dshell
# MacOSX path to directory with pyenv (example):
/Users/[user_name]/.pyenv/versions/3.8.5/envs/python3/lib/python3.8/site-packages/dshell/
decode -l # list decoders
decode -d [decoder_name] # decoder info
# who talked to whom
decode -d ip [capture_file_name].(p)cap
# by what means (transport layer): lists packets whose protocol is not TCP, UDP or ICMP
decode -d protocol [capture_file_name].(p)cap
Analysis example 1
Downloading some (p)cap file from here. Chose an SMB capture, smbtorture.cap.gz. This sample's info: "Capture showing a wide range of SMB features. The capture was made using the Samba4 smbtorture suite, against a Windows Vista beta2 server."
Analysing who talked with whom:
decode -d ip smbtorture.cap
Checking whether this file contains packets that used neither TCP, UDP nor ICMP as their means of transport:
decode -d protocol smbtorture.cap
Result is:
<...truncated...>
[Uncommon Protocols] 2005-11-19 06:38:25 192.168.114.129: -> 224.0.0.22: ** PROTOCOL: IGMP (2) **
[Uncommon Protocols] 2005-11-19 06:38:25 fe80::20c:29ff:fe30:6027: -> ff02::16: ** PROTOCOL: 0 (0) **
[Uncommon Protocols] 2005-11-19 06:38:26 192.168.114.129: -> 224.0.0.22: ** PROTOCOL: IGMP (2) **
[Uncommon Protocols] 2005-11-19 06:38:26 fe80::20c:29ff:fe30:6027: -> ff02::16: ** PROTOCOL: 0 (0) **
<...truncated...>
Meaning, yes, there are other transport layer protocols in use - IGMP.
scapy
scapy # launch the interactive shell
>>> rdpcap("smb-direct-man-in-the-middle-02-reassemble-frames9.pcap")
>>> pcap = rdpcap("smb-direct-man-in-the-middle-02-reassemble-frames9.pcap")
A very useful little snippet: print all the source addresses (no repeats). The check for an IP layer skips ARP, IPv6 and other frames that have none, which would otherwise raise on pkt[IP]:
>>> src_ips = set()
>>> for pkt in pcap:
...:     if IP in pkt:
...:         src_ips.add(pkt[IP].src)
...:
>>> src_ips
{'192.168.0.10', '192.168.0.253'}
My modules
To study network forensics and feel more comfortable with scapy and other tools, I've started writing a Packet Investigator module that can be downloaded via this link. It is going to be quite primitive for some time, but along with my progress in Python and forensics it's going to become better and better.
How to use:
# make sure scapy's installed
python packet_investigator.py [file_name].pcap [-unique_ips] [-susp_ips [suspicious_IP]]
Options:
-unique_ips - list all IPs that are found in pcap (both src and dst), but no duplicates
-susp_ips - list all packets whose src or dst IP is [suspicious_IP]
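As an added example (not the author's packet_investigator module and not dshell's code), the two options above and the "uncommon protocol" question from the dshell section implemented in pure Python over a classic libpcap byte string, so it runs without scapy; the sample capture is constructed inline and is not a real file.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
COMMON = {1: "ICMP", 6: "TCP", 17: "UDP"}   # what `decode -d protocol` treats as ordinary
NAMES = {2: "IGMP"}                         # the uncommon protocol the dshell run above found

def iter_ipv4(pcap: bytes):
    """Yield (src, dst, proto) for every IPv4 packet in a classic libpcap byte string.
    Assumes Ethernet link type. Non-IPv4 frames (ARP, IPv6, ...) are skipped, which is
    the guard the interactive scapy loop above needs (pkt[IP] raises on them)."""
    endian = "<" if struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4 else ">"
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:   # linktype 1 = Ethernet
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        yield str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34])), frame[23]

def unique_ips(pcap):          # -unique_ips: every src and dst, no duplicates
    return sorted({ip for s, d, _ in iter_ipv4(pcap) for ip in (s, d)})

def packets_with_ip(pcap, suspicious_ip):   # -susp_ips: packets to or from one address
    return [(s, d, p) for s, d, p in iter_ipv4(pcap) if suspicious_ip in (s, d)]

def uncommon_protocols(pcap):  # the same question `decode -d protocol` answers
    return [(s, d, NAMES.get(p, str(p))) for s, d, p in iter_ipv4(pcap) if p not in COMMON]

# --- constructed sample capture (not a real file): two TCP packets, one ARP, one IGMP ---
def _ipv4_frame(src, dst, proto):
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                             IPv4Address(src).packed, IPv4Address(dst).packed)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    _ipv4_frame("192.168.0.10", "192.168.0.253", 6),
    _ipv4_frame("192.168.0.253", "192.168.0.10", 6),
    b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,   # ARP, must be skipped
    _ipv4_frame("192.168.114.129", "224.0.0.22", 2),
])
```

Run `unique_ips(SAMPLE_PCAP)`, `packets_with_ip(SAMPLE_PCAP, "192.168.0.253")` and `uncommon_protocols(SAMPLE_PCAP)` to see the three questions answered; replace SAMPLE_PCAP with `open("file.pcap", "rb").read()` for a real capture.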
sqlmap
Through a proxy (Burp running on localhost:8080) in order to control the attack and log all requests:
sqlmap -u <URL> --proxy=http://127.0.0.1:8080
If the URL is served over HTTPS, you might try changing http -> https:
sqlmap -u <URL> --proxy=https://127.0.0.1:8080
There are two options: either type all parameters in the command, or pass the request in a file and let sqlmap do the rest:
sqlmap --proxy=http://127.0.0.1:8080 -r r.txt --current-db
File r.txt might look something like this:
POST /login HTTP/1.1
Host: victim.com
Content-Length: 54
Accept: application/json, text/plain, */*
X-XSRF-TOKEN: 1234
X-CSRF-TOKEN: 12345
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ru;q=0.8,es;q=0.7
Cookie: XSRF-TOKEN=1234; laravel_session=1111
Connection: close
{"login":"user1","password":"111"}
arp
To view arp tables:
arp -a # Mac, Linux and Windows
ip neigh show # Linux, including some routers
Routing Tables
netstat -nr # Mac or Windows
ip route show # router
tracepath # Linux
traceroute # Mac and Linux
tracert # Windows
ip and mac
ifconfig # Mac and Linux
ipconfig /all # Windows
ip addr show # some routers