RawCap sniffer for Windows released
We are today proud to announce the release of RawCap, which is a free raw sockets sniffer for Windows. Here are some highlights of why RawCap is a great tool to have in your toolset:
- Can sniff any interface that has an IP address, including 127.0.0.1 (localhost/loopback)
- RawCap.exe is just 17 kB
- No external libraries or DLLs needed
- No installation required, just download RawCap.exe and sniff
- Can sniff most interface types, including WiFi and PPP interfaces
- Minimal memory and CPU load
- Reliable and simple to use
Usage
RawCap takes two arguments; the first argument is the IP address or interface number to sniff from, the second is the path/file to write the captured packets to.
C:\Tools>RawCap.exe 192.168.0.23 dumpfile.pcap
You can also start RawCap without any arguments, which will leave you with an interactive dialog where you can select NIC and filename:
C:\Tools>RawCap.exe
Network interfaces:
0. 192.168.0.23 Local Area Connection
1. 192.168.0.47 Wireless Network Connection
2. 90.130.211.54 3G UMTS Internet
3. 192.168.111.1 VMware Network Adapter VMnet1
4. 192.168.222.1 VMware Network Adapter VMnet2
5. 127.0.0.1 Loopback Pseudo-Interface
Select network interface to sniff [default '0']: 1
Output path or filename [default 'dumpfile.pcap']:
Sniffing IP : 192.168.0.47
File : dumpfile.pcap
Packets : 1337
For Incident Responders
RawCap comes in very handy for incident responders who want to be able to sniff network traffic locally at the clients of the corporate network. Here are a few examples of how RawCap can be used for incident response:
- A company laptop somewhere on the corporate network is believed to exfiltrate sensitive corporate information to a foreign server on the Internet by using a UMTS 3G connection on a USB dongle. After finding the internal IP address on the corporate network, the Incident Response Team (IRT) uses the Sysinternals tool PsExec to inject RawCap.exe onto the laptop and sniff the packets being exfiltrated through the 3G connection. The generated pcap file can be used to determine what the external 3G connection was used for.
- A computer is suspected to be infected with malware that uses an SSL tunnelling proxy (stunnel) to encrypt all Command-and-Control (C&C) communication. The data that is to be sent into the tunnel is first sent unencrypted to localhost (127.0.0.1, aka the loopback interface) before it enters the encrypted tunnel. Incident responders can use RawCap to sniff the traffic to/from localhost on the Windows OS, which is something other sniffing tools cannot do.
- A corporate laptop connected to the company's WPA2 encrypted WiFi is found to have suspicious TCP sessions opened to other computers on the same WiFi network. Incident responders can run RawCap locally on any of those machines in order to capture the WiFi network traffic to/from that machine in unencrypted form.
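The capture RawCap writes is an ordinary pcap file, so the triage step in the scenarios above (which flows touched 127.0.0.1, which went out to the Internet) can be scripted. The following is an added example, not code from the RawCap project: a minimal libpcap reader and flow counter in Python. The page does not state which link-layer type RawCap records, so the parser accepts both Ethernet (linktype 1) and raw IP (12 or 101); the sample capture it builds in `build_sample_pcap()` is constructed for the example and is not a real RawCap dump.

```python
"""Read a classic libpcap file (such as RawCap's dumpfile.pcap) and summarize IPv4 flows.

Added example: not part of RawCap. Link type handling is an assumption; the sample
capture built below is constructed data, not a real capture.
"""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW_IP = (12, 101)  # raw IP frames; libpcap builds disagree on which number is used


def parse_pcap(data):
    """Yield (timestamp, linktype, packet) for every record in a classic pcap file."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    # global header: magic, version major/minor, tz offset, sigfigs, snaplen, linktype
    _m, _maj, _min, _zone, _sig, _snap, linktype = struct.unpack(end + "IHHiIII", data[:24])
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        yield ts_sec + ts_usec / 1e6, linktype, pkt


def ipv4_payload(linktype, pkt):
    """Strip the link layer and return the IPv4 datagram, or None if the packet is not IPv4."""
    if linktype == LINKTYPE_ETHERNET:
        if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
            return None
        pkt = pkt[14:]
    elif linktype not in LINKTYPE_RAW_IP:
        return None
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    return pkt


def flow_key(ip):
    """Return (proto, src, sport, dst, dport); ports are None for non-TCP/UDP traffic."""
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {6: "tcp", 17: "udp"}.get(proto, str(proto)), src, sport, dst, dport


def summarize(data):
    """Count packets per flow; flows touching 127.0.0.0/8 are the loopback traffic RawCap can see."""
    flows, loopback = Counter(), Counter()
    for _ts, linktype, pkt in parse_pcap(data):
        ip = ipv4_payload(linktype, pkt)
        if ip is None:
            continue
        key = flow_key(ip)
        flows[key] += 1
        if key[1].startswith("127.") or key[3].startswith("127."):
            loopback[key] += 1
    return flows, loopback


# --- constructed sample input (checksums left zero; the reader does not verify them) ---
def _ipv4_tcp(src, dst, sport, dport, payload=b""):
    total = 20 + 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0)
    return hdr + tcp + payload


def build_sample_pcap(linktype=LINKTYPE_ETHERNET):
    """Two TCP segments: one to localhost (the stunnel scenario), one to an Internet host."""
    pkts = [
        _ipv4_tcp("127.0.0.1", "127.0.0.1", 49152, 8080, b"GET / HTTP/1.1\r\n"),
        _ipv4_tcp("192.168.0.47", "90.130.211.54", 50000, 443, b"\x16\x03\x01"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, ip in enumerate(pkts):
        frame = (b"\x00" * 12 + b"\x08\x00" + ip) if linktype == LINKTYPE_ETHERNET else ip
        out += struct.pack("<IIII", 1_300_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    flows, loopback = summarize(build_sample_pcap())
    for key, n in flows.items():
        print(n, key)
    print("loopback flows:", len(loopback))
```

To run it against a real capture, replace `build_sample_pcap()` with `open("dumpfile.pcap", "rb").read()`; the loopback counter is the list of local sessions that a normal NIC-level sniffer would never have shown.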
For Penetration Testers
RawCap was not designed for pen-testers, but I realize that there are some situations where the tool can come in handy when doing a penetration test. Here are some examples:
- After getting remote access and admin privileges on a Windows XP machine the pen-tester wants to sniff the network traffic of the machine in order to get hold of additional credentials. Sniffing tools like dumpcap, WinDump and NMCap can unfortunately not be used since no WinPcap or NDIS driver is installed. RawCap does, however, not require any special driver to be installed since it makes use of the Raw Sockets functionality built into Windows. Pen-testers can therefore run RawCap.exe to sniff traffic without installing any drivers.
- After getting admin on a box the pen-tester wants to sniff the network traffic, but the box uses a WiFi network and thus traditional sniffing tools won't work. This is when RawCap comes in handy, since it can sniff the WiFi traffic of the owned machine just as easily as if it had been an Ethernet NIC.
Download RawCap