Friday, December 16, 2016

PCAP_tools. A plugin for ProcDOT to enhance your pcap viewing experiance.

ProcDOT is a malware analysis tool created by Christian Wojner (CERT.at - CERT Austria). The tool is designed to correlate Procmon logs and PCAP data. ProcDOT takes this data and lets you visualize the information in a graph loaded with useful information. It also contains a simple, yet powerful plugin engine designed to help analysts extend the capabilities of ProcDOT. More information can be found at the ProcDOT website.

I would like to introduce you to a plugin that I have been developing called PCAP_tools. Before I do that, I would like to personally thank Christian for his help and interest in the plugin. He has shown me the value of patience and letting this plugin develop into what it is before releasing it. Without further adieu, I give  you PCAP_tools (compatible with ProcDOT 1.2 at the moment)!

PCAP_tools does a couple of things for ProcDOT:
  1. It allows you to extract files from the entire pcap
  2. It allows you to extract files from a specific TCP stream
  3. It gives ProcDOT the ability to follow TCP streams without having to use another tool like Wireshark.

Lets start out with the first one, extracting files from the pcap. This can be found in the Plugins main menu.
Once selected, you are presented with a gui interface. The interface allows you to select which hash type you want for the files and where you want to save them.
Once completed, you will find the carved files in the directory you specified.


The Extract File(s) From Flow option looks the same except it will just carve files from the TCP stream specified, if there are any. This option is presented when you right click on a server node in ProcDOT.

Now, lets look at following a TCP stream and compare the plugins output to Wireshark.
From the image above we can see an option to follow TCP streams. This option is available when you right click on a server node.

If the server node does not contain flow information, one of two screens will pop up.


Lets look at a few that do contain flows.
ProcDOT output

Wireshark output
As you can see, the output pretty much looks the same. But now I am going to show you something that Wireshark does not do. Lets see how a stream looks when it is gzip encoded. First up, Wireshark.

Okey, but I still can't read it. Lets look at it in ProcDOT.


And one more example. What about if the stream is chunked?



As you can see, the plugin was still able to make the stream readable.

I hope I have demonstrated what is possible with ProcDOTs plugin engine. The PCAP_tools plugin, along with setup instructions, is available for download at https://github.com/Beercow/ProcDOT-Plugins/tree/master/PCAP_tools. Please submit any issues with the plugin on my GitHub page.