-
Notifications
You must be signed in to change notification settings - Fork 0
mxc5178/demos
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
pcap tricks + recon These are some pcap tricks that I have learned. These are only a scraching of the surface. The rabbit hole goes deeper than this ... much, much deeper. So, clear your schedule, throw on a pot of cofee and get comfortable. These demos require: python 2.7.3 dpkt: http://code.google.com/p/dpkt BeautifulSoup: http://www.crummy.com/software/BeautifulSoup/ pywhois: https://code.google.com/p/pywhois/ pygeoip: https://github.com/appliedsec/pygeoip dnslib: https://pypi.python.org/pypi/dnslib Maxmind GeoLiteCity.dat: http://www.maxmind.com/app/geolitecity shodan: https://pypi.python.org/pypi/shodan shodan API key: shodanhq.com Begin: capture some ethernet/ip traffic and name it ethernet.pcap. Put it in the same folder as parse_eth.py. Run: ./parse_eth.py You should be able to take this output and arrange it into a list of unique IP addresses (if not, there's an example list of IPs) ... name it ipaddrs.txt Once you have said list of unique IP addresses, run: ./ipwhois.py This will return a list of ASN numbers, listing the owners of the IP netblocks in your pcap. Next, run: ./geoloc.py This will return a list of latitude/longitude coordinates. This geolocation is as accurate as the free Maxmind GeoLite database ... so your mileage may vary. From this output create a colon separated list containing IP:LAT:LON ... name it geolocation.txt. Run: ./kml.py This makes a nifty KML file for Google Earth running. Open it! Back to the packet capture ... run: ./http.py Assuming that your traffic capture contains HTTP traffic (not HTTPS), you should see a list of URLS that were requested. Next, run: ./dns.py Assuming that your traffic capture contains DNS traffic, you should now see a list of DNS reqests and responses, along with the IP of the source and destination. Use your foo to extract a list of unique hosts ... name it hosts.txt. Now run: ./hostwhois.py A list of registrant names, email addresses and name servers will fly by as you watch. Yippie! More fodder. Now run: ./shdan.py This is going to make a call to shodanhq.com using their web API. You will need an API key for this. At time of writing the cost for a key was $20 USD. Pretty reasonable IMHO. Assuming you have your key, you should now see a list of IPs and the servers they are running. Extract a unique list of servers in the form of IP:SERVER and write to a file servers.txt. Good! Now run: ./exploitdb.py This will reach out to exploit-db.com and return the results of the server string search. BONUS: Tor demo that illustrates the use of Tor in python. You might want to reconfigure some of these scripts to use it. Requires: stem: https://pypi.python.org/pypi/stem/ socksipy: https://code.google.com/p/socksipy-branch/ Run: ./tordemo.py
About
Interesting python demos
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published