
I have a large (8GB) packet capture (.pcap) that has generated a number of Snort alerts.

I suspect that some data may have been exfiltrated while encoded. Is there an easy way to determine if anything has gone out as Base64 encoded without having to sift through Wireshark to find the problem, perhaps using the terminal?

My worry is that an actor could conduct lateral movement within the system and extract files to a 3rd party system which wouldn't be recognized by Snort alerts.

I've tried parsing the large .pcap into 200MB files to allow closer examination (my VM has memory limitations).

user3440278

2 Answers


This inspired me to write pdml2flow-base64strings, a plugin for pdml2flow. Using the power of pdml2flow, the plugin searches in all fields known by wireshark/tshark for valid base64 encoded data. If it finds base64 strings, it then decodes and prints the raw data for you. You can use the --minlength switch if you want to limit the search only to data of a certain size. It also allows you to narrow down your search to only ascii (--ascii) or utf-8 (--utf8).

For example, if you want to extract all utf-8 strings encoded in any field known by wireshark/tshark, you could use pdml2flow with the plugin:

tshark -r dump.cap -Tpdml | pdml2flow +base64strings --utf8

or, if you don't want flow aggregation, use pdml2frame:

tshark -r dump.cap -Tpdml | pdml2frame +base64strings --utf8

I hope this helps. Any input is welcome, thank you.

Disclosure: I am the author of pdml2flow and pdml2flow-base64strings

Ente

Not an easy task, but you could try using tshark on the command line.
Generated base64 payload:

echo "base64 encoded payload" | base64
YmFzZTY0IGVuY29kZWQgcGF5bG9hZAo=

Setup a listening socket:

netcat -l -p 8090

POST to it

curl -X POST -d 'YmFzZTY0IGVuY29kZWQgcGF5bG9hZAo=' http://localhost:8090
^C

Parsing on command line after capturing with wireshark:

tshark -r ~/tmp/base64.pcapng -T fields -e http.file_data | grep -E '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$'

Result (plus empty lines for non matches, not shown for simplicity's sake):

YmFzZTY0IGVuY29kZWQgcGF5bG9hZAo=
LMC
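A small filter in the spirit of both answers, added here as an example and not code from the page, from pdml2flow-base64strings or from tshark: it reads the one-value-per-line output of `tshark -T fields -e http.file_data` (or any other field), applies a stricter pattern than the grep above (blank lines and stray 4-character words no longer count), enforces a --minlength-style cutoff, and keeps only runs that decode to printable utf-8 or ascii text. The sample lines are constructed; the first one is the test payload from the answer.

```python
import base64
import binascii
import re
import sys

# A base64 run: whole 4-char groups plus optional final padding, not glued
# to other base64-alphabet characters on either side.
B64_RUN = re.compile(
    r"(?<![A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})+"
    r"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?(?![A-Za-z0-9+/=])"
)

def is_text(s):
    """True when every character is printable or ordinary whitespace."""
    return all(c.isprintable() or c in "\r\n\t" for c in s)

def find_base64(lines, minlength=16, charset="utf-8"):
    """Scan field values (one per line, as `tshark -T fields` prints them)
    and return (line_no, token, decoded) for runs that decode to text."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in B64_RUN.finditer(line):
            token = m.group(0)
            if len(token) < minlength:
                continue  # short runs are mostly ordinary words, not payloads
            try:
                decoded = base64.b64decode(token, validate=True).decode(charset)
            except (binascii.Error, UnicodeDecodeError):
                continue
            if is_text(decoded):  # drops NUL/control-byte garbage
                hits.append((n, token, decoded))
    return hits

# Constructed sample in the shape of `tshark -T fields -e http.file_data`
# output: one value per packet, blank lines where the field is absent.
SAMPLE_LINES = [
    "YmFzZTY0IGVuY29kZWQgcGF5bG9hZAo=",  # the answer's own test payload
    "",
    "user=alice&blob=" + base64.b64encode(b"Q3 revenue forecast.xlsx").decode(),
    "GET /index.html HTTP/1.1",
    "AAAAAAAAAAAAAAAAAAAAAAAA",  # valid base64 that decodes to NUL bytes
]

if __name__ == "__main__":
    # Pipe tshark output in, or run without stdin to use the sample above.
    src = SAMPLE_LINES if sys.stdin.isatty() else (l.rstrip("\n") for l in sys.stdin)
    for n, token, decoded in find_base64(src):
        print(f"line {n}: {token} -> {decoded!r}")
```

Usage: `tshark -r dump.pcap -T fields -e http.file_data | python3 find_b64.py`; raise --minlength-style `minlength` on a noisy capture to cut false positives from ordinary words.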