BruteShark: Free Network Forensic Analysis Program to View Traffic

BruteShark is a completely free tool for Windows that lets us perform network forensic analysis quickly and easily. This NFAT (Network Forensic Analysis Tool) performs deep inspection and processing of network traffic: it can work with PCAP files previously captured with programs such as Wireshark, or capture directly from a network interface, wired or wireless. In this article we show you all the features of this very interesting program and how it works.

Main features

The main characteristic of this program is that it lets us perform network forensic analysis on PCAP traffic captures, although it can also sniff all the traffic from the wired or WiFi network card, and it is compatible with Wireshark, the world’s most widely used protocol analyzer. Another important feature is that it extracts passwords sent in plain text from the captures automatically, without us having to inspect all the traffic in detail. We can also build a map of the network, rebuild TCP sessions, extract the hashes of encrypted passwords and even convert them to Hashcat format to later try to crack them with that program using an offline brute-force or dictionary attack.

BruteShark

The primary goal of BruteShark is to provide a comprehensive solution for IT security researchers and network and system administrators to identify potential problems, weaknesses and threats on the local network, and other security flaws that could lead to a future attack. The program comes in two clearly different versions: one with a graphical user interface for Windows, and a command-line version (run from a terminal) that works on both Windows and Linux. Of course, it can analyze the network traffic of Windows, Linux or macOS computers without any problem.

The program can extract and decode user names and passwords from protocols such as HTTP, FTP, Telnet, IMAP, SMTP and many others, that is, from any protocol that lacks end-to-end encryption, unlike HTTPS, FTPES, SSH and the like. It can also extract authentication hashes in Kerberos, NTLM, CRAM-MD5, HTTP-Digest and other formats, draw a visual network diagram with the users and the different network devices, extract all the DNS queries that were made (as long as DoH or DoT, which are encrypted, are not in use), reconstruct TCP and UDP sessions, carve files and even extract VoIP calls when the SIP and RTP protocols are used.

Now that we know all the features of this program, let’s see how it works in detail.

Download and install on Windows

If you want to install this program on Windows, you can download either of the two versions mentioned above, the graphical one or the command-line one.

The only prerequisite is to have WinPcap or Npcap installed; remember that if you have Wireshark installed, one of these two drivers is already present. You must also install the .NET Core Runtime in order to run it.

If you are going to install this program on a Linux system, you will need libpcap installed; then run the following commands:

# Prerequisite: create the libpcap.so symlink the program expects, pointing at the installed libpcap
find /usr/lib/x86_64-linux-gnu -type f | grep libpcap | head -1 | xargs -i sudo ln -s {} /usr/lib/x86_64-linux-gnu/libpcap.so

# Download the command-line build, make it executable (wget does not set the execute bit) and run it
wget https://github.com/odedshimon/BruteShark/releases/latest/download/BruteSharkCli
chmod +x BruteSharkCli
./BruteSharkCli

Once installed, we run it; remember that the graphical user interface is only available on Windows, while on Linux we have to work from the command line.

How BruteShark works

The program works in a really simple way: first we load a PCAP file, and then we analyze the file or files we have loaded. We also have the ability to rebuild TCP and UDP sessions, and even to start a network capture directly. If you don’t have any capture to analyze, you can capture with this program instead of capturing with Wireshark, exporting to PCAP and later importing it here. This way we do everything with a single program, which is much easier.

In the left part of the program we can see the user credentials found in the network traffic: both passwords in plain text (if unencrypted protocols were used) and the hashes, if Kerberos, NTLM or the other protocols discussed above were used. In this section we can also see the network diagram, the sessions carried out, the DNS requests and, finally, the files it has carved and the VoIP calls, if there were any.

If we want to capture network traffic from any of the network interfaces, BruteShark must be run with administrator permissions; otherwise, it will not even list the wired and WiFi network cards in our computer.

We must also bear in mind that, if we are going to use Wireshark, we must export the captures in PCAP format and not in PCAPNG, which is the default, because otherwise the program reports an error when loading the file. We have two options: either save as PCAP from Wireshark, or use the tshark program from the command line.
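As an added example (not BruteShark’s own code) of two points above, the PCAP/PCAPNG gotcha and the plaintext credentials the tool reports: this Python tells classic pcap from pcapng by the file’s magic bytes, and for a classic pcap walks the records and pulls FTP USER/PASS lines out of the TCP payloads. The capture is constructed inside the script (LINKTYPE_RAW, so packets start at the IPv4 header); it is not a real capture, and the addresses and login are made up.

```python
import struct

# pcap magic (read little-endian) -> byte order of the file; pcapng files instead start with their SHB type
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}
PCAPNG_SHB = 0x0A0D0D0A
LINKTYPE_RAW = 101  # packets start at the IPv4 header (keeps the constructed sample small)

def detect_format(data: bytes) -> str:
    """Classify a capture by its first four bytes: 'pcap', 'pcapng' or 'unknown'."""
    magic = struct.unpack("<I", data[:4])[0] if len(data) >= 4 else None
    return "pcapng" if magic == PCAPNG_SHB else "pcap" if magic in PCAP_MAGICS else "unknown"

def packets(data: bytes):
    """Yield (linktype, packet_bytes) from a classic pcap file; anything else is rejected."""
    if detect_format(data) != "pcap":
        raise ValueError("not a classic pcap file (convert pcapng with: tshark -r in.pcapng -F pcap -w out.pcap)")
    endian = PCAP_MAGICS[struct.unpack("<I", data[:4])[0]]
    linktype = struct.unpack(endian + "I", data[20:24])[0]   # 'network' field of the global header
    off = 24
    while off + 16 <= len(data):                             # 16-byte record header per packet
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len

def ftp_credentials(data: bytes) -> list:
    """Collect FTP USER/PASS lines from TCP payloads, as a plaintext-protocol sniffer does."""
    found = []
    for linktype, pkt in packets(data):
        if linktype != LINKTYPE_RAW or pkt[9] != 6:   # IPv4 protocol field: 6 = TCP
            continue
        tcp = pkt[(pkt[0] & 0x0F) * 4:]               # skip IPv4 header (IHL in 32-bit words)
        payload = tcp[(tcp[12] >> 4) * 4:]            # skip TCP header (data offset in words)
        for line in payload.split(b"\r\n"):
            if line[:5] in (b"USER ", b"PASS "):
                found.append(line.decode("ascii", "replace"))
    return found

def sample_pcap() -> bytes:
    """Constructed little-endian pcap with one FTP login over raw IPv4/TCP; not a real capture."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for payload in (b"USER alice\r\n", b"PASS hunter2\r\n"):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                         bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))  # checksum left zero
        tcp = struct.pack("!HHIIBBHHH", 40000, 21, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        pkt = ip + tcp + payload
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt  # record header + packet
    return out
```

Running detect_format on a real file before loading it into BruteShark avoids the PCAPNG error described above; the FTP pass shows why a capture of unencrypted protocols is itself sensitive evidence.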

When we open a compatible PCAP capture, we click on “Analyze Files” and it starts analyzing; this can take from a few seconds to a few hours, depending on the size of the capture BruteShark has to process.

In our case we only used DNS and HTTPS connections, so it captured neither passwords nor password hashes, since Kerberos and NTLM were not in use. What we can see is the network map of all the requests made.

We can also see all the sessions that have been made from our computer, with their corresponding source and destination IP address, as well as source port and destination port.

Finally, we can see all the DNS requests that have been made during the data capture, for example, our website, American Express, Interactive Brokers and many others that you can see below:

As you have seen, using this program to extract credentials and DNS requests, view the network map and sessions, and even view carved files or information about VoIP calls is really easy. The same information could be obtained by examining the Wireshark capture, but that takes longer without the right display filters, so BruteShark makes the job a lot easier for us.