 FS $4] += 1 } END{ for (key in arr) printf "%s%s%s\n", key, FS, arr[key] }' | sort -nrk 5 | head -n 10


# RITA
#Something similar can be done with the tool rita
rita show-long-connections -H --limit 10 zeek_logs

+---------------+----------------+--------------------------+----------------+
| SOURCE IP | DESTINATION IP | DSTPORT:PROTOCOL:SERVICE | DURATION |
+---------------+----------------+--------------------------+----------------+
| 10.55.100.100 | 65.52.108.225 | 443:tcp:- | 23h57m2.3655s |
| 10.55.100.107 | 111.221.29.113 | 443:tcp:- | 23h57m0.1262s |
| 10.55.100.110 | 40.77.229.82 | 443:tcp:- | 23h56m0.1197s |

#Get beaconing candidates (regular, repeated connections) from rita
rita show-beacons zeek_logs | head -n 10
Score,Source IP,Destination IP,Connections,Avg Bytes,Intvl Range,Size Range,Top Intvl,Top Size,Top Intvl Count,Top Size Count,Intvl Skew,Size Skew,Intvl Dispersion,Size Dispersion
1,192.168.88.2,165.227.88.15,108858,197,860,182,1,89,53341,108319,0,0,0,0
1,10.55.100.111,165.227.216.194,20054,92,29,52,1,52,7774,20053,0,0,0,0
0.838,10.55.200.10,205.251.194.64,210,69,29398,4,300,70,109,205,0,0,0,0
```

DNS info

```bash
#Get info about each DNS request performed
cat dns.log | zeek-cut -c id.orig_h query qtype_name answers

#Get number of distinct names requested per registered domain and get the top 10
cat dns.log | zeek-cut query | sort | uniq | rev | cut -d '.' -f 1-2 | rev | sort | uniq -c | sort -nr | head -n 10

#Get all the IPs that queried a given domain (example.com here)
cat dns.log | zeek-cut id.orig_h query | grep 'example\.com' | cut -f 1 | sort | uniq -c

#Sort the most common DNS record types requested (should be A)
cat dns.log | zeek-cut qtype_name | sort | uniq -c | sort -nr

#See top DNS domains requested with rita
rita show-exploded-dns -H --limit 10 zeek_logs
```
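The conn.log and dns.log pipelines above rely on zeek-cut and awk. As an added example (not code from HackTricks, Zeek or RITA), here is a short Python script that parses Zeek's tab-separated log format directly, using the #fields header for column names and treating "-" as unset, and recomputes the same aggregations: longest connections, total duration plus connection count per destination, distinct names per registered domain, and the query-type distribution. The conn.log and dns.log excerpts, with their IPs and domain names, are constructed sample data, and the function names are this example's own.

```python
"""Added example, not code from HackTricks or from Zeek/RITA: a minimal parser for
Zeek's tab-separated logs plus the aggregations that the zeek-cut/awk pipelines
above compute, so they can be run from one script. All log lines are constructed."""
from collections import defaultdict

# Constructed excerpt of a conn.log ("-" marks an unset field, as in real Zeek logs).
CONN_LOG = """\
#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
1.0\t10.55.100.100\t49778\t65.52.108.225\t443\ttcp\t-\t86222.365445
2.0\t10.55.100.107\t56099\t111.221.29.113\t443\ttcp\t-\t86220.126151
3.0\t10.55.100.110\t60168\t40.77.229.82\t443\ttcp\t-\t50000.5
4.0\t10.55.100.110\t60169\t40.77.229.82\t443\ttcp\t-\t36159.619664
5.0\t10.55.100.110\t60170\t10.55.100.1\t53\tudp\tdns\t-
#close\t2024-01-01-00-00-00
"""

# Constructed excerpt of a dns.log.
DNS_LOG = """\
#fields\tts\tid.orig_h\tquery\tqtype_name\tanswers
1.0\t10.55.100.100\twww.example.com\tA\t203.0.113.10
2.0\t10.55.100.107\tmail.example.com\tA\t-
3.0\t10.55.100.107\tcdn.example.net\tAAAA\t-
4.0\t10.55.100.110\twww.example.com\tA\t203.0.113.10
5.0\t10.55.100.110\tupdates.example.org\tA\t-
"""


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts keyed by the names in its #fields header.
    Unset fields ("-") become None so callers skip them explicitly."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif not line or line.startswith("#"):
            continue  # #separator/#close metadata and blank lines
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            values = line.split("\t")
            records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def longest_connections(records, limit=10):
    """Single connections ranked by duration (the zeek-cut ... | sort -nrk 7 pipeline)."""
    rows = [r for r in records if r["duration"] is not None]
    rows.sort(key=lambda r: float(r["duration"]), reverse=True)
    return [(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["proto"], float(r["duration"]))
            for r in rows[:limit]]


def duration_by_destination(records, limit=10):
    """Total duration and connection count per (src, dst, dst port, proto): many short
    connections to one destination add up just like a single long one."""
    total, count = defaultdict(float), defaultdict(int)
    for r in records:
        if r["duration"] is None:
            continue
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["proto"])
        total[key] += float(r["duration"])
        count[key] += 1
    ranked = sorted(total, key=total.get, reverse=True)
    return [key + (count[key], round(total[key], 1)) for key in ranked[:limit]]


def top_domains(records, limit=10):
    """Distinct query names per registered domain (last two labels), mirroring the
    'sort | uniq | rev | cut -d . -f 1-2 | rev | uniq -c' pipeline."""
    distinct = {r["query"] for r in records if r["query"] is not None}
    counts = defaultdict(int)
    for name in distinct:
        counts[".".join(name.split(".")[-2:])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def qtype_counts(records):
    """Query types by frequency; A should dominate, an unusual mix deserves a closer look."""
    counts = defaultdict(int)
    for r in records:
        counts[r["qtype_name"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    conn = parse_zeek_log(CONN_LOG)
    for row in duration_by_destination(conn):
        print(*row)
    dns = parse_zeek_log(DNS_LOG)
    print(top_domains(dns), qtype_counts(dns))
```

Run it against real logs by replacing the constructed strings with the contents of conn.log and dns.log; the per-destination totals are rounded to one decimal so they line up with the awk output shown above, where the two shorter connections to 40.77.229.82 in the sample add up to the single long-connection figure.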

Other pcap analysis tricks
