NETWORK Pcap File Analysis, It was developed to speed up the processes of SOC Analysts during analysis
Tested
OK Debian
OK Ubuntu$ pip install pyshark
$ pip install dpkt
$ Wireshark
$ Tshark
$ Mergecap
$ Ngrep
$ https://github.com/emrekybs/Bryobio.git
$ cd Bryobio
$ chmod +x bryobio.py
$ python3 bryobio.py
This piece of code is a script written in Python and designed to run on Kali Linux. Here is a summary explaining what each function does:
This function runs the command it takes as input and returns its output.
This function stops the dhclient and NetworkManager services.
This function listens for network traffic using tcpdump and returns the first captured IP and MAC address. If these addresses are not captured, None returns None.
This function replaces the IP address of the specified network interface with the specified IP address and netmask.
This function replaces the MAC address of the specified network interface with the specified MAC address.
This function starts the responder tool on the specified network interface.
This function starts the tcpdump tool on the specified network interface.
This function runs the nbtscan tool in the specified IP range.
This function combines all the above functions and takes necessary information from the user to change the IP and MAC address, start the responder and tcpdump tools, and run the nbtscan tool.
All of the above code must be contained in a Python script and the script must be run with root privileges. Because this piece of code contains commands that change the network configuration and tools that listen for network traffic. These operations usually require root privileges. Also, the use of this script may be subject to the law and unauthorized use may lead to legal problems. Therefore, it is important to check local laws and policies before using the script.
In apt and Ransomware group scenarios, when they infiltrate the enterprise from the outside, it tries to bypass nac security solutions in enterprise structures. If it can achieve this, it starts to discover users in the whole network. It also listens to the network with wireshark or tcpdump. If voip is used in your structure, it can decode all calls over SIP. In the scenario I have described below, it decodes your voip calls over SIP after success.
This is a tool that aims to automatically bypass the nac bypass method at the basic level in the tool I have made. With this tool, it helps you to interpret your nac security product configuration in your organization with or without attack protection at a basic level. Example usage and explanation are as follows.
The first step is to run this tool when you connect to the inside network.
If the nac bypass is successful, listen to the network with wireshark. And here, filter the Voip calls from the #SIPFlows tab from the #Telephony tab with the data you collected over wireshark, and if the call is available instantly, you can listen to the VOIP calls according to a certain order.
The purpose of this tool and this scenario is to increase security awareness for your institutions. In addition, the perspective of an APT group has been tried to be reflected.
By Mevlรขnรข Celรขleddรฎn-i Rรปmรฎ