Pcap Inspection
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
A note about PCAP vs PCAPNG: there are two versions of the PCAP file format; PCAPNG is newer and not supported by all tools. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
Online tools for pcaps
If the header of your pcap is broken you should try to fix it using: http://f00l.de/hacking/pcapfix.php
Extract information and search for malware inside a pcap in PacketTotal
Search for malicious activity using www.virustotal.com and www.hybrid-analysis.com
Full pcap analysis from the browser in https://apackets.com/
Extract Information
The following tools are useful to extract statistics, files, etc.
Wireshark
If you are going to analyze a PCAP you basically must to know how to use Wireshark
You can find some Wireshark tricks in:
Wireshark tricksPcap analysis from the browser.
Xplico Framework
Xplico (only linux) can analyze a pcap and extract information from it. For example, from a pcap file Xplico, extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
Install
Run
Access to 127.0.0.1:9876 with credentials xplico:xplico
Then create a new case, create a new session inside the case and upload the pcap file.
NetworkMiner
Like Xplico it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download here. It works with Windows. This tool is also useful to get other information analysed from the packets in order to be able to know what was happening in a quicker way.
NetWitness Investigator
You can download NetWitness Investigator from here (It works in Windows). This is another useful tool that analyses the packets and sorts the information in a useful way to know what is happening inside.
Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
Build a visual network diagram (Network nodes & users)
Extract DNS queries
Reconstruct all TCP & UDP Sessions
File Carving
Capinfos
Ngrep
If you are looking for something inside the pcap you can use ngrep. Here is an example using the main filters:
Carving
Using common carving techniques can be useful to extract files and information from the pcap:
File/Data Carving & Recovery ToolsCapturing credentials
You can use tools like https://github.com/lgandx/PCredz to parse credentials from a pcap or a live interface.
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
Check Exploits/Malware
Suricata
Install and setup
Check pcap
YaraPcap
YaraPCAP is a tool that
Reads a PCAP File and Extracts Http Streams.
gzip deflates any compressed streams
Scans every file with yara
Writes a report.txt
Optionally saves matching files to a Dir
Malware Analysis
Check if you can find any fingerprint of a known malware:
Malware AnalysisZeek
Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a Network Security Monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
Basically, logs created by zeek
aren't pcaps. Therefore you will need to use other tools to analyse the logs where the information about the pcaps are.
Connections Info
DNS info
Other pcap analysis tricks
DNSCat pcap analysisWifi Pcap AnalysisUSB Keystrokes
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
Last updated