📘 BTFM - Analyst

dshell , scapy , impacket

Created: 28.09.2020

dshell

# MacOSX path to directory with pyenv (example):
/Users/[user_name]/.pyenv/versions/3.8.5/envs/python3/lib/python3.8/site-packages/dshell/

decode -l # list decoders
decode -d [decoder_name] # decoder info

# who talked to whom
decode -d ip [capture_file_name].(p)cap

# by what means (transport layer) i.e. not tcp,udp or icmp
decode -d protocol [capture_file_name].(p)cap

Analysis example 1

Downloading some (p)cap file from here. Chose some smb file smbtorture.cap.gz. This sample’s info: “Capture showing a wide range of SMB features. The capture was made using the Samba4 smbtorture suite, against a Windows Vista beta2 server.”

Analysing who talked with whom:

decode -d ip smbtorture.cap

Checking wether this files contains packets that used neither TCP, UDP or ICMP means of transport:

decode -d protocol smbtorture.cap

Result is:

<...truncated...>

[Uncommon Protocols] 2005-11-19 06:38:25  192.168.114.129:      ->       224.0.0.22:      ** PROTOCOL: IGMP (2) **
[Uncommon Protocols] 2005-11-19 06:38:25 fe80::20c:29ff:fe30:6027:      ->         ff02::16:      ** PROTOCOL: 0 (0) **
[Uncommon Protocols] 2005-11-19 06:38:26  192.168.114.129:      ->       224.0.0.22:      ** PROTOCOL: IGMP (2) **
[Uncommon Protocols] 2005-11-19 06:38:26 fe80::20c:29ff:fe30:6027:      ->         ff02::16:      ** PROTOCOL: 0 (0) **

<...truncated...>

Meaning, yes, there are other transport layer protocols in use - IGMP.

scapy

scapy
>>> rdpcap("smb-direct-man-in-the-middle-02-reassemble-frames9.pcap")
>>> pcap = rdpcap("smb-direct-man-in-the-middle-02-reassemble-frames9.pcap")

A very useful little script, print all the src addresses (no repeat):

>>> src_ips = set()
>>> for pkt in pcap:
...:     src_ips.add(pkt[IP].src)
...: 
>>> src_ips
{'192.168.0.10', '192.168.0.253'}

My modules

To study network forensics and feel more comfortable with scapy and other tools, I’ve started writing a Packet Investigator module that can be downloaded via this link. It is going to be quite primitive for some time but along with my evolvment in python and forensics it’s going to become better and better.

How to use:

# make sure scapy's installed
python packet_investigator.py [file_name].pcap [-unique_ips] [-susp_ips [suspicious_IP]]

Options:
  -unique_ips - list all IPs that are found in pcap (both src and dst), but no duplicates
  -susp_ips - list all packets, which src or dst IP is [suspicious_IP]

sqlmap

Through proxy (Burp running on localhost:8080) in order to control the attack and log all requests:

sqlmap -u <URL> --proxy=http://127.0.0.1:8080

If url is served over HTTPS, you might try chagning http -> https:

sqlmap -u <URL> --proxy=https://127.0.0.1:8080

There are two options: either type all parameters in the command, or pass the request in a file and let sqlpmap do the rest:

sqlmap --proxy=http://127.0.0.1:8080 -r r.txt --current-db

File r.txt might look something like this:

POST /login HTTP/1.1
Host: victim.com
Content-Length: 54
Accept: application/json, text/plain, */*
X-XSRF-TOKEN: 1234
X-CSRF-TOKEN: 12345
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ru;q=0.8,es;q=0.7
Cookie: XSRF-TOKEN=1234; laravel_session=1111
Connection: close

{"login":"user1","password":"111"}

arp

To view arp tables:

ifconfig # Mac and Linux
ipconfig /all # Windows
ip addr show # some routers

Routing Tables

netstat -nr # Mac or Windows
ip route show # router

tracepath
traceroute
tracert

ip and mac

ifconfig # Mac and Linux
ipconfig /all # Windows
ip addr show # some routers