Cyber security

Karton-Pcap-Miner: Streamlining Network Indicator Extraction from PCAPs

Karton-Pcap-Miner is a strong program that quickly pulls network indicators from analysis PCAP files.” It works with MWDB without any problems to add these indicators as attributes, which makes cybersecurity research better. You can use it with complicated network data because it has tools for HTTP, TCP, SNI, and DNS built in. Professionals who want to speed up the processes of network analysis and signal extraction must have this tool.

Extract network indicators from analysis PCAPs and add push them to MWDB as attributes.

Example analysis results in MWDB

Prerequisites

  • tshark (apt install tshark)
  • karton-core

Built-in analyzers

  • http
    • contacted http(s) URLs, example: http://305friend.caesarsgroup.top/_errorpages/305friend/five/fre.php
  • tcp
    • contacted tcp hosts (including destination port), example: 104.21.1.61:80
  • sni
    • server names extracted from TLS handshakes (including destination port), example: 305friend.caesarsgroup.top:443
  • dns
    • DNS queries, example: 305friend.caesarsgroup.top

Configuration

The default configuration uses the following configuration. You should modify it to suit your own instance if you’re deploying the services on your own infrastructure.

[pcap-miner]
vm_ip_range=10.0.0.0/8
max_results=24
ignore_list=

Read the karton documentation to learn how to configure services in your own deployment.

VM IP range

Set the vm_ip_range value to specify the range of IP addresses used by VMs. This is used to detect the outgoing direction in network connections.

Max results

Some samples may purposely generate a huge number of TCP/DNS connections. The max_results configures the maximum number of results reported for a given analyzer. If The number exceeds the configured value, no values are reported at all. Set to -1 to always report all results.

Indicator ignorelist

In some cases you don’t really want to report some of the indicators that come up in almost all PCAPs. Things like OCSP, UPNP, telemetry appears very frequently and doesn’t provide any analytic value per se.

You can configure the ignored values for each analyzer using the ignore_list configuration value. It should point to a JSON file containing the excluded values:

{
    "network-http": ["http://239.255.255.250:1900*","http://[FF02::C]:1900*"],
    "network-tcp": [],
    "network-sni": ["google.com:443"],
    "network-dns": ["teredo.ipv6.microsoft.com","isatap","dns.msftncsi.com","wpad"]
}
Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Leave a Comment
Share
Published by
Tamil S
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtools
6 months ago

Recent Posts

The Arsenal : A Comprehensive Guide To Anti-Forensic Tools And Techniques

Tools and packages that are used for countering forensic activities, including encryption, steganography, and anything…

6 hours ago

AvillaForensics 3.6 – Redefining Digital Forensics

Avilla Forensics is located in first place in the award international Forensics 4:Cast, in the…

6 hours ago

Estensioni Chrome OSINT : Harnessing The Power Of Google Chrome For Open-Source Intelligence

Comprehensive guide to leveraging Google Chrome's extensions for Open-Source Intelligence (OSINT) tasks. In this article,…

6 hours ago

Analisi-Digital-Forense : Un’Esplorazione Delle Distribuzioni Linux E Delle Tecniche Forensi Digitali

Embark on a journey into the realm of digital forensics with our exploration of 'Analisi-Digital-Forense.…

6 hours ago

OSINT-FORENSICS-MOBIL E: The Digital Trails With A Comprehensive Guide

The intersection of intelligence, investigation, and mobility. In this comprehensive guide, we delve into the…

6 hours ago

Tookie-osint : A Powerful Tool For OSINT Enthusiasts

Tookie-osint has a simple-to-use UI and is really straightforward. The main idea of Tookie-osint is…

1 day ago