Network Traffic Analysis

Basic PCAP File Parsing

  1. require 'packetfu'
  2. packets = PacketFu::PcapFile.read_packets 'packets.pcap'

Download packets.pcap file.

Find FTP Credentials

  1. #!/usr/bin/env ruby
  2. require 'packetfu'
  4. pcap_file = ARGV[0]
  5. packets = PacketFu::PcapFile.read_packets pcap_file
  7. packets.each_with_index do |packet, i|
  8.   if packet.tcp_dport == 21
  9.     if packet.payload.match(/(USER|PASS)/)
  10.       src = [packet.ip_src].pack('N').unpack('C4').join('.')
  11.       dst = [packet.ip_dst].pack('N').unpack('C4').join('.')
  12.       puts "#{src} => #{dst}"
  13.       print packet.payload
  14.     end
  15.   end
  16. end

Returns

  1. 192.168.2.127 => 192.168.2.128
  2. USER ayoi
  3. 192.168.2.127 => 192.168.2.128
  4. PASS kambingakuilang

Download ftp.pcap file

Capturing and building PCAP file

Sometime we don’t have the time or option to install external libraries on our environment. Let’s work capture all packets on all interfaces then see how to build a pcap file to write in it.

  1. #!/usr/bin/env ruby
  2. #
  3. # KING SABRI | @KINGSABRI
  4. #
  5. require 'socket'
  7. class Pcap
  9.   def initialize(pcap_file)
  10.     @pcap_file = open(pcap_file, 'wb')
  11.     # Pcap Global https://wiki.wireshark.org/Development/LibpcapFileFormat#Global_Header
  12.     global_header = [
  13.         0xa1b2c3d4,   # magic_number: used to identify pcap files
  14.         2,            # version_major
  15.         4,            # version_minor
  16.         0,            # thiszone
  17.         0,            # sigfigs
  18.         65535,        # snaplen
  19.         1             # network (link-layer), 1 for Ethernet
  20.     ].pack('ISSIIII')
  21.     @pcap_file.write global_header
  22.   end
  24.   def write(data)
  25.     time_stamp  = Time.now.to_f.round(2).to_s.split('.').map(&:to_i)
  26.     data_length = data.length
  27.     # Pcap Record (Packet) Header: https://wiki.wireshark.org/Development/LibpcapFileFormat#Record_.28Packet.29_Header
  28.     packet_header = [
  29.         time_stamp[0],   # ts_sec timestamp seconds
  30.         time_stamp[1],   # ts_usec timestamp microseconds
  31.         data_length,     # incl_len the number of bytes of packet data actually captured
  32.         data_length      # orig_len the length of the packet as it appeared on the network when it was captured
  33.     ].pack('IIII')
  34.     record = "#{packet_header}#{data}"
  35.     @pcap_file.write(record)
  36.   rescue
  37.     @pcap_file.close
  38.   end
  39. end 
  41. pcap   = Pcap.new(ARGV[0])
  42. socket = Socket.new(Socket::PF_PACKET, Socket::SOCK_RAW, 0x03_00)
  43. loop do
  44.   raw_data = socket.recvfrom(65535)[0]
  45.   pcap.write raw_data
  46. end

<!—
http://www.behindthefirewalls.com/2014/01/extracting-files-from-network-traffic-pcap.html

http://jarmoc.com/blog/2013/05/22/bsjtf-ctf-writeup-what-in-the-name-of-zeus/

http://hamsa.cs.northwestern.edu/readings/password-cracking2/
—>

<!—

!/usr/bin/env ruby

#

https://www.youtube.com/watch?v=owsr3X453Z4

require ‘packetfu’
require ‘pp’

capture = PacketFu::Capture.new :iface => ‘mon0’, :promisc => true, :start => true

capture.stream.each do |p|

pkt = PacketFu::Packet.parse p
pp pkt
end

\

array 56

include PacketFu
packets = PcapFile.file_to_array ‘/home/KING/wireless.pcap’

packets.eachwith_index do |packet , ref|
puts “ 75
puts “Reference: #{ref}”
puts “\“ _ 75

pkt = Packet.parse(packet)
puts pkt.dissect
sleep 2

end

\

packets = PcapFile.read_packets ‘/home/KING/wireless.pcap’
packet = packets[56]
pkt = Packet.parse(packet)
puts pkt.inspect_hex

=begin
1876
1551
1550
1339
1324
459
458
=end
—->