Network Traffic Analysis

Network Traffic Analysis

Basic PCAP File Parsing

require 'packetfu'
# Parse every frame of the capture file into PacketFu packet objects.
packets = PacketFu::PcapFile.read_packets('packets.pcap')

Download packets.pcap file.

Find FTP Credentials

#!/usr/bin/env ruby
require 'packetfu'

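pcap_file = ARGV[0]
abort "usage: #{$PROGRAM_NAME} <file.pcap>" unless pcap_file
packets = PacketFu::PcapFile.read_packets pcap_file

# Converts a 32-bit integer address (the form PacketFu's ip_src/ip_dst use here)
# to dotted-quad text, e.g. 3232236159 => "192.168.2.127".
def ip_to_s(addr)
  [addr].pack('N').unpack('C4').join('.')
end

# FTP sends USER/PASS in cleartext on the control channel (TCP port 21), which is
# why a capture of the client->server direction exposes the login outright;
# FTPS/SFTP are the usual mitigations.
packets.each do |packet|
  # A capture usually also holds non-TCP frames (ARP, UDP ...); those have no
  # tcp_dport and would raise NoMethodError, so skip them by duck typing.
  next unless packet.respond_to?(:tcp_dport) && packet.tcp_dport == 21
  next unless packet.payload =~ /(USER|PASS)/

  puts "#{ip_to_s(packet.ip_src)} => #{ip_to_s(packet.ip_dst)}"
  print packet.payload
end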

Returns

192.168.2.127 => 192.168.2.128
USER ayoi
192.168.2.127 => 192.168.2.128
PASS kambingakuilang

Download ftp.pcap file

Capturing and building PCAP file

Sometimes we don't have the time or the option to install external libraries in our environment. Let's capture all packets on all interfaces, then see how to build a pcap file and write them into it.

#!/usr/bin/env ruby
#
# KING SABRI | @KINGSABRI
#
require 'socket'

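# Minimal writer for the classic libpcap capture format (not pcapng):
# a 24-byte global header followed by one 16-byte record header per frame.
class Pcap
  PCAP_MAGIC        = 0xa1b2c3d4 # magic_number: identifies pcap files and their byte order
  VERSION_MAJOR     = 2
  VERSION_MINOR     = 4
  SNAPLEN           = 65_535     # upper bound on the bytes stored per record
  LINKTYPE_ETHERNET = 1          # network (link-layer) field: 1 for Ethernet

  # Creates (or truncates) +pcap_file+ in binary mode and writes the global header.
  #
  # @param pcap_file [String] path of the capture file to create
  # @raise [SystemCallError] if the file cannot be created
  def initialize(pcap_file)
    # File.open rather than Kernel#open: Kernel#open treats a path starting with
    # '|' as a command to spawn, which matters when the path comes from ARGV.
    @pcap_file = File.open(pcap_file, 'wb')
    # Pcap Global https://wiki.wireshark.org/Development/LibpcapFileFormat#Global_Header
    global_header = [
      PCAP_MAGIC,
      VERSION_MAJOR,
      VERSION_MINOR,
      0,                 # thiszone
      0,                 # sigfigs
      SNAPLEN,
      LINKTYPE_ETHERNET
    ].pack('ISSIIII')    # host byte order; readers detect it from the magic
    @pcap_file.write global_header
  end

  # Appends one frame as a pcap record (record header + frame bytes), truncating
  # the stored bytes to SNAPLEN while orig_len keeps the full frame length.
  #
  # @param data [String] raw link-layer bytes of one frame
  # @return [Integer] number of bytes written to the file
  # @raise [IOError] if the file has already been closed
  def write(data)
    now      = Time.now
    frame    = data.b                       # force binary so concatenation never hits encoding checks
    orig_len = frame.bytesize
    incl_len = [orig_len, SNAPLEN].min
    # Pcap Record (Packet) Header: https://wiki.wireshark.org/Development/LibpcapFileFormat#Record_.28Packet.29_Header
    packet_header = [
      now.to_i,   # ts_sec: timestamp seconds
      now.usec,   # ts_usec: whole microseconds (splitting the float's decimal digits gave a wrong value)
      incl_len,   # incl_len: bytes of packet data actually stored
      orig_len    # orig_len: length of the packet as it appeared on the network
    ].pack('IIII')
    # Errors propagate to the caller; the old rescue silently closed the file and
    # every later write then failed unnoticed.
    @pcap_file.write(packet_header + frame.byteslice(0, incl_len))
  end

  # Flushes and closes the capture file. Safe to call more than once.
  def close
    @pcap_file.close unless @pcap_file.closed?
  end
end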

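abort "usage: #{$PROGRAM_NAME} <out.pcap>" if ARGV[0].nil?
pcap = Pcap.new(ARGV[0])
# PF_PACKET/SOCK_RAW delivers whole link-layer frames, which matches the Ethernet
# link type written in the global header. 0x03_00 is ETH_P_ALL (0x0003) in network
# byte order: every protocol on every interface. Opening this socket needs raw-socket
# privilege (root or CAP_NET_RAW on Linux).
socket = Socket.new(Socket::PF_PACKET, Socket::SOCK_RAW, 0x03_00)
begin
  loop do
    raw_data, _sender = socket.recvfrom(65_535) # 65535 matches the snaplen in the global header
    pcap.write raw_data
  end
ensure
  socket.close # capture ends on Interrupt (Ctrl-C); release the socket on the way out
end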

<!-- http://www.behindthefirewalls.com/2014/01/extracting-files-from-network-traffic-pcap.html

http://jarmoc.com/blog/2013/05/22/bsjtf-ctf-writeup-what-in-the-name-of-zeus/

http://hamsa.cs.northwestern.edu/readings/password-cracking2/ -->

<!--

!/usr/bin/env ruby

#

require 'packetfu' require 'pp'

capture = PacketFu::Capture.new :iface => 'mon0', :promisc => true, :start => true

capture.stream.each do |p|

pkt = PacketFu::Packet.parse p pp pkt end

\

array 56

include PacketFu packets = PcapFile.file_to_array '/home/KING/wireless.pcap'

packets.eachwith_index do |packet , ref| puts "" 75 puts "Reference: #{ref}" puts "\" _ 75

pkt = Packet.parse(packet) puts pkt.dissect sleep 2

end

\

packets = PcapFile.read_packets '/home/KING/wireless.pcap' packet = packets[56] pkt = Packet.parse(packet) puts pkt.inspect_hex

=begin 1876 1551 1550 1339 1324 459 458 =end --->
