
Blue Team Training Toolkit (BT3) is software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.

BT3 includes Pcapteller, a module designed for network traffic manipulation and replay. It lets an organization re-create, in its own infrastructure, a recorded network traffic scenario that originally took place in a foreign network, so that it looks as if the scenario really happened there.

This blog post is going to cover the most fundamental aspects of Pcapteller that will get you started in no time.

Pcapteller – Designed for Network Traffic Manipulation and Replay

In a nutshell, Pcapteller reads network packets from a PCAP file, and replays them into the network. The module allows packet manipulation (MAC addresses, IP addresses, and packet payloads) prior to replay, so it is possible to customize the traffic with specific addresses and indicators that fit your environment.

The module is useful if you want to re-create scenarios in which computer attacks or malware infections occurred. Using such scenarios as a base, Pcapteller lets you reuse existing PCAP files and make everything look like the attack is really happening in your own network. Pcapteller can help you improve your blue team's network security monitoring skills, or create network diversions during red team operations.
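The read, rewrite and replay loop described above, as an added example in Python (not Pcapteller's or BT3's own code): it parses a classic PCAP, remaps MAC and IPv4 addresses and a payload indicator, recomputes the IPv4 header checksum and the TCP/UDP checksum (the address change invalidates both, because the transport pseudo-header covers the IP addresses), and injects the result on an interface with a raw socket. The sample capture, the address maps and the `c2.example` indicator are constructed for this example and are not real traffic.

```python
"""Rewrite MACs, IPv4 addresses and payload indicators in a PCAP, then replay it.
Added example, not Pcapteller's or BT3's own code. Classic PCAP only (no pcapng),
Ethernet II frames; frames that are not IPv4/TCP/UDP only get the MAC rewrite."""
import socket
import struct

IPV4 = b"\x08\x00"


def csum16(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; over data with its checksum in place it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def read_pcap(blob: bytes) -> list:
    """Return the raw link-layer frames stored in a classic PCAP blob."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", blob[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    frames, off = [], 24                         # skip the 24-byte global header
    while off + 16 <= len(blob):
        incl_len = struct.unpack(endian + "IIII", blob[off:off + 16])[2]
        frames.append(blob[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def write_pcap(frames: list) -> bytes:
    """Serialise frames as a little-endian classic PCAP, linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):                # timestamps one second apart
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


def rewrite_frame(frame: bytes, mac_map: dict, ip_map: dict, payload_map: dict) -> bytes:
    """Swap MACs, IPv4 addresses and payload bytes, then fix IP and TCP/UDP checksums."""
    dst = mac_map.get(frame[:6], frame[:6])
    src = mac_map.get(frame[6:12], frame[6:12])
    ethertype, rest = frame[12:14], frame[14:]
    if ethertype != IPV4 or len(rest) < 20:
        return dst + src + ethertype + rest          # e.g. ARP: only MACs change
    ihl = (rest[0] & 0x0F) * 4
    ip, seg = bytearray(rest[:ihl]), rest[ihl:]
    ip[12:16] = ip_map.get(bytes(ip[12:16]), bytes(ip[12:16]))
    ip[16:20] = ip_map.get(bytes(ip[16:20]), bytes(ip[16:20]))
    proto = ip[9]
    if proto in (6, 17):                             # TCP or UDP
        hdr_len = (seg[12] >> 4) * 4 if proto == 6 else 8
        body = seg[hdr_len:]
        for old, new in payload_map.items():
            body = body.replace(old, new)            # TCP seq/ack numbers are NOT adjusted
        seg = bytearray(seg[:hdr_len] + body)
        if proto == 17:
            seg[4:6] = struct.pack("!H", len(seg))   # UDP length field
        off = 16 if proto == 6 else 6                # checksum offset in the TCP / UDP header
        seg[off:off + 2] = b"\x00\x00"
        c = csum16(bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, len(seg)) + bytes(seg))
        seg[off:off + 2] = struct.pack("!H", 0xFFFF if proto == 17 and c == 0 else c)
        seg = bytes(seg)
    ip[2:4] = struct.pack("!H", ihl + len(seg))      # total length may have changed
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", csum16(bytes(ip)))
    return dst + src + ethertype + bytes(ip) + seg


def retarget(pcap: bytes, mac_map: dict, ip_map: dict, payload_map: dict) -> list:
    """Apply rewrite_frame to every frame in a PCAP blob."""
    return [rewrite_frame(f, mac_map, ip_map, payload_map) for f in read_pcap(pcap)]


def replay(frames: list, iface: str) -> None:
    """Inject frames on iface as-is (Linux AF_PACKET; needs CAP_NET_RAW). Not run in tests."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        for f in frames:
            s.send(f)


def sample_pcap() -> bytes:
    """Constructed capture (not real traffic): an ARP frame and a UDP datagram with a beacon."""
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    arp = mac_b + mac_a + b"\x08\x06" + b"\x00" * 28
    body = b"GET /beacon HTTP/1.0\r\nHost: c2.example\r\n\r\n"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(body), 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"))
    # A no-op rewrite fills in the checksums the hand-built headers lack.
    return write_pcap([arp, rewrite_frame(mac_b + mac_a + IPV4 + ip + udp, {}, {}, {})])
```

A typical call is `replay(retarget(open("attack.pcap", "rb").read(), mac_map, ip_map, {b"c2.example": b"c2.corp.internal"}), "eth0")`, or `write_pcap(...)` to a file for a replay tool. Two limits worth knowing before you lean on this: a substitution that changes payload length in a TCP stream shifts every later sequence and acknowledgement number, so keep TCP substitutions length-preserving (or fix up seq/ack); and the rewritten addresses are injected verbatim, so they should be hosts you are allowed to impersonate on that segment.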

The Most Relevant Commands

  • Invoking Pcapteller
    The module can be invoked with “use pcapteller” directly from the BT3 command-line interface. You should note that the BT3 command prompt changes based on the current module in use.

Pcapteller module ready for use after invocation

  • Module version check
    The current module version can be checked with the “version” command.

Pcapteller version command output

  • Module help overview
    Pcapteller supports a range of general commands, which can be displayed with “help”.

List of commands supported by the module

  • Module material list
    PCAP files available for use can be listed with “show pcaps”. If a content subscription account is already authenticated, the command will retrieve available PCAP information from the online library. More targeted profile listing can be achieved with “show pcaps cloud”, “show pcaps disk”, “show pcaps free” and “show pcaps premium”. These commands will present all PCAP files available online, PCAP files found locally on your computer, PCAP files which can be downloaded for free, and PCAP files which can be downloaded with the use of content credits respectively.

Example with available PCAP files on disk

Fragment of the online PCAP library

  • Material search
    Available PCAP files can be easily found with the “search” command. Searches use the PCAP file name or its description as criterion.

Search results presented by the module

  • Material information
    Detailed information about a given PCAP file can be shown with the “info” command. The expected command argument is the PCAP file to present. Note that PCAP files downloaded to your local disk will have a “.pcap” extension, while those online do not.

Details about a PCAP file found on disk

  • Material download
    Authenticated content subscription accounts have access to the Blue Team Training Toolkit online library, which holds both free and premium training content. Premium content has a price that is deducted from the user's content credit balance, so a premium download only completes if the balance covers it; free content can be downloaded without restrictions. Online resources are downloaded with the "download" command, with the material name provided as an argument.

Successful material download

  • Material download history
    The training material download history associated with your subscription account can be retrieved with “show downloads”.

Material download history

  • Module network interfaces overview
    Available network interfaces can be displayed with the “show interfaces” command. This is useful for checking what interfaces can be used for traffic replay, without leaving the BT3 console.

Listing available network interfaces

  • Module option list
    Module options and their current values can be listed with “show options”.

Module options and their current values

  • Module option configuration
    Module option values can be set with the "set" command, followed by the option name and its new value.

Setting a new option value

  • Module execution
    Once all required module options have been configured with valid values, Pcapteller begins replaying packets with the "run" command. All module options are validated prior to execution. Keep in mind that the replayed packets are injected onto the live network: pick an interface on the segment your monitoring actually sees, and make sure the addresses you substituted in belong to hosts you are allowed to impersonate there.

Successful packet replay with Pcapteller

Check out the BT3 user guide, or the Blue Team Training Toolkit Video Series for practical examples.

You can also download the Blue Team Training Toolkit and test it for yourself!