PacketParser - Parsing Network Traffic Capture Files

As part of our engagements, we may compromise access to network devices that can be used to capture traffic in various network segments. These packet captures can often provide a trove of information:

• Cleartext traffic leaking credentials or sensitive information

• Lists of live IP addresses that are communicating on the network.

• Lists of network ports that are used to communicate between devices.

In some scenarios, you may not want to perform network port scans. For example, in the Singaporean Critical Infrastructure Security Showdown ("CISS") competition each year, there are penalty points for triggering IDS or other detection solutions. As such, we may want to perform a network traffic capture and parse that capture so that we do not get detected for port scanning.

After reviewing GitHub for various projects and solutions to do the same thing, we gave up and just wrote PacketParser.

Features

Unique IP address list

To obtain a list of unique IP addresses, the -oI flag is used. The flag instructs the program to make a new text file specified by the flag and store a list of unique IP addresses parsed from the capture file.

python3 packetparser.py -i <inputcapture> -oI unique-ips.txt

Unique TCP port list

To obtain a list of unique TCP ports, the -oP flag is used. The flag instructs the program to make a new text file specified by the flag and store a list of unique TCP ports parsed from the capture file.

python3 packetparser.py -i <inputcapture> -oP unique-ports.txt

Unique IP address and TCP port pairs list

To obtain a list of unique IP:ports combinations, the -o flag is used. The flag instructs the program to make a new text file specified by the flag and store a list of IP addresses to TCP port pairs parsed from the capture file.

python3 packetparser.py -i <inputcapture> -o unique-pairs.txt

Uses

You may want to obtain a list of unique IP addresses and then put it into nmap for further scanning, such as:

nmap -Pn -n -iL unique-ips.txt -oA nmap_top1000 --open

You may want to take the TCP port list to reduce the number of TCP ports further attempted and to further direct the scan towards ports that may be open, using a command such as:

nmap -Pn -n -vv -iL unique-ips.txt -oA nmap_specific -p `cat unique-ports.txt | tr '\n' ',' | sed -e 's/,$//g'`

To assess for web servers running on any of the TCP ports sniffed from the packet capture, you may utilize a tool such as Project Discovery's httpx:

cat unique-pairs.txt | httpx -status-code -follow-redirects -title -o httpx.txt

Conclusions

Parsing packet captures has never been easier, now with PacketParser at your disposal.

References

• https://github.com/vysecurity/PacketParser

• https://github.com/projectdiscovery/httpx

• https://nmap.org/