Exploit Notes

Network Traffic Analysis (NTA)

Last modified: 2023-01-29


Packet Analysis

wireshark example.pcap

# Tcpdump
sudo tcpdump -i eth0 icmp
# output pcap file
sudo tcpdump -i eth0 icmp -w /tmp/tcpdump.pcap


Brim is an application to search and analyze super-structured data.

brim sample.pcap
  • Filters

    _path=="http" "example.com" id.resp_p==80 | cut ts, host, id.resp_p, uri | sort ts
    # Find UserAgent in HTTP requests
    user_agent | cut _path,id.orig_h,id.resp_h,method,host,user_agent


Snort is a network intrusion detection system (NIDS) and intrusion prevention system (NIPS).

# Validate the configuration
# -c: Identify the config file
# -T: Test the configuration
sudo snort -c /etc/snort/snort.conf -T

# Sniffer mode
# -d: Dump packet data
# -e: Link-layer header grabbing
# -v: Verbose mode
sudo snort -dev
# -X: Full packet dump mode
sudo snort -X

# Logger mode
# -l: Logger mode
sudo snort -dev -l .
# -K ASCII: ASCII mode 
sudo snort -dev -K ASCII -l .

# IDS/IPS mode
# -A full: full alert mode
sudo snort -c /etc/snort/snort.conf -A full
# Using local rules
sudo snort -c /etc/snort/rules/local.rules -A full
# -q: Quiet mode
# --daq: Data aquisition
# -i: Listen on interface <if>
sudo snort -c local.rules -q --daq afpacket -i eth0:eth1 -A full
# Wait until packets receiving, the file will be dumped.

# Read generated logs
sudo snort -r snort.log.xxxxxxxx
# Filters
sudo snort -r snort.log.xxxxxxxx -X
sudo snort -r snort.log.xxxxxxxx tcp
sudo snort -r snort.log.xxxxxxxx 'udp and port 53'

# Investigate pcap file
# -n: The first N packets
sudo snort -c /etc/snort/snort.conf -q -r example.pcap -A full -n 10
# --pcap-list: Multiple pcap files
sudo snort -c /etc/snort/snort.conf -q --pcap-list="example.pcap example2.pcap" -A full -n 10
  • Modify rules

    We can edit /etc/snort/rules/local.rules or our custom local.rules in another directory.

    sudo vim /etc/snort/rules/local.rules

    Below is the example rules.

    # ICMP
    alert icmp any any <> any any (msg:"ICMP Packet Found"; sid:1000001; rev:1;)
    # Drop
    drop tcp any any -> any any (sid:1000005;)

Detect a Type of Malware

  1. Extract files from PCAP.

    1. Open target pcap file on Wireshark.
    2. Select "File" -> "Export Options" -> "HTTP..."
    3. Save the target file.
  2. Get the MD5 hash.

    md5sum suspicious.exe
  3. Search on VirusTotal using the MD5 hash.

Tools by HDKS


Automatic web fuzzer.


Auto reconnaissance CLI.

Hash Cracker

Hash identifier.