GitHub - execgit/CapTipper: Malicious HTTP traffic explorer

##CapTipper v0.3

Fork of https://github.com/omriher/CapTipper Original documentation: http://captipper.readthedocs.org

CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.

This is a fork of CapTipper that uses the Python interactive console instead of CTConsole. Some new features are included. Some are overlapping with the features of the current CapTipper version as the code of this fork is based on an earlier version.

>>> help
This is a normal Python shell with some special commands for your convenience.

Available commands:
convs()              show conversations
hosts()              show hosts in conversations

req(x)               show conversation x request
res(x)               show conversation x response (head and body)
head(x)              show conversation x response head
body(x)              show conversation x response body
info(x)              show conversation x infomation
hexdump(x, "xorkey") show hexdump of conversation x response body, with optional xor
dump("x filename")   dump conversation x response to filename
ungz(x)              zlib decode conversation x response (makes new object from ungz)

o(x)                 show raw object x from conversations
objdata              raw data from all objects (mainly useful for "text" in objdata etc.)
objs()               show object list
hashes(x)            show md5/sha1/sha256/sha512 hashes of object x

get_iframes(x)       searches iframes from conversation x response
iframe(y)            shows iframe y from previous search
get_scripts(x)       searches scripts from conversation x response
script(y)            shows script y from previous search

search("text", x)    searches for given text in conversation x response
regex(regexp, x)     does an arbitrary regexp search on conversation x response

beautify("text")     run any text thought jsbeautifier, eg. beautify(o(1))
p("text")            run any text through pager
b64("text")          base64 decode text

ek()                 show hits to exploit kits (ALPHA)

ids()                searchers IDS hits from pcap contents
hits()               shows hosts with IDS hits
i(z)                 shows IDS hit z where z is either conversation ID or ip:port (needs ids() invocation)

jsrun(x)             run conversation x through JS evaluation
                     retains window object and JS context
jw(x)                handle the window object, eg jw('location')
jseval(x )           evaluate x with PyV8 with new or existing context

_help                Normal python help

The jsrun, jseval and jw commands require installing PyV8 and Thugdom, a fork of Thug (https://github.com/execgit/thugdom). The IDS command set requires installing a version of Snort (https://www.snort.org/) as well as a ruleset to match packets against.

###Original Info

Written By Omri Herscovici

Please open an issue for bugs.
I would be happy to accept suggestions and feedback to my mail :)

CapTipper: http://www.omriher.com/2015/01/captipper-malicious-http-traffic.html
Email: [omriher@gmail.com](mailto:omriher@gmail.com?Subject=CapTipper feedback)
Twitter: @omriher

Name		Name	Last commit message	Last commit date
Latest commit History 74 Commits
colorama		colorama
docs		docs
jsbeautifier		jsbeautifier
jsontemplate		jsontemplate
ordlookup		ordlookup
pcapparser		pcapparser
plugins		plugins
storage		storage
.gitignore		.gitignore
CHANGELOG		CHANGELOG
CTConsole.py		CTConsole.py
CTCore.py		CTCore.py
CTMagic.py		CTMagic.py
CTPlugin.py		CTPlugin.py
CTReport.py		CTReport.py
CapTipper.py		CapTipper.py
LICENSE		LICENSE
README.md		README.md
README.txt		README.txt
magics.csv		magics.csv
parse_pcap.py		parse_pcap.py
pefile.py		pefile.py
pescanner.py		pescanner.py
peutils.py		peutils.py
snort_pcap_test.sh		snort_pcap_test.sh
userdb.txt		userdb.txt

License

execgit/CapTipper

Folders and files

Latest commit

History

Repository files navigation

About

Resources

License

Stars

Watchers

Forks

Languages