PcapXray – GUI Network Forensics Tool To Analysis a Packet Capture Offline

Anastasis
Network forensics tools are often used by security professionals to test the vulnerabilities in a network. With this Kali Linux tutorial, we introduce a comprehensive tool, PcapXray, for analyzing pcap files.

The tool plots the hosts in the network and their traffic, and highlights important traffic, Tor traffic and potentially malicious traffic.


The tool contains the following components:

  • Network Diagram.
  • Device/Traffic Details and Analysis.
  • Malicious Traffic Identification.
  • Tor Traffic.
  • GUI – a GUI with an option to upload a pcap file.

Tutorial – Network Forensics Tool

The packet capture tool can be cloned from GitHub. The tool gives security officials an initial overview to start an investigation from.

git clone https://github.com/Srinivas11789/PcapXray.git
cd PcapXray

To install the requirements: pip install -r requirements.txt

To run: python Source/main.py


It launches a graphical user interface and asks you to locate the pcap file.


For demonstration, we used a pcap file from a Netflix phishing campaign; with this tool we can extract the web traffic, Tor traffic, malicious traffic and other traffic details.

The analysis takes some time; after that, we get a detailed report on communication, device and packet details.


The location URL that was detected is a Netflix phishing page.


The destination IP 98[.]209[.]70[.]101 was not resolvable at the time of our analysis; it looks like the campaign had already ended.

The tool uses the following Python libraries:

  • Scapy – rdpcap, to read the packets from the pcap file
  • Ipwhois – to obtain whois information for an IP
  • Netaddr – to check the IP information type
  • Pillow – image processing library
  • Stem – Tor consensus data fetch library
  • pyGraphviz – plot graph
  • Networkx – plot graph
  • Matplotlib – plot graph
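As an added example (not PcapXray's code and not from the post's author), the script below does, with the standard library alone, the core of what the tool does when it reads a capture offline: it parses libpcap records with struct instead of Scapy's rdpcap, inventories hosts and their MAC addresses, maps who talked to whom (the basis of the network diagram), pulls the HTTP Host header out of web traffic, and flags packets to destinations on a watch list. The malicious destination is the IP named in the write-up; the Tor exit address and the three frames in the sample capture are constructed test data, standing in for the Stem consensus data the real tool fetches online and for a real pcap.

```python
"""Dependency-free pcap triage in the spirit of PcapXray (added example)."""
import struct
from collections import Counter

# Watch lists. The first entry is the phishing destination named in the write-up;
# the Tor exit is a constructed TEST-NET-3 placeholder, not a real relay.
MALICIOUS_IPS = {"98.209.70.101"}
TOR_EXIT_IPS = {"203.0.113.9"}  # constructed


def ip_to_str(raw):
    return ".".join(str(b) for b in raw)


def iter_frames(data):
    """Yield (timestamp, frame) for each record of a libpcap byte string."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:  # truncated last record: stop, don't misparse
            break
        off += incl_len
        yield ts_sec, frame


def parse_ipv4(frame):
    """Return (src_mac, src_ip, dst_ip, proto, sport, dport, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto, l4 = ip[9], ip[ihl:]
    if proto == 6 and len(l4) >= 20:        # TCP: header length from data offset
        sport, dport = struct.unpack_from(">HH", l4, 0)
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8:      # UDP: fixed 8-byte header
        sport, dport = struct.unpack_from(">HH", l4, 0)
        payload = l4[8:]
    else:
        sport = dport = None
        payload = l4
    return frame[6:12].hex(":"), ip_to_str(ip[12:16]), ip_to_str(ip[16:20]), proto, sport, dport, payload


def http_host(payload):
    """Host header of an HTTP request payload, or None if it is not one."""
    if payload.split(b" ", 1)[0] not in (b"GET", b"POST", b"HEAD"):
        return None
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace")
    return None


def analyze(data):
    """Hosts seen, conversation counts, web hosts contacted, and flagged packets."""
    report = {"hosts": {}, "conversations": Counter(), "web_hosts": Counter(), "flags": []}
    for ts, frame in iter_frames(data):
        pkt = parse_ipv4(frame)
        if pkt is None:
            continue
        src_mac, src_ip, dst_ip, _proto, _sport, dport, payload = pkt
        report["hosts"].setdefault(src_ip, src_mac)
        report["conversations"][(src_ip, dst_ip, dport)] += 1
        host = http_host(payload) if dport == 80 else None
        if host:
            report["web_hosts"][host] += 1
        if dst_ip in MALICIOUS_IPS:
            report["flags"].append((ts, src_ip, dst_ip, "malicious-destination", host))
        elif dst_ip in TOR_EXIT_IPS:
            report["flags"].append((ts, src_ip, dst_ip, "tor-exit", host))
    return report


# --- constructed sample capture (checksums left zero; fine for offline parsing) ---
GATEWAY_MAC = "00:11:22:33:44:55"


def make_frame(src_mac, src_ip, dst_ip, dport, payload=b"", sport=40000):
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip_hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex(GATEWAY_MAC.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip_hdr + tcp


def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1
    return header + b"".join(struct.pack("<IIII", 1521700000 + i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))


SAMPLE_PCAP = build_pcap([
    make_frame("aa:bb:cc:00:00:01", "192.168.1.10", "98.209.70.101", 80,
               b"GET /login HTTP/1.1\r\nHost: account-verify.example\r\n\r\n"),
    make_frame("aa:bb:cc:00:00:01", "192.168.1.10", "93.184.216.34", 443),
    make_frame("aa:bb:cc:00:00:02", "192.168.1.11", "203.0.113.9", 9001),
])

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PCAP).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of a file read in binary mode; pcapng files and non-Ethernet link types are rejected up front rather than silently misparsed, which is the check to keep when adapting this for your own pcaps.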

The author credits Srinivas P G on GitHub.

