hacktricks/forensics/basic-forensic-methodology/pcap-inspection
2021-05-28 17:53:46 +00:00
..
dnscat-exfiltration.md GitBook: [master] 12 pages modified 2021-05-28 17:40:28 +00:00
README.md GitBook: [master] 476 pages modified 2021-05-28 17:53:46 +00:00
usb-keyboard-pcap-analysis.md GitBook: [master] 12 pages modified 2021-05-28 17:40:28 +00:00
wifi-pcap-analysis.md GitBook: [master] 12 pages modified 2021-05-28 17:40:28 +00:00
wireshark-tricks.md GitBook: [master] 12 pages modified 2021-05-28 17:40:28 +00:00

Pcap Inspection

{% hint style="info" %} A note about PCAP vs PCAPNG: there are two versions of the PCAP file format; PCAPNG is newer and not supported by all tools. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools. {% endhint %}

Online tools for pcaps

Extract Information

The following tools are useful to extract statistic, files...

Wireshark

{% hint style="info" %} If you are going to analyze a PCAP you basically must to know how to use Wireshark {% endhint %}

You can find some Wireshark trick in:

{% page-ref page="wireshark-tricks.md" %}

Xplico Framework

Xplico can analyze a pcap and extract information from it. For example, from a pcap file Xplico extracts each email POP, IMAP, and SMTP protocols, all HTTP contents, each VoIP call SIP, FTP, TFTP, and so on.

Install

sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico

Run

/etc/init.d/apache2 restart
/etc/init.d/xplico start

Access to 127.0.0.1:9876 with credentials xplico:xplico

Then create a new case, create a new session inside the case and upload the pcap file.

NetworkMiner

Like Xplico it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download here.

BruteShark

  • Extracting and encoding usernames and passwords HTTP, FTP, Telnet, IMAP, SMTP...
  • Extract authentication hashes and crack them using Hashcat Kerberos, NTLM, CRAM-MD5, HTTP-Digest...
  • Build visual network diagram Network nodes & users
  • Extract DNS queries
  • Reconstruct all TCP & UDP Sessions
  • File Carving

Capinfos

capinfos capture.pcap

Ngrep

If you are looking for something inside the pcap you can use ngrep. And example using the main filters:

ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"

Carving

Using common carving techniques can be useful to extract files and information from the pcap:

{% page-ref page="../partitions-file-systems-carving/file-data-carving-recovery-tools.md" %}

Check Exploits/Malware

Suricata

Install and setup

apt-get install suricata
apt-get install oinkmaster
echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Check pcap

suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log

YaraPcap

****YaraPCAP is a tool that

  • Reads a PCAP File and Extracts Http Streams.
  • gzip deflates any compressed streams
  • Scans every file with yara
  • writes a report.txt
  • optionally saves matching files to a Dir

Malware Analysis

Check if you can find any fingerprint of a known malware:

{% page-ref page="../malware-analysis.md" %}

Other pcap analysis tricks

{% page-ref page="dnscat-exfiltration.md" %}

{% page-ref page="usb-keyboard-pcap-analysis.md" %}

{% page-ref page="wifi-pcap-analysis.md" %}