FTPXEROX

HoneySnap: Parse pcap data files

June 24, 2009 17:52 pm · 1 comment

by Black

in Forensics,Open Source,Security Reconnaissance,Security tools

At work, we were discussing about ways to parse pcap files. I remembered about HoneySnap. It is an effective command line utility which can parse single/multiple pcap files. This parsed data identifies significant events within the processed data. It has been brought to us by The Honeynet Project.

icon Honeynet HoneySnap: Parse pcap data files

You might think of it as something like nipper. It is not. Once the parsing is complete, you are presented with a pre-prepared menu of high value network activity, aimed at focusing manual forensic analysis and saving significant incident investigation time. After this, you can then use other tools to perform a deeper analysis.

Functionality provided by HoneySnap includes:

  • Packet and connection overview.
  • Flow extraction of ASCII based communications.
  • Protocol decode of the more common Internet communication protocols.
  • Binary file transfer extraction.
  • Flow summary of inbound and outbound connections.
  • Keystroke extraction of ver2 and ver 3 Sebek data.
  • Identification and analysis of IRC traffic, including keyword matching.
  • Socks proxy traffic stats
  • User definable filters for the counts
  • Improved DNS output
  • Fixed bug in file extraction
  • A big speed increase in gzip decoding
  • Print querying IP for DNS decodes
  • Auto-spotting of IRC traffic on any port
  • SOCKS decoding
  • Fix to the truncation of extracted files
  • Includes magicpy in the distribution to solve the problems caused by the original website going away.

Consider this, you find a pcap dump and would like to know all that it can tell you. You run HoneySnap and find the interesting bytes that can satisfy your hunger to know. As of version 1.0.6, HoneySnap supports DNS, FTP, HTTP, IRC, Socks, Sebek. The only problem is that this tool has not been updated for more than a year now. But, if you want to add more to its functionalities, you can just edit the source code & let the world know!

The feature that we liked the most is: Binary file transfer extraction. We had mentioned about FTPXerox that could extract files transferredduring a FTP session. There are smoe more programs that can do the same for TCP sessions like TcpXtract. The more you use this tool, the more you like it.

Check out the HoneySnap homepage here or, the source code here.

Searches leading to this post:
pcap analyzer, pcap parser, honeysnap all ip, best way to parse pcap files, pcap exercise top talkers by bytes flow, parsing pcap files perl, parsing many pcap files, parse a pcap file in C, extract files from ftp pcap, perl pcap analyzer

Tagged as: , , ,

1 comment

FTPXEROX – grabs files

June 24, 2009 1:00 am · 0 comments

by Black

in Security tools,Windows

Every one must be familiar with FTP (file transfer protocol). Files are transfered in clear text! We were testing IIS with ftp for common vulnerabilities. We needed something to sniff data specialy FTP and found this FTPXEROX tool its old but works.

FTPXerox grabs files that are transferred across the network using the FTP protocol. It was written to demonstrate the fact that any “clear-text” file transfer protocol is susceptible to such attacks. It implements a full end-to-end TCP re-assembly engine that watches for FTP transfers. Once the engine detects an FTP file transfer, it grabs the file off the wire and stores it in a local file. It is quite intelligent in the sense, it can reconstruct exact file names and even grab binary files! Version 1.0, however, does NOT support PASV mode file transfers.
Mostly this tool will be helpful for white hat security testers to test how to secure existing ftp setup, or, you can say that some one from the inside needs to gather some information hmm?
Requirements:
Winpcap Drivers v2.02
 
Download FTPXEROX here

Related External Links

          Tagged as: , , ,

          Be the first to comment!