Pcapteller – Designed for Network Traffic Manipulation and Replay
In a nutshell, Pcapteller reads network packets from a PCAP file, and replays them into the network. The module allows packet manipulation (MAC addresses, IP addresses, and packet payloads) prior to replay, so it is possible to customize the traffic with specific addresses and indicators that fit your environment.
The module is useful if you want to re-create scenarios where computer attacks or malware infections occurred. Using such scenarios as a base, Pcapteller will allow you to reuse existing PCAP files and make everything look like the attack is really happening in your own network. Pcapteller can help you improve your blue team’s network security monitoring skills, or create network diversions during red team operations.
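The manipulation step described above (rewriting MAC addresses and IP addresses before replay) is illustrated here with an added example that is not Pcapteller's own code: a pure-Python rewriter for classic PCAP files that swaps Ethernet and IPv4 addresses and recomputes the IP and TCP/UDP checksums, so the replayed packets do not reach your sensors as checksum errors. The one-packet capture it builds and the address maps used with it are constructed sample data, not taken from the BT3 library.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by IPv4, TCP and UDP."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_packet(pkt: bytes, mac_map: dict, ip_map: dict) -> bytes:
    """Swap Ethernet MACs and IPv4 addresses, then fix the IP and TCP/UDP checksums."""
    b = bytearray(pkt)
    if len(b) < 34 or b[12:14] != b"\x08\x00":
        return pkt  # not an Ethernet/IPv4 frame: left untouched
    # dst MAC @0, src MAC @6, src IP @26, dst IP @30 (IP options come after the addresses)
    for off, size, table in ((0, 6, mac_map), (6, 6, mac_map), (26, 4, ip_map), (30, 4, ip_map)):
        b[off:off + size] = table.get(bytes(b[off:off + size]), bytes(b[off:off + size]))
    ihl, proto = (b[14] & 0x0F) * 4, b[23]
    b[24:26] = struct.pack("!H", inet_checksum(bytes(b[14:24]) + b"\x00\x00" + bytes(b[26:14 + ihl])))
    l4, l4_len = 14 + ihl, struct.unpack("!H", b[16:18])[0] - ihl
    if proto in (6, 17) and 8 <= l4_len <= len(b) - l4:
        # TCP/UDP checksums cover a pseudo-header holding both IPs, so they change too
        coff = l4 + (16 if proto == 6 else 6)
        b[coff:coff + 2] = b"\x00\x00"
        pseudo = bytes(b[26:34]) + struct.pack("!BBH", 0, proto, l4_len)
        c = inet_checksum(pseudo + bytes(b[l4:l4 + l4_len])) or (0xFFFF if proto == 17 else 0)
        b[coff:coff + 2] = struct.pack("!H", c)
    return bytes(b)

def rewrite_pcap(data: bytes, mac_map: dict, ip_map: dict) -> bytes:
    """Walk a classic little-endian PCAP (magic a1b2c3d4) and rewrite every record."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[pos:pos + 16])
        pkt = rewrite_packet(data[pos + 16:pos + 16 + incl_len], mac_map, ip_map)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig_len) + pkt
        pos += 16 + incl_len
    return bytes(out)

def sample_pcap() -> bytes:
    """Constructed one-packet capture: 10.0.0.1:4444 -> 10.0.0.2:53 over UDP, payload b'hi'."""
    udp = struct.pack("!HHHH", 4444, 53, 10, 0) + b"hi"
    ip = bytearray(b"\x45\x00" + struct.pack("!HHHBBH", 20 + len(udp), 1, 0, 64, 17, 0) + bytes([10, 0, 0, 1, 10, 0, 0, 2]))
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    pkt = bytes.fromhex("000000000002" "000000000001" "0800") + bytes(ip) + udp
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
```

Feed `rewrite_pcap` the bytes of a real capture with maps keyed by the original addresses to obtain a file whose addresses match your own network; pcapng files and non-IPv4 frames are outside what this example handles.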
The Most Relevant Commands
- Invoking Pcapteller
The module can be invoked with “use pcapteller” directly from the BT3 command-line interface. You should note that the BT3 command prompt changes based on the current module in use.
Pcapteller module ready for use after invocation
- Module version check
The current module version can be checked with the “version” command.
Pcapteller version command output
- Module help overview
Pcapteller supports a range of general commands, which can be displayed with “help”.
List of commands supported by the module
- Module material list
PCAP files available for use can be listed with “show pcaps”. If a content subscription account is already authenticated, the command will also retrieve available PCAP information from the online library. More targeted listings can be obtained with “show pcaps cloud”, “show pcaps disk”, “show pcaps free” and “show pcaps premium”. These commands present, respectively, all PCAP files available online, PCAP files found locally on your computer, PCAP files which can be downloaded for free, and PCAP files which can be downloaded with the use of content credits.
Example with available PCAP files on disk
Fragment of the online PCAP library
- Material search
Available PCAP files can be easily found with the “search” command. Searches use the PCAP file name or its description as criterion.
Search results presented by the module
- Material information
Detailed information about a given PCAP file can be shown with the “info” command. The expected command argument is the PCAP file to present. Note that PCAP files downloaded to your local disk will have a “.pcap” extension, while those online do not.
Details about a PCAP file found on disk
- Material download
Authenticated content subscription accounts will have access to the Blue Team Training Toolkit online library, with both free and premium training content. Premium online training content has a price, which will be deducted from the user’s existing content credit balance. Premium downloads require users to have enough credit balance in order to complete the download. Free online content, on the other hand, can be downloaded without restrictions. Downloading online resources can be done with the “download” command, and the material name provided as an argument.
Successful material download
- Material download history
The training material download history associated with your subscription account can be retrieved with “show downloads”.
Material download history
- Module network interfaces overview
Available network interfaces can be displayed with the “show interfaces” command. This is useful for checking what interfaces can be used for traffic replay, without leaving the BT3 console.
Listing available network interfaces
- Module option list
Module options and their current values can be listed with “show options”.
Module options and their current values
- Module option configuration
Module option values can be set with the “set” command, followed by the desired option and its new value.
Setting a new option value
- Module execution
Once all required module options have been configured with valid values, Pcapteller can begin to replay packets with the “run” command. All module options are validated prior to execution.
Successful packet replay with Pcapteller