This case will use a public PCAP file that contains an attack scenario involving an exploit kit delivering ransomware. This PCAP file describes a chain of events where host “192.168.122.70” is the victim.
Fragment of the original PCAP file with an attacker IP address and the victim (192.168.122.70)
Let’s consider an organization that would like to use such a resource for a training session. The organization wants to exercise the security countermeasures and configurations it currently runs in production. The production network uses a class B internal IPv4 addressing schema (172.31.0.0/16). For this example, the victim machine will become “172.31.10.11”. In this case, the following module options should be configured:
Module options prior to traffic manipulation and replay
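Pcapteller’s own rewriting code is not shown on this page; the following Python is an added example (not BT3 code) that performs the equivalent address rewrite on a libpcap file, mapping the victim 192.168.122.70 to 172.31.10.11 and recomputing the IPv4 and TCP checksums so that a sensor does not discard the replayed packets as corrupt. The peer address 203.0.113.5 and the single SYN in `sample_pcap()` are constructed placeholders, not the real attacker from the PCAP.

```python
import socket
import struct

TCP = 6  # IPv4 protocol number for TCP

def checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum; odd-length input is zero-padded.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_frame(pkt: bytes, mapping: dict) -> bytes:
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return pkt                                   # non-IPv4: pass through
    ihl, total = (pkt[14] & 0x0F) * 4, struct.unpack("!H", pkt[16:18])[0]
    ip, l4 = bytearray(pkt[14:14 + ihl]), bytearray(pkt[14 + ihl:14 + total])
    for off in (12, 16):                             # src at 12, dst at 16
        addr = socket.inet_ntoa(bytes(ip[off:off + 4]))
        ip[off:off + 4] = socket.inet_aton(mapping.get(addr, addr))
    ip[10:12] = b"\x00\x00"                          # zero, then recompute
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    # TCP checksum covers a pseudo-header with both addresses: redo it too,
    # or the sensor may treat the segment as corrupt (UDP needs the same).
    if ip[9] == TCP and len(l4) >= 20:
        l4[16:18] = b"\x00\x00"
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, TCP, len(l4))
        l4[16:18] = struct.pack("!H", checksum(pseudo + bytes(l4)))
    return pkt[:14] + bytes(ip) + bytes(l4) + pkt[14 + total:]

def rewrite_pcap(data: bytes, mapping: dict) -> bytes:
    # Walk a little-endian libpcap file and rewrite every record's frame.
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "LE pcap only"
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack("<IIII", data[pos:pos + 16])
        frame = rewrite_frame(data[pos + 16:pos + 16 + incl], mapping)
        out += struct.pack("<IIII", sec, usec, len(frame), orig) + frame
        pos += 16 + incl
    return bytes(out)

def sample_pcap() -> bytes:
    # Constructed input: one SYN from the victim to a placeholder peer (203.0.113.5).
    ip = bytes([0x45, 0, 0, 40, 0, 1, 0x40, 0, 64, TCP, 0, 0])
    ip += socket.inet_aton("192.168.122.70") + socket.inet_aton("203.0.113.5")
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    frame = rewrite_frame(b"\x00" * 12 + b"\x08\x00" + ip + tcp, {})  # fills checksums
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # DLT_EN10MB
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
```

Calling `rewrite_pcap(sample_pcap(), {"192.168.122.70": "172.31.10.11"})` yields a capture ready to be replayed on the 172.31.0.0/16 segment; the returned bytes can be written straight to a `.pcap` file.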
The result of the customized traffic injected into the network is described in the screenshots below.
Running BT3’s Pcapteller module
Fragment of the manipulated PCAP file with attacker IP address and the victim (172.31.10.11)
Since Pcapteller injects the manipulated network traffic into the production network, the existing security countermeasures can detect and alert on possible threats. This example shows how an Intrusion Detection System (Snort with the ET GPL ruleset) reacts to the manipulated traffic.
Alerts generated by Intrusion Detection System (Snort) during the execution of the example