Network Traffic Analysis

Network Traffic Analysis
Basic PCAP File Parsing
require 'packetfu'
packets = PacketFu::PcapFile.read_packets 'packets.pcap'
Download packets.pcap file.
Find FTP Credentials
#!/usr/bin/env ruby
require 'packetfu'
​
pcap_file = ARGV[0]
packets = PacketFu::PcapFile.read_packets pcap_file
​
packets.each_with_index do |packet, i|
  if packet.tcp_dport == 21
    if packet.payload.match(/(USER|PASS)/)
      src = [packet.ip_src].pack('N').unpack('C4').join('.')
      dst = [packet.ip_dst].pack('N').unpack('C4').join('.')
      puts "#{src} => #{dst}"
      print packet.payload
    end
  end
end
Returns
192.168.2.127 => 192.168.2.128
USER ayoi
192.168.2.127 => 192.168.2.128
PASS kambingakuilang
Download ftp.pcap file
Capturing and building PCAP file
Sometime we don't have the time or option to install external libraries on our environment. Let's work capture all packets on all interfaces then see how to build a pcap file to write in it.
#!/usr/bin/env ruby
#
# KING SABRI | @KINGSABRI
#
require 'socket'
​
class Pcap
​
  def initialize(pcap_file)
    @pcap_file = open(pcap_file, 'wb')
    # Pcap Global https://wiki.wireshark.org/Development/LibpcapFileFormat#Global_Header
    global_header = [
        0xa1b2c3d4,   # magic_number: used to identify pcap files
        2,            # version_major
        4,            # version_minor
        0,            # thiszone
        0,            # sigfigs
        65535,        # snaplen
        1             # network (link-layer), 1 for Ethernet
    ].pack('ISSIIII')
    @pcap_file.write global_header
  end
​
  def write(data)
    time_stamp  = Time.now.to_f.round(2).to_s.split('.').map(&:to_i)
    data_length = data.length
    # Pcap Record (Packet) Header: https://wiki.wireshark.org/Development/LibpcapFileFormat#Record_.28Packet.29_Header
    packet_header = [
        time_stamp[0],   # ts_sec timestamp seconds
        time_stamp[1],   # ts_usec timestamp microseconds
        data_length,     # incl_len the number of bytes of packet data actually captured
        data_length      # orig_len the length of the packet as it appeared on the network when it was captured
    ].pack('IIII')
    record = "#{packet_header}#{data}"
    @pcap_file.write(record)
  rescue
    @pcap_file.close
  end
end 
​
pcap   = Pcap.new(ARGV[0])
socket = Socket.new(Socket::PF_PACKET, Socket::SOCK_RAW, 0x03_00)
loop do
  raw_data = socket.recvfrom(65535)[0]
  pcap.write raw_data
end
<!--
http://www.behindthefirewalls.com/2014/01/extracting-files-from-network-traffic-pcap.html​
​http://jarmoc.com/blog/2013/05/22/bsjtf-ctf-writeup-what-in-the-name-of-zeus/​
​http://hamsa.cs.northwestern.edu/readings/password-cracking2/
-->
<!--
!/usr/bin/env ruby
#
​https://www.youtube.com/watch?v=owsr3X453Z4​
require 'packetfu'
require 'pp'
capture = PacketFu::Capture.new :iface => 'mon0', :promisc => true, :start => true
capture.stream.each do |p|
pkt = PacketFu::Packet.parse p
pp pkt
end
\
array 56
include PacketFu
packets = PcapFile.file_to_array '/home/KING/wireless.pcap'
packets.eachwith_index do |packet , ref|
puts ""  75
puts "Reference: #{ref}"
puts "\" _ 75
pkt = Packet.parse(packet)
puts pkt.dissect
sleep 2
end
\
packets = PcapFile.read_packets '/home/KING/wireless.pcap'
packet = packets[56]
pkt = Packet.parse(packet)
puts pkt.inspect_hex
=begin
1876
1551
1550
1339
1324
459
458
=end
--->

Memory Forensic

Parsing Log Files

Last modified 4yr ago

Network Traffic Analysis

Network Traffic Analysis

Basic PCAP File Parsing

Find FTP Credentials

Capturing and building PCAP file

!/usr/bin/env ruby

​https://www.youtube.com/watch?v=owsr3X453Z4​

array 56

https://www.youtube.com/watch?v=owsr3X453Z4