Blue Team Training Toolkit (BT3) is software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.
BT3 includes Pcapteller, which is a module designed for network traffic manipulation and replay. It allows organizations to re-create a recorded network traffic scenario that occurred in a foreign network, as it really happened in their own infrastructure.
This blog post is going to cover the most fundamental aspects of Pcapteller that will get you started in no time.
Pcapteller – Designed for Network Traffic Manipulation and Replay
In a nutshell, Pcapteller reads network packets from a PCAP file, and replays them into the network. The module allows packet manipulation (MAC addresses, IP addresses, and packet payloads) prior to replay, so it is possible to customize the traffic with specific addresses and indicators that fit your environment.
The module is useful if you want to re-create scenarios where computer attacks or malware infections occurred. Using such scenarios as a base, Pcapteller will allow you to reuse existing PCAP files and make everything look like the attack is really happening in your own network. Pcapteller can help you improving your blue team’s network security monitoring skills, or creating network diversions during red team operations.
The Most Relevant Commands
- Invoking Pcapteller
The module can be invoked with “use pcapteller” directly from the BT3 command-line interface. You should note that the BT3 command prompt changes based on the current module in use.
- Module version check
The current module version can be checked with the “version” command.
- Module help overview
Pcapteller supports a range of general commands, which can be displayed with “help”.
- Module material list
PCAP files available for use can be listed with “show pcaps”. If a content subscription account is already authenticated, the command will retrieve available PCAP information from the online library. More targeted profile listing can be achieved with “show pcaps cloud”, “show pcaps disk”, “show pcaps free” and “show pcaps premium”. These commands will present all PCAP files available online, PCAP files found locally on your computer, PCAP files which can be downloaded for free, and PCAP files which can be downloaded with the use of content credits respectively.
- Material search
Available PCAP files can be easily found with the “search” command. Searches use the PCAP file name or its description as criterion.
- Material information
Detailed information about a given PCAP file can be shown with the “info” command. The expected command argument is the PCAP file to present. Note that PCAP files downloaded to your local disk will have a “.pcap” extension, while those online do not.
- Material download
Authenticated content subscription accounts will have access to the Blue Team Training Toolkit online library, with both free and premium training content. Premium online training content has a price, which will be deducted from the user’s existing content credit balance. Premium downloads require users to have enough credit balance in order to complete the download. Free online content, on the other hand, can be downloaded without restrictions. Downloading online resources can be done with the “download” command, and the material name provided as an argument.
- Material download history
The training material download history associated with your subscription account can be retrieved with “show downloads”.
- Module network interfaces overview
Available network interfaces can be displayed with the “show interfaces” command. This is useful for checking what interfaces can be used for traffic replay, without leaving the BT3 console.
- Module option list
Module options and their current values can be listed with “show options”.
- Module option configuration
Module option values can be set with the “set” command, the desired option and its new value.
- Module execution
Once all required module options have been configured with valid values, Pcapteller can begin to replay packets with the “run” command. All module options are validated prior to execution.