BruteShark: Comprehensive Guide to a Powerful Network Forensics Analysis Tool

About BruteShark

BruteShark is a powerful Network Forensics Analysis Tool (NFAT). With the help of this tool, researchers can easily perform in-depth processing and examination of network traffic (primarily PCAP files, but it can also capture live traffic directly from network interfaces). The main features of this tool include password extraction, network mapping construction, TCP session reconstruction, and extracting encrypted password hashes. The tool’s settings also allow converting extracted encrypted password hashes to Hashcat format for brute force testing.

The main goal of the tool is to provide security solutions for security researchers and network administrators responsible for network traffic analysis, while also identifying potential network security weaknesses.

Currently, BruteShark offers two available versions: a GUI-based application (Windows) and a command-line tool (Windows and Linux).

Besides, many projects and components provided within this solution can be used independently as infrastructure for analyzing network traffic on Linux or Windows.

BruteShark Features Introduction

1. Extract and encode usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP, etc.);2. Extract authentication hashes and use Hashcat for cracking (Kerberos, NTLM, CRAM-MD5, HTTP Digest…);3. Construct visual network topology maps (including network nodes, open ports, domain users, etc.);4. Extract DNS queries;5. Reconstruct all TCP & UDP sessions;6. File splitting;7. Extract VoIP calls (SIP, RTP);

BruteShark Tool Download

BruteShark: Windows

First, we need to download and install the following dependencies:

1. Npcap driver (installed by default after installing the latest version of Wireshark);2. .NET Core Runtime

Desktop version: BruteSharkDesktop Windows Installation Package (64 Bit)

Command-line tool version: BruteSharkCli Windows 10 Executable

Linux: BruteShark

First, we need to download and install the following dependencies:

1. libpcap driver

Next, use the following command to download BruteSharkCli:

Code language: javascriptCopy

wget https://github.com/odedshimon/BruteShark/releases/latest/download/BruteSharkCli./BruteSharkCli

BruteShark Tool Usage

Using the BruteSharkDesktop desktop client is quite simple, just operate according to the illustrated interface. We mainly introduce the usage of the BruteSharkCli command-line tool.

Print help menu:

Code language: javascriptCopy

BruteSharkCli --help

Obtain credential data from all files in the directory. Passwords and hashes will be printed to stdout:

Code language: javascriptCopy

BruteSharkCli -m Credentials -d "C:\Users\King\Desktop\Pcap Files"

Obtain credential data from all files in the directory, and export extracted hashes to a Hashcat input file:

Code language: javascriptCopy

BruteSharkCli -m Credentials,NetworkMap,FileExtracting -d C:\Users\King\Desktop\Pcap_Examples -o C:\Users\King\Desktop\Results

Run multiple feature modules on all files in the directory and export all results:

Code language: javascriptCopy

BruteSharkCli -m Credentials,NetworkMap,FileExtracting -d C:\Users\King\Desktop\Pcap_Examples -o C:\Users\King\Desktop\Results

Sniff an interface named “Wi-Fi”, run multiple modules, and then export all results to a directory (results are only exported after pressing CTRL+C to stop sniffing):

Code language: javascriptCopy

BruteSharkCli -l Wi-Fi -m Credentials,NetworkMap,FileExtracting,DNS -o C:\Users\King\Desktop\Test Export

Tool Operation Screenshots

Hash Extraction

BruteShark

Construct Network Topology Map

BruteShark

File Splitting

Password Extraction

Reconstruct All TCP Sessions

Extract VoIP Calls

Tool Demo Videos

Build a network map:

BruteSharkCli usage example – extracting multiple passwords and hashes:

Project Address

https://github.com/odedshimon/BruteShark