About BruteShark
BruteShark is a powerful network security forensics analysis tool (NFAT). With the help of this tool, the majority of researchers can easily conduct in-depth processing and review of network traffic (mainly PCAP files, but also directly capture traffic in real time from network interfaces). The main functions of the tool include password extraction, network mapping construction, TCP callback reconstruction and extraction of encrypted password hash, etc. The tool Settings can also be used to convert the extracted encrypted password hash to Hashcat format for brute force cracking tests.
The main goal of the tool is to provide security solutions for security researchers and network administrators responsible for network traffic analysis, while also identifying potential network security vulnerabilities.
Currently, BruteShark is available in two versions, a GUI-based application (Windows) and a command-line tool (Windows and Linux).
In addition, there are many projects and components in the solution that can be used as a stand-alone infrastructure to analyze Linux or Windows network traffic.
Function is introduced
1. Extract and encode user names and passwords (HTTP, FTP, Telnet, IMAP, SMTP, etc.);
Extract the authentication hash and use Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP digest…) To crack;
3. Construct visual network structure diagram (including network nodes, open ports, domain users, etc.);
4. Extract DNS query;
5. Reconstruct all TCP and UDP sessions.
6. File segmentation;
7. Extract VoIP calls (SIP and RTP);
Download tool
Windows
First, we need to download and install the following dependent components:
1. Npcap driver (Wireshark of the latest version will be installed by default)
NET Core Runtime
Desktop version: BruteSharkDesktop Windows installation package (64-bit)
Command-line tool version: BruteSharkCli Windows 10 executable
1, Network security learning route 2, electronic books (white hat) 3, security factory internal video 4, 100 SRC documents 5, common security comprehensive questions 6, CTF competition classic topic analysis 7, full kit 8, emergency response notes
Linux
First, we need to download and install the following dependent components:
1. Libpcap driver
Next, download BruteSharkCli using the following command:
wget https://github.com/odedshimon/BruteShark/releases/latest/download/BruteSharkCli
./BruteSharkCli
Copy the code
Tool use
The use of BruteSharkDesktop is relatively simple, you can operate according to the graphical interface. We mainly introduce the use of bruteshark COMMAND-LINE tool.
Print help menu:
BruteSharkCli --help
Copy the code
Get the credential data from all the files in the directory, and the password and hash will be printed to stdout:
BruteSharkCli -m Credentials -d "C:\Users\King\Desktop\Pcap Files"
Copy the code
Get the credential data from all the files in the directory and export the extracted hash to the Hashcat input file:
BruteSharkCli -m Credentials,NetworkMap,FileExtracting -d C:\Users\King\Desktop\Pcap_Examples -o C:\Users\King\Desktop\Results
Copy the code
Run multiple function modules on all files in the directory and export all results:
BruteSharkCli -m Credentials,NetworkMap,FileExtracting -d C:\Users\King\Desktop\Pcap_Examples -o C:\Users\King\Desktop\Results
Copy the code
Sniff an interface named “Wi-Fi”, run multiple modules, and export all the results to a directory (export results will only be generated when you press CTRL+ C to stop sniffing) :
BruteSharkCli -l Wi-Fi -m Credentials,NetworkMap,FileExtracting,DNS -o C:\Users\King\Desktop\Test Export
Copy the code
Tool Operation Screenshot
Hash extract
Construct the network structure diagram
Document segmentation
Password to extract
Example Reconstruct all TCP sessions
Retrieving VoIP Calls