Some more tools for examining packet captures

I wanted to take a quick look at some other free open source tools I can use to help me look at packet capture files. While Wireshark is an amazing tool, we have some other tools which can generate some reports about the packet capture or search for important information in a capture.

A quick note on packet capturing: As more websites start using HTTPS and more users switch over to secure protocols like SFTP, SMTPS, and SSH, packet captures become less useful to us.
However, analyzing packet captures in a corporate environment is still alive. Corporate IT sometimes installs a root certificate on each machine to intercept encrypted traffic in a classic man-in-the-middle attack by signing the certificate for a website themselves.

The first tool I’ll look at is called PCredz. It is available to install in Kali using aptitude. You can read more about PCredz here: https://github.com/lgandx/PCredz

Looking at the packet capture we analyzed, we see that pcredz picked up the brute force attempts at the FTP server.

$ sudo pcredz -f packet_capture1.pcap
Pcredz 0.9
Author: Laurent Gaffie
Please send bugs/comments/pcaps to: lgaffie@trustwave.com
This script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,
FTP, HTTP Basic and credit card data from a given pcap file or from a live interface.
CC number scanning activated
Unknown format, trying TCPDump format
protocol: tcp 192.168.154.129:49132 > 192.168.154.131:21
FTP User: bjones
FTP Pass: anxiety

protocol: tcp 192.168.154.129:49129 > 192.168.154.131:21
FTP User: bjones
FTP Pass: alazreal

protocol: tcp 192.168.154.129:49135 > 192.168.154.131:21
FTP User: bjones
FTP Pass: bailey

protocol: tcp 192.168.154.129:49131 > 192.168.154.131:21
FTP User: bjones
FTP Pass: beetlebailey

And so on and so forth. This is a quick and easy way to scan packet captures for login information.

Another cool tool I found is tcptrace. The tcptrace manual says it looks at files and summarizes the connections therein inside a .txt file.

$ tcptrace packet_capture1.pcap > tcptrace.txt
TCP packet 9913: reserved bits are not all zero.
Further warnings disabled, use '-w' for more info
$ ls
packet_capture1.pcap tcptrace.txt

Another cool tool, txpxtract, can look at a capture file and rebuild the files (similar to what foremost was doing in my previous post).

$ mkdir extract
$ sudo tcpxtract -f packet_capture1.pcap -o extract/
Found file of type "html" in session [192.168.154.129:40921 -> 93.184.216.229:20480], exporting to extract/00000000.html
Found file of type "html" in session [192.168.154.129:40921 -> 93.184.216.229:20480], exporting to extract/00000001.html
Found file of type "html" in session [93.184.216.229:20480 -> 192.168.154.129:40921], exporting to extract/00000002.html
Found file of type "jpg" in session [93.184.216.229:20480 -> 192.168.154.129:40921], exporting to extract/00000003.jpg
Found file of type "jpg" in session [93.184.216.229:20480 -> 192.168.154.129:41177], exporting to extract/00000004.jpg
…
$ sudo chmod uog+rwx -R extract/

I found Andrea!

Chaosreader is another cool tool. http://www.brendangregg.com/chaosreader.html. Chaosreader will export packet capture files into an html file we can view in a browser.

$ chaosreader -D chaos packet_capture1.pcap
Chaosreader ver 0.94
Opening, packet_capture1.pcap

Reading file contents,
ERROR10: Input dosen't look like a tcpdump or snoop output file.
If it is tcpdump, it may be a wrong or new version.

$ file packet_capture1.pcap
packet_capture1.pcap: pcap-ng capture file - version 1.0

Apparently, this file is a next generation packet capture. According to the Wireshark wiki, the next generation format (pcapng) is a newer format to overcome the limited libpcap library format. I can use a utility called editcap to downgrade this file to older file format which chaosreader can open.

$ editcap -F pcap packet_capture1.pcap oldFormat.pcap
$ file oldFormat.pcap
oldFormat.pcap: tcpdump

Chaosreader can now read the file.

$ mkdir chaos
$ chaosreader -D chaos oldFormat.pcap
Chaosreader ver 0.94
Opening, oldFormat.pcap
Reading file contents,
100% (21759501/21759501)
Reassembling packets,
100% (24374/31009)
…

In this report, Chaosreader shows events such as the port scan:

Scrolling down to see the FTP brute force, we can click on the report Chaosreader generates

 

Chaosreader will also show metrics such as the count of each IP address’s appearance and the count of each TCP/UDP port’s appearance.

Xplico is a network forensics tool. Instead of trying to get it working in Kali, I downloaded an Ubuntu image with the tool already set up (I downloaded it from http://www.xplico.org/download ). After starting the VM, I’ll connect to the Xplico VM from my Kali’s browser through port 9876.

 

Xplico has a lot of features, but I really only want to look at its packet captures features in this post.

Logging in with username “xplico” password “xplico”, I can upload a .pcap file by creating a new case, a new session, and then navigating to that session.

After uploading the packet capture, I can filter different traffic like DNS, HTTP, email traffic, FTP, etc.

In the previous exercise, the user downloaded a password list from the web. We can see HTTP requests related to this.