Tuesday, April 3, 2012

CapLoader 1.0

I've been playing with a beta of this product for the past month or so.

Straight from Erik's writeup:
Here are the main features of CapLoader:
• Fast loading of multi-gigabyte PCAP files (1 GB loads in less than 2 minutes on a standard PC and even faster on multi-core machines).
• GUI presentation of all TCP and UDP flows in the loaded PCAP files.
• Automatic identification of application layer protocols without relying on port numbers.
• Extremely fast drill-down functionality to open packets from one or multiple selected flows.
• Possibility to export packets from selected flows to a new PCAP file or directly open them in external tools like Wireshark and NetworkMiner.


These were observations on the beta versions; they may have been fixed since then:

I found 2 minor glitches when testing the beta and have reported them to Erik. One he found was due to out-of-whack timestamps in a random pcap I'd found on the internet, and the other had to do with the Empty Flows on a 750 MB file that was mostly Empty Flows. For me the Empty Flow option was just something I tested, not something I'd use in what I do on a regular basis.

Overall a very sweet and fast product. I dumped a lot of 750 MB files into it and played around with it over the course of many days in a month. I wish I could get Satori to process files this quick!

Anyway, after processing the file(s), I clicked on the flow I wanted, dragged and dropped it into Wireshark and got what I was after. So much easier than loading a 750 MB file into Wireshark (if it would ever load in the first place and not just die) and then writing filter after filter and watching it process the whole file repeatedly. Instead, pick the next flow I was after and drag it into Wireshark!
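As an added example (not CapLoader's code and not from Erik's writeup), here is the flow-index-then-export step in Python: one pass over a pcap groups packets into direction-independent TCP/UDP flows, and a selected flow is written out as a new pcap, which is what the drag-a-flow-into-Wireshark workflow above amounts to. The three-packet capture is constructed inline (little-endian pcap, Ethernet linktype, zeroed MACs and checksums), so it runs offline.

```python
import struct
from collections import defaultdict
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, version, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def build_frame(src, dst, sport, dport, proto, payload=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame used as sample input (not a real capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))  # min TCP / UDP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4 + payload

def write_pcap(records):
    """Serialise [(ts_sec, frame), ...] as a little-endian pcap (linktype 1 = Ethernet)."""
    out = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += REC_HDR.pack(ts, 0, len(frame), len(frame)) + frame
    return out

def index_flows(pcap_bytes):
    """One pass over the pcap -> {flow_key: [(ts_sec, frame), ...]}. The key is a
    direction-independent (proto, ip, port, ip, port) tuple, so both halves of a
    conversation land in the same flow, as a flow-oriented tool presents them."""
    flows = defaultdict(list)
    off = GLOBAL_HDR.size
    while off + REC_HDR.size <= len(pcap_bytes):
        ts, _, caplen, _ = REC_HDR.unpack_from(pcap_bytes, off)
        off += REC_HDR.size
        frame = pcap_bytes[off:off + caplen]
        off += caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
            continue  # only TCP/UDP carry ports
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        a, b = (frame[26:30], sport), (frame[30:34], dport)
        flows[(proto,) + (a + b if a <= b else b + a)].append((ts, frame))
    return flows

def export_flow(flows, key):
    """Drill-down step: write only the selected flow's packets to a new pcap."""
    return write_pcap(flows[key])

def sample_pcap():
    """Constructed three-packet capture: one TCP conversation plus one UDP datagram."""
    return write_pcap([(1, build_frame("10.0.0.1", "10.0.0.2", 40000, 80, 6)),
                       (2, build_frame("10.0.0.2", "10.0.0.1", 80, 40000, 6)),
                       (3, build_frame("10.0.0.1", "10.0.0.3", 5353, 53, 17, b"\x00" * 12))])
```

The exported bytes can be saved to a file and opened directly in Wireshark or NetworkMiner; on a real multi-gigabyte capture the same index lets you pull out one flow without re-filtering the whole file each time.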

The protocol fingerprinting database got a large overhaul between the 2 betas I tested. I can't say how accurate the determination is as I have not had a chance to sit down and look deeply into it, but I know it is something I want to look at closer in the future.

Microsoft Tokens, Hashes and lots more

Ok, so nothing to do with fingerprinting, but it has been very interesting reading through this series:

#1 - Protecting Privileged Domain Accounts: Safeguarding Password Hashes

#2 - Protecting Privileged Domain Accounts: LM Hashes -- The Good, the Bad, and the Ugly

#3 - Protecting Privileged Domain Accounts: Disabling Encrypted Passwords

#4 - Protecting Privileged Domain Accounts: Safeguarding Access Tokens