Skip to content
/ PcapAnalysis Public

Pcap-analyzer to automate the process of finding malicious domains that interracted with a specific IP-Victim

5 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

connar/PcapAnalysis

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
associatedHosts.py
associatedHosts.py
 
 
readme.md
readme.md
 
 

Repository files navigation

What is this script used for

This python script is useful when analyzing malware traffic pcaps. It's goal is to find all HTTP and HTTPS hosts that a victim IP interacted with. Once it runs through the pcap file and collects all hosts which interacted with the victim ip, it makes request to VirusTotal in order to distinguish the malicious ones with the rest. It saves the time that would take to manually search each one up but also helps the analyst in case he missed something.

Requirements

To use this script, you need to create a profile in virus total. This is because you need an apikey provided by virus total in order for the script to successfully make requests to the endpoint.

Usage

This script is run as : python3 associatedHosts.py [VictimIP] [virustotal_api_key] [pcapFile]

Example [from the BURNINCANDLE malware traffic exercise]

After this script is run upon the burnincandle exercise pcap file, it outputs the following : image

About

Pcap-analyzer to automate the process of finding malicious domains that interracted with a specific IP-Victim

Topics

tls http pcap https wireshark malicious-domains virustotal network-traffic pcap-analyzer pyshark pcap-parser networktrafficanalysis malware-traffic-analysis

Resources

Readme
Activity

Stars

5 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages