hacktricks/forensics/basic-forensic-methodology/pcap-inspection/README.md

271 lines
14 KiB
Markdown
Raw Normal View History

2022-04-28 23:27:22 +00:00
# Pcap Inspection
2022-04-28 16:01:33 +00:00
<details>
2023-03-05 23:16:20 +00:00
<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2023-01-02 12:00:18 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>
2022-10-25 15:56:49 +00:00
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %}
2021-05-28 17:51:59 +00:00
{% hint style="info" %}
A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; **PCAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
2021-05-28 17:51:59 +00:00
{% endhint %}
2022-05-01 13:25:53 +00:00
## Online tools for pcaps
2022-04-05 22:24:52 +00:00
* If the header of your pcap is **broken** you should try to **fix** it using: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php)
* Extract **information** and search for **malware** inside a pcap in [**PacketTotal**](https://packettotal.com)
* Search for **malicious activity** using [**www.virustotal.com**](https://www.virustotal.com) and [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com)
2022-05-01 13:25:53 +00:00
## Extract Information
2022-09-10 08:19:19 +00:00
The following tools are useful to extract statistics, files, etc.
2020-12-06 00:31:08 +00:00
2022-05-01 13:25:53 +00:00
### Wireshark
2021-05-28 17:40:28 +00:00
{% hint style="info" %}
**If you are going to analyze a PCAP you basically must to know how to use Wireshark**
{% endhint %}
2022-09-10 08:19:19 +00:00
You can find some Wireshark tricks in:
{% content-ref url="wireshark-tricks.md" %}
[wireshark-tricks.md](wireshark-tricks.md)
{% endcontent-ref %}
2022-05-01 13:25:53 +00:00
### Xplico Framework
2022-09-10 08:19:19 +00:00
[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico, extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
2022-04-28 23:27:22 +00:00
**Install**
2021-01-26 09:28:32 +00:00
```bash
sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico
```
2022-04-28 23:27:22 +00:00
**Run**
```
/etc/init.d/apache2 restart
/etc/init.d/xplico start
```
2021-11-30 16:46:07 +00:00
Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_
Then create a **new case**, create a **new session** inside the case and **upload the pcap** file.
2022-05-01 13:25:53 +00:00
### NetworkMiner
2021-11-30 16:46:07 +00:00
Like Xplico it is a tool to **analyze and extract objects from pcaps**. It has a free edition that you can **download** [**here**](https://www.netresec.com/?page=NetworkMiner). It works with **Windows**.\
2022-09-10 08:19:19 +00:00
This tool is also useful to get **other information analysed** from the packets in order to be able to know what was happening in a **quicker** way.
2022-05-01 13:25:53 +00:00
### NetWitness Investigator
2021-11-30 16:46:07 +00:00
You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(It works in Windows)**.\
2022-09-10 08:19:19 +00:00
This is another useful tool that **analyses the packets** and sorts the information in a useful way to **know what is happening inside**.
2023-03-05 19:54:13 +00:00
![](<../../../.gitbook/assets/image (567) (1) (1).png>)
2022-05-01 13:25:53 +00:00
### [BruteShark](https://github.com/odedshimon/BruteShark)
2021-01-26 09:28:32 +00:00
* Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
* Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
2022-09-10 08:19:19 +00:00
* Build a visual network diagram (Network nodes & users)
2021-01-26 09:28:32 +00:00
* Extract DNS queries
* Reconstruct all TCP & UDP Sessions
* File Carving
2022-05-01 13:25:53 +00:00
### Capinfos
2021-05-28 17:40:28 +00:00
```
2021-05-28 17:40:28 +00:00
capinfos capture.pcap
```
2022-05-01 13:25:53 +00:00
### Ngrep
2021-05-28 17:40:28 +00:00
2022-09-10 08:19:19 +00:00
If you are **looking** for **something** inside the pcap you can use **ngrep**. Here is an example using the main filters:
2021-05-28 17:40:28 +00:00
2021-08-19 16:19:41 +00:00
```bash
2021-05-28 17:40:28 +00:00
ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
```
2022-05-01 13:25:53 +00:00
### Carving
2021-05-28 17:40:28 +00:00
Using common carving techniques can be useful to extract files and information from the pcap:
{% content-ref url="../partitions-file-systems-carving/file-data-carving-recovery-tools.md" %}
[file-data-carving-recovery-tools.md](../partitions-file-systems-carving/file-data-carving-recovery-tools.md)
{% endcontent-ref %}
2021-05-28 17:40:28 +00:00
2022-05-01 13:25:53 +00:00
### Capturing credentials
2021-06-27 13:00:19 +00:00
2022-09-10 08:19:19 +00:00
You can use tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface.
2021-06-27 13:00:19 +00:00
2022-10-25 15:56:49 +00:00
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %}
2022-05-01 13:25:53 +00:00
## Check Exploits/Malware
2021-05-28 17:40:28 +00:00
2022-05-01 13:25:53 +00:00
### Suricata
2021-05-28 17:40:28 +00:00
2022-04-28 23:27:22 +00:00
**Install and setup**
2021-05-28 17:40:28 +00:00
```
2021-05-28 17:40:28 +00:00
apt-get install suricata
apt-get install oinkmaster
echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
```
2022-04-28 23:27:22 +00:00
**Check pcap**
2021-05-28 17:40:28 +00:00
```
2021-05-28 17:40:28 +00:00
suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
```
2022-05-01 13:25:53 +00:00
### YaraPcap
2021-05-28 17:40:28 +00:00
2022-04-05 22:24:52 +00:00
[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that
2021-05-28 17:40:28 +00:00
* Reads a PCAP File and Extracts Http Streams.
* gzip deflates any compressed streams
* Scans every file with yara
2022-09-10 08:19:19 +00:00
* Writes a report.txt
* Optionally saves matching files to a Dir
2021-05-28 17:40:28 +00:00
2022-05-01 13:25:53 +00:00
### Malware Analysis
2021-05-28 17:51:59 +00:00
Check if you can find any fingerprint of a known malware:
{% content-ref url="../malware-analysis.md" %}
[malware-analysis.md](../malware-analysis.md)
{% endcontent-ref %}
2021-05-28 17:51:59 +00:00
2022-05-01 13:25:53 +00:00
## Zeek
2022-09-10 08:19:19 +00:00
> Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a Network Security Monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
2021-11-30 16:46:07 +00:00
Basically, logs created by `zeek` aren't **pcaps**. Therefore you will need to use **other tools** to analyse the logs where the **information** about the pcaps are.
2022-05-01 13:25:53 +00:00
### Connections Info
```bash
#Get info about longest connections (add "grep udp" to see only udp traffic)
#The longest connection might be of malware (constant reverse shell?)
cat conn.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p proto service duration | sort -nrk 7 | head -n 10
10.55.100.100 49778 65.52.108.225 443 tcp - 86222.365445
10.55.100.107 56099 111.221.29.113 443 tcp - 86220.126151
10.55.100.110 60168 40.77.229.82 443 tcp - 86160.119664
#Improve the metrics by summing up the total duration time for connections that have the same destination IP and Port.
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto duration | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2 FS $3 FS $4] += $5 } END{ for (key in arr) printf "%s%s%s\n", key, FS, arr[key] }' | sort -nrk 5 | head -n 10
10.55.100.100 65.52.108.225 443 tcp 86222.4
10.55.100.107 111.221.29.113 443 tcp 86220.1
10.55.100.110 40.77.229.82 443 tcp 86160.1
2022-09-10 08:19:19 +00:00
#Get the number of connections summed up per each line
cat conn.log | zeek-cut id.orig_h id.resp_h duration | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2] += $3; count[$1 FS $2] += 1 } END{ for (key in arr) printf "%s%s%s%s%s\n", key, FS, count[key], FS, arr[key] }' | sort -nrk 4 | head -n 10
10.55.100.100 65.52.108.225 1 86222.4
10.55.100.107 111.221.29.113 1 86220.1
10.55.100.110 40.77.229.82 134 86160.1
#Check if any IP is connecting to 1.1.1.1
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service | grep '1.1.1.1' | sort | uniq -c
#Get number of connections per source IP, dest IP and dest Port
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2 FS $3 FS $4] += 1 } END{ for (key in arr) printf "%s%s%s\n", key, FS, arr[key] }' | sort -nrk 5 | head -n 10
2022-05-01 12:41:36 +00:00
# RITA
#Something similar can be done with the tool rita
rita show-long-connections -H --limit 10 zeek_logs
+---------------+----------------+--------------------------+----------------+
| SOURCE IP | DESTINATION IP | DSTPORT:PROTOCOL:SERVICE | DURATION |
+---------------+----------------+--------------------------+----------------+
| 10.55.100.100 | 65.52.108.225 | 443:tcp:- | 23h57m2.3655s |
| 10.55.100.107 | 111.221.29.113 | 443:tcp:- | 23h57m0.1262s |
| 10.55.100.110 | 40.77.229.82 | 443:tcp:- | 23h56m0.1197s |
#Get connections info from rita
rita show-beacons zeek_logs | head -n 10
Score,Source IP,Destination IP,Connections,Avg Bytes,Intvl Range,Size Range,Top Intvl,Top Size,Top Intvl Count,Top Size Count,Intvl Skew,Size Skew,Intvl Dispersion,Size Dispersion
1,192.168.88.2,165.227.88.15,108858,197,860,182,1,89,53341,108319,0,0,0,0
1,10.55.100.111,165.227.216.194,20054,92,29,52,1,52,7774,20053,0,0,0,0
0.838,10.55.200.10,205.251.194.64,210,69,29398,4,300,70,109,205,0,0,0,0
```
2022-05-01 13:25:53 +00:00
### DNS info
```bash
#Get info about each DNS request performed
cat dns.log | zeek-cut -c id.orig_h query qtype_name answers
2022-09-10 08:19:19 +00:00
#Get the number of times each domain was requested and get the top 10
cat dns.log | zeek-cut query | sort | uniq | rev | cut -d '.' -f 1-2 | rev | sort | uniq -c | sort -nr | head -n 10
#Get all the IPs
cat dns.log | zeek-cut id.orig_h query | grep 'example\.com' | cut -f 1 | sort | uniq -c
2022-09-10 08:19:19 +00:00
#Sort the most common DNS record request (should be A)
cat dns.log | zeek-cut qtype_name | sort | uniq -c | sort -nr
#See top DNS domain requested with rita
rita show-exploded-dns -H --limit 10 zeek_logs
```
2022-05-01 13:25:53 +00:00
## Other pcap analysis tricks
{% content-ref url="dnscat-exfiltration.md" %}
[dnscat-exfiltration.md](dnscat-exfiltration.md)
{% endcontent-ref %}
{% content-ref url="wifi-pcap-analysis.md" %}
[wifi-pcap-analysis.md](wifi-pcap-analysis.md)
{% endcontent-ref %}
{% content-ref url="usb-keystrokes.md" %}
[usb-keystrokes.md](usb-keystrokes.md)
{% endcontent-ref %}
2022-04-28 16:01:33 +00:00
2022-10-25 15:56:49 +00:00
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %}
2022-04-28 16:01:33 +00:00
<details>
2023-03-05 23:16:20 +00:00
<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2023-01-02 12:00:18 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>