CapTipper is a Python tool, independently developed by one of Check Point's researchers, Omri Herscovici, that is used to analyze, explore and revive malicious HTTP traffic. It gives the security researcher easy access to the files and an understanding of the network flow, and is useful for researching exploits, as well as various pre-conditions, versions, obfuscations, plugins and shellcodes.
CapTipper sets up a web server that behaves exactly like the server in the PCAP file, and contains internal tools with a powerful interactive console for analysis and inspection of the hosts, objects and conversations found.
CapTipper allows the researcher to analyze the behavior of the attack even after the original server is already "dead." The researcher can test the effect on a client's plugin versions and exploit mitigation tools, or get a clearer picture of what exactly would have happened to a victim machine.
When CapTipper is fed a drive-by traffic capture, it displays the request URIs that were sent as well as the metadata of the responses. The user can then browse to http://127.0.0.1/[URI] and receive the response that was sent back to the browser.
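The replay idea described above, as an added sketch that is not CapTipper's own code: recorded responses are indexed by URI and served back byte-for-byte from a loopback web server, with gzip bodies decoded only for inspection. The names `CAPTURED`, `ReplayHandler`, `fetch_replayed` and `ungzip` are hypothetical, and the two conversations are constructed samples standing in for what a PCAP parser would extract.

```python
import gzip
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: URI -> (status, headers, raw body) as a PCAP parser
# would extract them. Not real captured traffic.
CAPTURED = {
    "/index.html": (200, {"Content-Type": "text/html"},
                    b"<html><script src='/js/a.js'></script></html>"),
    "/js/a.js": (200, {"Content-Type": "application/javascript",
                       "Content-Encoding": "gzip"},
                 gzip.compress(b"var stage = 'constructed sample';")),
}

def ungzip(headers, body):
    """Decode a gzip body for inspection; replay itself sends raw bytes."""
    if headers.get("Content-Encoding") == "gzip":
        return gzip.decompress(body)
    return body

class ReplayHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        hit = CAPTURED.get(self.path)
        if hit is None:
            self.send_error(404, "URI not present in capture")
            return
        status, headers, body = hit
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch_replayed(uri):
    """Serve CAPTURED on an ephemeral loopback port and GET one URI."""
    server = HTTPServer(("127.0.0.1", 0), ReplayHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d%s" % (server.server_address[1], uri)
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(url, timeout=5) as resp:
            return resp.status, dict(resp.headers), resp.read()
    finally:
        server.shutdown()
        server.server_close()
```

Binding to 127.0.0.1 keeps the replayed content reachable only from the analysis machine itself.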
In addition, an interactive shell is launched for deeper investigation using various commands such as: Hosts, Hexdump, PE info, JavaScript Beautify, Ungzip, Body, Client, Dump, and many more.
CapTipper is capable of producing informative HTML reports.
A basic principle in CapTipper’s development is to gather as many useful tools and functions as possible under its umbrella, thereby providing the researcher with more time to spend in actual research. CapTipper v0.2, which introduces many new features, was released at the Black Hat Asia 2015 Arsenal.
CapTipper is open-source.
For further reading and analysis examples, please visit the GitHub project:
http://github.com/omriher/CapTipper