hacktricks/forensics/basic-forensic-methodology/pcap-inspection/README.md

139 lines
4.6 KiB
Markdown
Raw Normal View History

2021-05-28 17:40:28 +00:00
# Pcap Inspection
2021-05-28 17:51:59 +00:00
{% hint style="info" %}
A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; P**CAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
{% endhint %}
## Online tools for pcaps
* If the header of your pcap is **broken** you should try to **fix** it using: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php)\*\*\*\*
* Extract **information** and search for **malware** inside a pcap in [**PacketTotal**](https://packettotal.com/)\*\*\*\*
2020-12-11 23:06:04 +00:00
* Search for **malicious activity** using [**www.virustotal.com**](https://www.virustotal.com/) and [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com/)\*\*\*\*
2021-05-28 17:40:28 +00:00
## Extract Information
2021-05-28 17:40:28 +00:00
The following tools are useful to extract statistic, files...
2020-12-06 00:31:08 +00:00
2021-05-28 17:40:28 +00:00
### Wireshark
2021-05-28 17:40:28 +00:00
{% hint style="info" %}
**If you are going to analyze a PCAP you basically must to know how to use Wireshark**
{% endhint %}
2021-05-28 17:40:28 +00:00
You can find some Wireshark trick in:
2021-05-28 17:40:28 +00:00
{% page-ref page="wireshark-tricks.md" %}
2021-05-28 17:40:28 +00:00
### Xplico Framework
2021-08-19 16:19:41 +00:00
\*\*\*\*[**Xplico** ](https://github.com/xplico/xplico)_\(only linux\)_ ****can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email \(POP, IMAP, and SMTP protocols\), all HTTP contents, each VoIP call \(SIP\), FTP, TFTP, and so on.
2021-05-28 17:40:28 +00:00
#### Install
2021-01-26 09:28:32 +00:00
```bash
sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico
```
2021-05-28 17:40:28 +00:00
#### Run
```text
/etc/init.d/apache2 restart
/etc/init.d/xplico start
```
Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_
Then create a **new case**, create a **new session** inside the case and **upload the pcap** file.
2021-05-28 17:40:28 +00:00
### NetworkMiner
2021-08-19 16:19:41 +00:00
Like Xplico it is a tool to **analyze and extract objects from pcaps**. It has a free edition that you can **download** [**here**](https://www.netresec.com/?page=NetworkMiner). It works with **Windows**.
This tool is also useful to get **other information analysed** from the packets in order to be able to know what was happening there in a **quick** way.
### NetWitness Investigator
2021-08-19 16:19:41 +00:00
You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **\(It works in Windows\)**.
This is another useful tool that **analyse the packets** and sort the information in a useful way to **know what is happening inside**.
![](../../../.gitbook/assets/image%20%28570%29.png)
2021-05-28 17:40:28 +00:00
### [BruteShark](https://github.com/odedshimon/BruteShark)
2021-01-26 09:28:32 +00:00
* Extracting and encoding usernames and passwords \(HTTP, FTP, Telnet, IMAP, SMTP...\)
* Extract authentication hashes and crack them using Hashcat \(Kerberos, NTLM, CRAM-MD5, HTTP-Digest...\)
* Build visual network diagram \(Network nodes & users\)
* Extract DNS queries
* Reconstruct all TCP & UDP Sessions
* File Carving
2021-05-28 17:40:28 +00:00
### Capinfos
```text
capinfos capture.pcap
```
### Ngrep
If you are **looking** for **something** inside the pcap you can use **ngrep**. And example using the main filters:
2021-08-19 16:19:41 +00:00
```bash
2021-05-28 17:40:28 +00:00
ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
```
### Carving
Using common carving techniques can be useful to extract files and information from the pcap:
2021-05-28 17:53:46 +00:00
{% page-ref page="../partitions-file-systems-carving/file-data-carving-recovery-tools.md" %}
2021-05-28 17:40:28 +00:00
2021-06-27 13:00:19 +00:00
### Capturing credentials
You can us tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface.
2021-05-28 17:40:28 +00:00
## Check Exploits/Malware
### Suricata
#### Install and setup
```text
apt-get install suricata
apt-get install oinkmaster
echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
```
#### Check pcap
```text
suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
```
### YaraPcap
\*\*\*\*[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that
* Reads a PCAP File and Extracts Http Streams.
* gzip deflates any compressed streams
* Scans every file with yara
* writes a report.txt
* optionally saves matching files to a Dir
2021-05-28 17:51:59 +00:00
### Malware Analysis
Check if you can find any fingerprint of a known malware:
{% page-ref page="../malware-analysis.md" %}
## Other pcap analysis tricks
2021-05-28 17:40:28 +00:00
{% page-ref page="dnscat-exfiltration.md" %}
{% page-ref page="usb-keyboard-pcap-analysis.md" %}
{% page-ref page="wifi-pcap-analysis.md" %}