The new version of CapTipper is here and it includes new and exciting features.

The most important addition is CapTipper's new logo 🙂

Thanks to Ira Suris Gurevich for this beautiful work.

I will be presenting the new CapTipper at BlackHat Arsenal USA this week so stop by and say Hi if you’re around.

Another project we are presenting at BlackHat Arsenal is CuckooSploit, a joint effort of our entire team at Check Point. I will elaborate on this later.

It is strongly advised to read the first and second version update blog posts in order to have a better understanding of what CapTipper is all about.

I am trying to answer as many requests as I can regarding new features to include in CapTipper, the most common one being a plugin infrastructure.

So here it is.

Plugins

CapTipper now supports python written plugins that implement the `ConsolePlugin` interface.

All plugins should be placed in the “/plugins/” folder and implement the ‘run()’ function, which is the entry point CapTipper uses.

Hello World example (“my_first_plugin.py”)

from CTPlugin import ConsolePlugin

class my_first_plugin(ConsolePlugin):
    author = "Omri Herscovici"
    description = "Prints Hello World"

    # run() is the entry point CapTipper calls; args holds the arguments typed after the plugin name
    def run(self, args):
        print "Hello World"

Obviously, the plugin interface has access to all the conversations and hosts datasets.

An extensive explanation and examples on how to write a plugin for CapTipper can be found here.

The main CapTipper repository already includes some example plugins. If you have an idea for a plugin, implement it and send it to me or open a pull request, so I can add it to the repository and share new functionality between CapTipper users.
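As an added, more complete plugin example (this is not code from the CapTipper repository), here is a plugin in the style of the bundled find_scripts and print_body plugins: it takes a conversation id, gunzips the response body when the server sent it compressed, and lists the script tags whose src points at a host other than the page's own. CapTipper's real ConsolePlugin base class gives plugins access to the captured conversations; the small ConsolePlugin stand-in, the SAMPLE_CONVERSATIONS dataset and the helper names used below are assumptions made so the file runs on its own, and the example is written in Python 3 (CapTipper itself is Python 2, so the print statement in a real plugin follows the Hello World above).

```python
import gzip
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample "conversations" dataset standing in for the real one
# CapTipper exposes to plugins: conversation id -> request URI and response body.
SAMPLE_CONVERSATIONS = {
    0: {
        "uri": "http://site.test/index.html",
        "body": (b"<html><head>"
                 b'<script src="/local.js"></script>'
                 b'<script src="http://site.test/same.js"></script>'
                 b'<script src="http://cdn.other.test/ext.js"></script>'
                 b'<script src="//third.test/x.js"></script>'
                 b"<script>var inline = 1;</script>"
                 b"</head><body>hi</body></html>"),
    },
    1: {  # body stored gzip-compressed, as a server would send it
        "uri": "http://site.test/landing",
        "body": gzip.compress(
            b'<html><script src="https://static.other.test/lib.js"></script></html>'),
    },
}


class ConsolePlugin:
    """Stand-in (assumption) for CTPlugin.ConsolePlugin: author/description
    attributes, a run(args) entry point and access to the conversations."""
    author = ""
    description = ""

    def __init__(self, conversations):
        self.conversations = conversations

    def get_uri(self, conv_id):
        return self.conversations[conv_id]["uri"]

    def get_plain_body(self, conv_id):
        """Response body as text, gunzipped when it starts with the gzip magic 1f 8b."""
        body = self.conversations[conv_id]["body"]
        if body[:2] == b"\x1f\x8b":
            body = gzip.decompress(body)
        return body.decode("utf-8", errors="replace")

    def run(self, args):
        raise NotImplementedError


class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in document order."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def external_script_sources(html, page_uri):
    """Script src values whose host differs from the page's host.
    Relative paths are internal; protocol-relative //host/x.js counts as external."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    page_host = urlparse(page_uri).netloc.lower()
    return [src for src in parser.sources
            if urlparse(src).netloc.lower() not in ("", page_host)]


class find_external_scripts(ConsolePlugin):
    author = "example author (placeholder)"
    description = "Lists external scripts referenced by a conversation's body"

    def run(self, args):
        # args are the words typed after the plugin name, e.g. "p find_external_scripts 12"
        if not args:
            print("usage: plugin find_external_scripts <conversation id>")
            return []
        try:
            conv_id = int(args[0])
            html = self.get_plain_body(conv_id)
        except (ValueError, KeyError):
            print("invalid conversation id: %r" % args[0])
            return []
        found = external_script_sources(html, self.get_uri(conv_id))
        for src in found:
            print(" [+] external script: " + src)
        return found


if __name__ == "__main__":
    find_external_scripts(SAMPLE_CONVERSATIONS).run(["0"])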

The command ‘plugin’ enables the use of all loaded plugins.

CT> help plugin

Launching an external plugin (alias: p)



usage: plugin [-l] <*args>

-l – List all available plugins



examples:

plugin find_scripts

plugin 1

p find_scripts

List all available plugins:

CT> plugin -l

Loaded Plugins (3):

0 : check_host – Checks if a given id’s host is alive

1 : find_scripts – Finds external scripts included in the object body

2 : print_body – Prints the body of a conversation and ungzip if needed

The plugin command can also be used by its alias ‘p’.

Each plugin is assigned a unique ID, so a plugin can be invoked either by its name or by its ID.

For example, we can use the ‘check_host’ plugin, which has the id ‘0’ assigned to it.

This plugin receives a conversation id as an argument and checks if the domain hosting that conversation URL is alive.

Let’s use the plugin with conversation ’12’:

CT> p 0 12

Checking host grannityrektonaver.co.vu

IP:PORT = 173.244.195.17:80

[-] Server is dead

Documentation

Not really a feature but definitely a useful addition to CapTipper.

The CapTipper documentation is comprehensive and details all different aspects of CapTipper.

The documentation is hosted on ReadTheDocs and can be found here.

Output log

The output log is a new feature that enables recording all commands and results from the CapTipper console.

CT> output /Users/omriher/Temp/Nuclear-110615.txt

Logging to /Users/omriher/Temp/Nuclear-110615.txt

The logging only includes data from after using the ‘output’ command.

In order to stop logging, use ‘stop’ as the second argument.

CT> output stop

Stopped logging to /Users/omriher/Temp/Nuclear-110615.txt

Cuckoo PCAP analysis package

Cuckoo Sandbox is a malware analysis framework used to automatically run and analyse malicious files.

CuckooSploit is the second project we are presenting at BlackHat Arsenal, and it is based on Cuckoo Sandbox.

CuckooSploit is an environment for comprehensive, automated analysis of web-based exploits.

By using full web emulation on different combinations of OS/browser/plugin version, CuckooSploit increases the rate of malicious URL detection and presents a reliable verdict, and in some cases, CVE detection.

Originally CuckooSploit accepted only URLs; now, thanks to CapTipper, it also accepts PCAP files.

CuckooSploit integrates CapTipper in the form of a new Analysis Package.

The analysis package enables Cuckoo to accept PCAP files for analysis and uses CapTipper to revive them, which lets Cuckoo produce a full-flow report of exactly what happened to the machine (including the payload's behavior) when it was infected by a malicious URL.

The analysis package will work on any Cuckoo instance, and can be found here.

CuckooSploit was developed by our team at Check Point, which also includes David Oren, Liran Englender and Ilana Marcus.

CuckooSploit is on GitHub and can be found here. The blog post about CuckooSploit will be added soon to Check Point’s blog.

Using Fiddler SAZ files

There is still no support for using SAZ files in CapTipper natively, but it is possible to do so by converting Fiddler SAZ files to PCAP files using the project fiddler2pcap.

It uses the Python scapy library and some of its dependencies, so it’s best to do the conversion on a Linux machine.

Also, layers 2 and 3 of the packets aren’t generated correctly by fiddler2pcap, but this is easily fixed using tcprewrite.

I added a small bash script that converts all SAZ files in a folder to PCAPs that are readable by CapTipper (Thanks to Yaron Fruchtman).

The script can be found here.
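Because the weak spot of the conversion is the link and network layers, it helps to be able to tell whether a converted PCAP still needs tcprewrite before feeding it to CapTipper. The following Python 3 checker is an added example, not part of CapTipper, fiddler2pcap or the conversion script above: it reads the classic pcap global header, confirms the link type is Ethernet, and then verifies that each record is an Ethernet II frame with EtherType IPv4 and an IPv4 header whose total length matches the bytes present. The frames it runs on are constructed in memory (build_pcap, ipv4_packet and ethernet_frame exist only to fabricate test data, with made-up MAC and IP addresses).

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4        # classic pcap magic in the writer's byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Assemble a little-endian classic pcap file in memory (constructed test data)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", sec, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def ipv4_packet(payload, total_len=None):
    """IPv4 header + payload; total_len can be forced wrong to mimic a broken layer 3."""
    if total_len is None:
        total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")   # constructed addresses
    return hdr + payload


def ethernet_frame(ip_packet, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame with constructed MAC addresses."""
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
            + struct.pack("!H", ethertype) + ip_packet)


def check_pcap(data):
    """Return (linktype, problems); problems is empty when every record is an
    Ethernet II frame carrying a well-formed IPv4 header."""
    if len(data) < 24:
        return None, ["file too short for a pcap global header"]
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xd4c3b2a1:   # same magic written big-endian
        end = ">"
    else:
        return None, ["not a classic pcap file (bad magic 0x%08x)" % magic]
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        return linktype, ["link type %d is not Ethernet (1); layer 2 must be rebuilt" % linktype]
    problems = []
    off, n = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        n += 1
        if len(pkt) < 14:
            problems.append("frame %d: shorter than an Ethernet header" % n)
            continue
        ethertype = struct.unpack("!H", pkt[12:14])[0]
        if ethertype != ETHERTYPE_IPV4:
            problems.append("frame %d: EtherType 0x%04x is not IPv4" % (n, ethertype))
            continue
        ip = pkt[14:]
        if len(ip) < 20 or ip[0] >> 4 != 4:
            problems.append("frame %d: missing or non-IPv4 header" % n)
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        if total_len != len(ip):
            problems.append("frame %d: IPv4 total length %d != %d bytes present"
                            % (n, total_len, len(ip)))
    return linktype, problems


# Constructed sample frames: one correct, one with a zeroed EtherType,
# one with an IPv4 total length that does not match the packet.
PAYLOAD = b"GET / HTTP/1.1\r\nHost: site.test\r\n\r\n"
GOOD_FRAME = ethernet_frame(ipv4_packet(PAYLOAD))
BAD_L2_FRAME = ethernet_frame(ipv4_packet(PAYLOAD), ethertype=0x0000)
BAD_L3_FRAME = ethernet_frame(ipv4_packet(PAYLOAD, total_len=5))

if __name__ == "__main__":
    linktype, problems = check_pcap(build_pcap([GOOD_FRAME, BAD_L2_FRAME, BAD_L3_FRAME]))
    print("link type", linktype)
    for p in problems:
        print(" [-]", p)
```

To use it on a real file, pass the bytes of the converted PCAP to check_pcap; a non-empty problem list means the file should go through tcprewrite first.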

Video Example

I made an analysis example video using CapTipper based on the PCAP files used in the two (first and second) previous blog posts regarding CapTipper.

https://asciinema.org/a/23792/embed?

Some more changes and bug fixes were made and can be viewed in the change log.

As always, feedback is much appreciated.

CapTipper on GitHub

omriher@gmail.com

@omriher