Tuesday, August 4, 2015

CapTipper v0.3 is out!

The new version of CapTipper is here, and it includes new and exciting features.
The most important addition is CapTipper's new logo :)


Thanks to Ira Suris Gurevich for this beautiful work.

I will be presenting the new CapTipper at BlackHat Arsenal USA this week so stop by and say Hi if you're around.

Another project we are presenting at BlackHat Arsenal is CuckooSploit, a joint effort of our entire team at Check Point. I will elaborate on it later in this post.

It is strongly advised to read the first and second version update blog posts in order to have a better understanding of what CapTipper is all about.

I am trying to answer as many feature requests as I can, and the most common one has been a plugin infrastructure.
So here it is.

Plugins


CapTipper now supports plugins written in Python that implement the `ConsolePlugin` interface.
Every plugin lives in the "/plugins/" folder and must implement a 'run()' function, which is the entry point CapTipper calls with whatever arguments were typed after the plugin name.

Hello World example ("my_first_plugin.py"):

from CTPlugin import ConsolePlugin   # base class every CapTipper plugin extends

class my_first_plugin(ConsolePlugin):

    author = "Omri Herscovici"       # plugin metadata; the description is shown by 'plugin -l'
    description = "Prints Hello World"

    def run(self, args):
        # args holds whatever was typed after the plugin name or ID at the CT> prompt
        print("Hello World")

The plugin also has access to all the conversation and host datasets, so it can inspect any object in the loaded PCAP.

An extensive explanation and examples on how to write a plugin for CapTipper can be found here.

The main CapTipper repository already includes a few plugins as examples. If you have an idea for a plugin, implement it and send it to me or open a pull request, so I can add it to the repository and share new functionality between CapTipper users.

The 'plugin' command runs any loaded plugin.

CT> help plugin
Launching an external plugin (alias: p)

usage: plugin [-l] <*args>
    -l - List all available plugins

examples:
    plugin find_scripts
    plugin 1
    p find_scripts

List all available plugins:

CT> plugin -l
Loaded Plugins (3):
 0 : check_host - Checks if a given id's host is alive
 1 : find_scripts - Finds external scripts included in the object body
 2 : print_body - Prints the body of a conversation and ungzip if needed

The plugin command can also be used through its alias 'p'.
Each plugin is assigned a unique ID, so a plugin can be invoked either by its name or by its ID.

For example, let's use the 'check_host' plugin, which has ID 0.
It takes a conversation ID as its argument and checks whether the domain that served that conversation's URL is still alive.
Let's run it on conversation 12:

CT> p 0 12
Checking host grannityrektonaver.co.vu
IP:PORT = 173.244.195.17:80
[-] Server is dead
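A plugin that does real work in the shape shown above, as an added example that is not code from the CapTipper repository: it lists the <script src=...> references in a response body and flags the ones served from a host other than the page's own, which is the first thing to look at when a landing page pulls in an exploit kit. The ConsolePlugin stub below stands in for CapTipper's CTPlugin.ConsolePlugin so that the file runs offline (an assumption; a real plugin imports the base class from CTPlugin and reads the body from the loaded conversation), conversations are modelled as dicts with "host" and "body" keys, and the HTML sample is constructed.

```python
# Added example (not from the CapTipper repository): a console plugin that lists
# <script src=...> references in a response body and flags off-host ones.
#
# Assumptions (labelled): the ConsolePlugin class below is a stand-in for
# CapTipper's CTPlugin.ConsolePlugin so this runs offline; conversations are
# modelled as dicts with "host" and "body" keys; the sample HTML is constructed.
import re

try:
    from urllib.parse import urlparse   # Python 3
except ImportError:
    from urlparse import urlparse       # Python 2, which CapTipper v0.3 runs on

# Heuristic match for <script ... src=VALUE ...>: quotes optional, any case.
# Good enough for triage; it is not an HTML parser.
SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def scan_scripts(body, page_host):
    """Return [(src, is_external)] for every script src found in body.

    A src is external when it names a host (absolute or protocol-relative URL)
    that differs from page_host; relative paths are never external."""
    results = []
    for src in SCRIPT_SRC_RE.findall(body):
        script_host = urlparse(src).hostname      # None for relative paths
        external = script_host is not None and script_host != page_host.lower()
        results.append((src, external))
    return results


class ConsolePlugin(object):
    """Stand-in (assumption) for CapTipper's CTPlugin.ConsolePlugin."""
    author = ""
    description = ""

    def __init__(self, conversations=None):
        self.conversations = conversations or []

    def run(self, args):
        raise NotImplementedError


class find_external_scripts(ConsolePlugin):
    author = "added example"
    description = "Lists script src references in a conversation body and flags off-host ones"

    def run(self, args):
        # args is the list typed after the plugin name/ID, e.g. ['12']
        if (len(args) != 1 or not args[0].isdigit()
                or int(args[0]) >= len(self.conversations)):
            print("usage: plugin find_external_scripts <conversation id>")
            return []
        conv = self.conversations[int(args[0])]
        found = scan_scripts(conv["body"], conv["host"])
        for src, external in found:
            print("%s %s" % ("[EXT]" if external else "[   ]", src))
        return found


# Constructed sample conversation (not a real capture).
SAMPLE_CONVERSATIONS = [{
    "host": "example.com",
    "body": """<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript" src='http://example.com/js/app.js'></script>
<script src="//cdn.example.net/lib.js"></script>
<SCRIPT SRC=http://198.51.100.23/x.php?id=7></SCRIPT>
<script>inline();</script>
</head></html>""",
}]

if __name__ == "__main__":
    find_external_scripts(SAMPLE_CONVERSATIONS).run(["0"])
```

Running it on the constructed conversation marks the protocol-relative CDN script and the one fetched straight from an IP address as [EXT], and leaves the two same-host references unflagged. The run() method returns its findings as well as printing them, so another plugin can call it and post-process the list.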

Documentation


Not really a feature, but definitely a useful addition to CapTipper.
The CapTipper documentation is comprehensive and covers every aspect of the tool.

The documentation is hosted on ReadTheDocs and can be found here

Output log


The output log is a new feature that enables recording all commands and results from the CapTipper console.

CT> output /Users/omriher/Temp/Nuclear-110615.txt
Logging to /Users/omriher/Temp/Nuclear-110615.txt

Only console activity after the 'output' command is recorded; earlier commands and results are not written to the file.
To stop logging, pass 'stop' as the argument.

CT> output stop
Stopped logging to /Users/omriher/Temp/Nuclear-110615.txt

Cuckoo PCAP analysis package


Cuckoo Sandbox is a malware analysis framework used to automatically run and analyse malicious files.
CuckooSploit, the second project we are presenting at BlackHat Arsenal, is built on top of Cuckoo Sandbox.
CuckooSploit is an environment for comprehensive, automated analysis of web-based exploits.

By using full web emulation on different combinations of OS/browser/plugin version, CuckooSploit increases the rate of malicious URL detection and presents a reliable verdict, and in some cases, CVE detection.

Originally CuckooSploit accepted only URLs; thanks to CapTipper it now also accepts PCAP files.
CuckooSploit integrates CapTipper as a new Cuckoo analysis package.

The analysis package lets Cuckoo accept PCAP files for analysis and uses CapTipper to revive the captured traffic, so Cuckoo can produce a full-flow report of exactly what happened to the machine when it was infected by the malicious URL, including the behavior of the dropped payload.

The analysis package will work on any Cuckoo instance, and can be found here.
CuckooSploit was developed by our team at Check Point, which also includes David Oren, Liran Englender and Ilana Marcus.
CuckooSploit is on GitHub and can be found here. The blog post about CuckooSploit will be added soon to Check Point's blog.

Using Fiddler SAZ files


CapTipper still has no native support for Fiddler SAZ files, but you can convert a SAZ file to a PCAP with the fiddler2pcap project and load that instead.
fiddler2pcap depends on the Python scapy library (and scapy's own dependencies), so the conversion is easiest on a Linux machine.
The Ethernet and IP headers (layers 2 and 3) that fiddler2pcap generates are not well-formed, but tcprewrite fixes them easily.

I added a small bash script that converts all SAZ files in a folder to PCAPs that are readable by CapTipper (Thanks to Yaron Fruchtman).

The script can be found here.
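What a SAZ archive actually contains, and why turning it into a PCAP means inventing everything below HTTP, as an added example that is neither fiddler2pcap's code nor the bash script mentioned above: the script builds a small SAZ in memory and then pairs each raw/NN_c.txt request with its raw/NN_s.txt response the way any converter must before it can synthesise Ethernet/IP/TCP framing. The archive layout (raw/NN_c.txt, raw/NN_s.txt, raw/NN_m.xml) is Fiddler's; the hostnames and sessions are constructed sample data, and the CONNECT and aborted sessions are included to show the two cases a converter has to treat specially.

```python
# Added example: read Fiddler SAZ sessions the way a SAZ-to-PCAP converter must.
# Not fiddler2pcap's code. The archive built here is constructed sample data.
import io
import re
import zipfile

# Fiddler stores each session as raw/NN_c.txt (client request),
# raw/NN_s.txt (server response) and raw/NN_m.xml (metadata) inside a zip.
SESSION_RE = re.compile(r"^raw/(\d+)_([cs])\.txt$")


def build_sample_saz():
    """Constructed SAZ archive (sample data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # 01: proxied request; Fiddler records the absolute-form request target
        z.writestr("raw/01_c.txt",
                   "GET http://landing.example/ HTTP/1.1\r\n"
                   "Host: landing.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
        z.writestr("raw/01_s.txt",
                   "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "Content-Length: 13\r\n\r\n<html></html>")
        z.writestr("raw/01_m.xml", "<Session SID='1'/>")
        # 02: origin-form request target; the host comes from the Host header
        z.writestr("raw/02_c.txt",
                   "GET /js/app.js HTTP/1.1\r\nHost: landing.example\r\n\r\n")
        z.writestr("raw/02_s.txt",
                   "HTTP/1.1 302 Found\r\nLocation: http://cdn.example/app.js\r\n"
                   "Content-Length: 0\r\n\r\n")
        # 03: HTTPS tunnel; only the CONNECT is recorded, no decrypted payload
        z.writestr("raw/03_c.txt",
                   "CONNECT secure.example:443 HTTP/1.1\r\n"
                   "Host: secure.example:443\r\n\r\n")
        z.writestr("raw/03_s.txt",
                   "HTTP/1.1 200 Connection Established\r\n\r\n")
        # 04: aborted session; the request was sent but no response file exists
        z.writestr("raw/04_c.txt",
                   "GET /never-answered HTTP/1.1\r\nHost: landing.example\r\n\r\n")
    return buf.getvalue()


def _header(head, name):
    """Case-insensitive lookup of one header value in a raw HTTP head block."""
    for line in head.split(b"\r\n")[1:]:
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == name:
            return value.strip().decode("latin-1")
    return None


def read_saz_sessions(saz_bytes):
    """Pair each request with its response and parse the HTTP layer.

    Returns dicts sorted by session id. Sessions without a response (aborted)
    are dropped; CONNECT tunnels are kept but flagged, because there is no
    HTTP payload inside them to replay into a PCAP."""
    sessions = {}
    with zipfile.ZipFile(io.BytesIO(saz_bytes)) as z:
        for name in z.namelist():
            m = SESSION_RE.match(name)
            if m:
                sessions.setdefault(m.group(1), {})[m.group(2)] = z.read(name)
    out = []
    for sid in sorted(sessions):
        pair = sessions[sid]
        if "c" not in pair or "s" not in pair:
            continue                      # aborted: nothing to pair with
        req_head = pair["c"].partition(b"\r\n\r\n")[0]
        res_head, _, res_body = pair["s"].partition(b"\r\n\r\n")
        method, target, _ = req_head.split(b"\r\n")[0].decode("latin-1").split(" ", 2)
        status = int(res_head.split(b"\r\n")[0].split(b" ")[1])
        host = _header(req_head, b"host")
        tunnel = method.upper() == "CONNECT"
        if tunnel or target.startswith(("http://", "https://")):
            url = target
        else:
            url = "http://%s%s" % (host, target)
        out.append({"id": sid, "method": method, "url": url, "host": host,
                    "status": status, "response_body": res_body, "tunnel": tunnel})
    return out


if __name__ == "__main__":
    for s in read_saz_sessions(build_sample_saz()):
        print("%s %s %s -> %d%s" % (s["id"], s["method"], s["url"], s["status"],
                                    " (tunnel)" if s["tunnel"] else ""))
```

Everything a PCAP needs below HTTP (MAC and IP addresses, TCP ports other than the one in the Host header, sequence numbers, timing) is simply absent from the archive, which is why fiddler2pcap has to make up layer 2 and 3 and why a tcprewrite pass is needed to repair them before CapTipper reads the file.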

Video Example


I made an analysis example video using CapTipper, based on the PCAP files used in the two previous CapTipper blog posts (first and second).

Some more changes and bug fixes were made and can be viewed in the change log.

As always, feedback is much appreciated.

CapTipper on GitHub
omriher@gmail.com
@omriher
