This script collects data for incident response and forensics (useful for CTF and DFIR challenges!).
This script was written during forensic lessons and certification challenges. It is a small script that reduces analysis time and performs basic detection. Outputs are: the JSON report and the extracted files.
Detections for suspicious activity will be added in the future (check the to do list).
This package requires:
- python3
- python3 Standard Library
- Scapy
```
python3 -m pip install scapy
```
```
git clone "https://github.com/mauricelambert/NetworkCollectDFIR.git"
cd "NetworkCollectDFIR"
```

```
wget https://github.com/mauricelambert/NetworkCollectDFIR/archive/refs/heads/main.zip
unzip main.zip
cd NetworkCollectDFIR-main
```
```
python3 network_ir_collect.py <file.pcap>
```
- Extract SMB files and generate hashes (MD5, SHA1, SHA256)
- Extract HTTP files and generate hashes (MD5, SHA1, SHA256)
- Extract HTTP Content-Disposition (https://www.ietf.org/rfc/rfc2183.txt)
- Extract FTP files
- Port scan (lot of TCP connections without ACK, statistics are generated and reported)
- HTTP path bruteforce (hacktools like dirb, dirbuster, ffuf, gobuster bruteforce HTTP paths to discover hidden or misconfigured files; lot of 404 error pages and lot of paths, statistics are generated and reported)
- Hostname spoofing (spoofing a local hostname to perform a MITM attack: multiple local names for one IP address, data are parsed, there are no statistics)
- ARP spoofing (multiple IP addresses for one MAC address (false positive with routers), statistics are generated and reported)
- ARP scan (lot of requests for different IP addresses without responses)
- Ping scan (lot of requests for different IP addresses without responses)
- RPC SID bruteforce
- LDAP enumeration
- SMB enumeration
- HTTP authentication bruteforce (lot of Authorization header values)
- FTP authentication bruteforce (lot of user/password values)
- Kerberos authentication bruteforce (lot of requests in a short time)
- NTLM authentication bruteforce
- AS-REP roasting
- Kerberoasting
- List TCP sessions (IP addresses, ports, data size, start, end, files, ...)
- Role detection (DNS server, LDAP server, Kerberos server, NTP server)
- Statistics by IP (how many IPs contacted, how many ports contacted)
- IP statistics (how many packets with IP address (as source or destination))
- TCP statistics (SYN, ACK, CLOSE, RESET)
- UDP statistics
- HTTP statistics
- RPC statistics
- WinRM statistics
- List all flows between two IP addresses
- List all TCP flows
- List all UDP flows
- List all name resolutions (DNS, mDNS, LLMNR, NetBIOS)
- Datetime of the first packet (IP, flow between two IP addresses, TCP by destination port and IP, UDP by destination port and IP, by protocol and IP, name resolution)
- SMB information (IP, hostname, file path, share) with datetime of the first session
- HTTP information (host, user-agent, path (by method), status code, server, content type) with datetime of the first session
- NTP with packet datetime (to identify clock problems: some hacktools generate invalid Kerberos tickets because of a datetime mistake)
- LDAP filters (hostname, domain, Domain GUID/SID, user) with datetime of the first session
- RPC information (machine name) with datetime of the first session
- Kerberos information (cname, sname, address/hostname) with datetime of the first session
Licensed under the GPL, version 3.