Pcap Inspection
The following tools are useful to extract statistics, files, etc.
You can find some Wireshark tricks in:
Pcap analysis from the browser.
Install
Run
Access 127.0.0.1:9876 with the credentials xplico:xplico.
Then create a new case, create a new session inside the case, and upload the pcap file.
Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
Build a visual network diagram (Network nodes & users)
Extract DNS queries
Reconstruct all TCP & UDP Sessions
File Carving
If you are looking for something specific inside the pcap, you can use ngrep. Here is an example using the main filters:
Using common carving techniques can be useful to extract files and information from the pcap:
Install and set up
Check pcap
Reads a pcap file and extracts HTTP streams
Decompresses (gunzip) any compressed streams
Scans every extracted file with YARA
Writes a report.txt
Optionally saves matching files to a directory
Check if you can find any fingerprint of a known malware:
Basically, the logs created by Zeek aren't pcaps. Therefore you will need other tools to analyse the logs, which is where the information about the captured traffic ends up.
is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
If the header of your pcap is broken you should try to fix it using:
Extract information and search for malware inside a pcap in
Search for malicious activity using and
Full pcap analysis from the browser in
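As an added example (not code from the original page nor from pcapfix), the following Python script shows what a "broken header" means in practice: it validates the pcap global header (magic, endianness, timestamp unit, version, snaplen, link type) and walks the per-record headers to report truncation or impossible lengths. The sample captures it runs on are constructed inline and are not real traffic.

```python
import struct

# Magic as read with "<I" from the first 4 bytes -> (struct byte-order prefix, timestamp unit).
MAGICS = {0xA1B2C3D4: ("<", "us"), 0xD4C3B2A1: (">", "us"),
          0xA1B23C4D: ("<", "ns"), 0x4D3CB2A1: (">", "ns")}
MAX_SNAPLEN = 262144  # libpcap's MAXIMUM_SNAPLEN; a larger record length means corruption

def inspect_pcap(data: bytes) -> dict:
    """Validate the 24-byte global header, then walk the 16-byte per-record headers."""
    info = {"ok": False, "packets": 0, "truncated": False, "error": None}
    if len(data) < 24:
        info["error"] = "shorter than the 24-byte global header"
        return info
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        info["error"] = f"unknown magic 0x{magic:08x}: header corrupt or not a pcap"
        return info
    endian, unit = MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    info.update(endian=endian, ts_unit=unit, version=(major, minor),
                snaplen=snaplen, linktype=linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > orig_len or incl_len > MAX_SNAPLEN:
            info["error"] = f"record {info['packets']} at offset {off}: bad length {incl_len}"
            return info
        if off + 16 + incl_len > len(data):   # header intact but payload cut off
            break
        info["packets"] += 1
        off += 16 + incl_len
    info["truncated"] = off != len(data)       # leftover bytes: capture ended mid-record
    info["ok"] = not info["truncated"]
    return info

def build_pcap(records, endian="<") -> bytes:
    """Constructed sample writer: v2.4 header, snaplen 65535, linktype 1 (Ethernet)."""
    hdr = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack(endian + "IIII", 1_700_000_000 + i, 0, len(p), len(p)) + p
                    for i, p in enumerate(records))
    return hdr + body

# Constructed inputs (not real captures): two fake Ethernet frames.
PKT1 = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"A" * 20
PKT2 = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"B" * 28
GOOD = build_pcap([PKT1, PKT2])
TRUNCATED = GOOD[:-10]                      # sniffer killed mid-record
BAD_MAGIC = b"\x00\x00\x00\x00" + GOOD[4:]  # damaged global header, pcapfix territory
BIG_ENDIAN = build_pcap([PKT1], endian=">")
```

A truncated last record is normal after a killed sniffer and most tools tolerate it, whereas a bad magic or an impossible record length usually means the file needs repair before Wireshark or Xplico will open it.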
Xplico (Linux only) can analyze a pcap and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
Like Xplico, it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download, and it works on Windows. It is also useful because it presents other information parsed from the packets, so you can understand what was happening more quickly.
You can download it (it works on Windows). This is another useful tool that analyses the packets and organizes the information so that you can see what is happening inside the capture.
You can use tools like to parse credentials from a pcap or a live interface.
is a tool that
Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a Network Security Monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.