PacketSifter is a tool to perform batch processing of PCAP data to uncover potential IOCs.
Simply initializePacketSifter with your desired integrations (VirusTotal, AbuseIPDB) and pass PacketSifter a pcap and the desired switches and PacketSifter will sift through the data and generate several output files.
Note Please run AbuseIPDBInitial.sh and VTInitial.sh prior to using their corresponding switches or the integrations will not work
05/27/2021
PacketSifter has been revamped to allow a more streamlined interaction with the user. Simply download the new updated packetsifter.sh, run ./packetsifter -h and learn how to properly use the new PacketSifter!
Author
Ross Burke (Twitter @packetsifter)
How it works
Simply pass PacketSifter your pcap to analyze along with your desired flags and let PacketSifter do the work for you!
Example:
[email protected]:~# ./packetsifter -i /tmp/testing.pcap -a -r -v
Command Line Options
OPTIONS:
- -a enable abuseipdb lookups of IP addresses in DNS A records
- -h print help
- -i input file [Required]
- -r resolve hostnames in pcap [Can result in DNS queries to attacker infrastructure]
- -v enable VirusTotal lookup of exported SMB/HTTP objects
Requirements
tshark - https://tshark.dev/setup/install/
Output
Currently, PacketSifter generates the following pcaps:
- http.pcap - All conversations containing port 80, 8080, or 8000
- smb.pcap - All conversations categorized by tshark dissectors as NBSS, SMB, or SMB2
- dns.pcap - All conversations categorized by tshark dissectors as DNS
- ftp.pcap - All conversations categorized by tshark dissectors as FTP
Currently, PacketSifter generates the following text files:
- IOstatistics.txt - Protocol Hierarchy and Input/Output broken up in 30 second intervals (useful to find potential beaconing)
- IPstatistics.txt - Overall stats to/from endpoints over IP and individual conversations over IP
- TCPstatistics - Overall stats to/from endpoints over TCP and individual TCP conversations broken down. <> This file can contain a large amount of information. It is recommended to use less or grep for a conversation in question.
- http_info.txt - Statistical data about HTTP conversations
- hostnamesResolved.txt (optional) - Resolved hostnames observed in pcap. <> This can result in DNS queries for attacker infrastructure. Proceed with caution!!
- SMBstatistics.txt - Stats on commands ran using smb or smb2
- dnsARecords.txt - DNS A query/responses
- dnsTXTRecords.txt - DNS TXT query/responses
- errors.txt - trash file
VirusTotal Integration output text files (all optional):
- httpHashToObject.txt - Text file containing md5 hash to object pairing for reference
- httpVTResults.txt - Text file containing results of md5 hash lookup of http objects via VirusTotal API
- smbHashToObject.txt - Text file containing md5 hash to object pairing for reference
- smbVTResults.txt - Text file containing results of md5 hash lookup of smb objects via VirusTotal API
AbuseIPDB Integration output text files (optional):
- IPLookupResults.txt - Text file containing IP Geo-location + IP reputation results
Currently, PacketSifter generates the following tar.gz files:
- httpObjects.tar.gz - HTTP objects observed in pcap. <> There could be a lot of HTTP objects and you can potentially extract malicious http objects depending on the pcap. Use with caution!!
- smbObjects.tar.gz - SMB objects observed in pcap. There could be a lot of SMB objects and you can potentially extract malicious SMB objects depending on the pcap. Use with caution!!
VirusTotal Integration
PacketSifter can now perform hash lookups via VirusTotal API of exported objects found via SMB/HTTP.
Steps to configure PacketSifter with VirusTotal integration:
-
Ensure you have jq (https://stedolan.github.io/jq/download/) installed.
[email protected]:~# apt-get install jq
-
Ensure you have curl installed.
[email protected]:~# apt-get install curl
3. Download the new version of packetsifter.sh and the new script VTInitial.sh
4. Run VTInitial.sh in the same folder as packetsifter.sh and supply your 64 character alphanumeric VirusTotal API Key when prompted
For instructions on how to obtain a free VirusTotal API Key https://developers.virustotal.com/reference
Successful output of VTInitial.sh is shown below:
5. Run PacketSifter with the -v flag to enable VirusTotal lookups of exported HTTP and SMB objects.
Successful output of VirusTotal integration and subsequent generated httpVTResults.txt / smbVTResults.txt shown below:
AbuseIPDB Integration
PacketSifter can perform IP Geo-location + IP reputation lookups of IP addresses returned in DNS A Records.
Steps to configure PacketSifter with AbuseIPDB integration:
-
Ensure you have jq (https://stedolan.github.io/jq/download/) installed.
[email protected]:~# apt-get install jq
-
Ensure you have curl installed.
[email protected]:~# apt-get install curl
3. Download the new version of packetsifter.sh and the new script AbuseIPDBInitial.sh
4. Run AbuseIPDBInitial.sh in the same folder as packetsifter.sh and supply your 80 character alphanumeric AbuseIPDB API Key when prompted.
For instructions on how to obtain a free AbuseIPDB API Key https://www.abuseipdb.com/register
**AbuseIPDB free API keys have a limit of 1000 lookups a day**
Successful output of AbuseIPDBInitial.sh is shown below:
5. Run PacketSifter with the -a flag to enable lookups on DNS A records via AbuseIPDB.
Successful output of AbuseIPDB integration and subsequent generated IPLookupResults.txt shown below:
**Confidence Score is on a 0-100 percent confidence scale**
Suggestions?
Reach out if you have suggestions as to what else you'd like sifted or what else could be useful for the tool.