PCAPeek

Category: Remote control / remote desktop
Development tool: Go
File size: 28KB
Downloads: 0
Upload date: 2023-05-21 17:13:42
Uploader: sh-1993
Description: A proof-of-concept re-assembler for reverse VNC traffic.

File list:
LICENCE.txt (13829, 2023-05-22)
application (0, 2023-05-22)
application\factory.go (1443, 2023-05-22)
application\reverse (0, 2023-05-22)
application\reverse\factory.go (854, 2023-05-22)
application\rfb (0, 2023-05-22)
application\rfb\factory.go (1874, 2023-05-22)
application\rfb\messages.go (8520, 2023-05-22)
application\rfb\stream.go (9910, 2023-05-22)
application\stream.go (1659, 2023-05-22)
go.mod (428, 2023-05-22)
go.sum (3136, 2023-05-22)
output (0, 2023-05-22)
output\files (0, 2023-05-22)
output\files\binary (0, 2023-05-22)
output\files\binary\factory.go (345, 2023-05-22)
output\files\binary\stream.go (518, 2023-05-22)
output\files\factory.go (164, 2023-05-22)
output\files\fork (0, 2023-05-22)
output\files\fork\factory.go (375, 2023-05-22)
output\files\fork\stream.go (569, 2023-05-22)
output\media (0, 2023-05-22)
output\media\factory.go (174, 2023-05-22)
output\media\fork (0, 2023-05-22)
output\media\fork\factory.go (375, 2023-05-22)
output\media\fork\stream.go (489, 2023-05-22)
output\media\jpeg (0, 2023-05-22)
output\media\jpeg\factory.go (479, 2023-05-22)
output\media\jpeg\stream.go (1290, 2023-05-22)
output\media\mjpeg (0, 2023-05-22)
output\media\mjpeg\factory.go (480, 2023-05-22)
output\media\mjpeg\stream.go (1535, 2023-05-22)
pcapeek.go (4312, 2023-05-22)
transport (0, 2023-05-22)
transport\tcp (0, 2023-05-22)
transport\tcp\marshaller.go (3613, 2023-05-22)
transport\tcp\stream.go (2003, 2023-05-22)
... ...

# PCAPeek

A proof-of-concept re-assembler for reverse VNC traffic such as [IcedID & Qakbot's VNC Backdoors](https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/). Do note that, as a PoC, PCAPeek offers no guarantees on backwards compatibility and might be modified in the future to support additional protocols.

## Installation

This utility depends on [Npcap](https://npcap.com/#download) for PCAP parsing, which you likely already have installed if you have [Wireshark](https://www.wireshark.org/). To download and build this utility using the [Go programming language](https://go.dev/), simply run:

```bash
go install github.com/0xThiebaut/PCAPeek@latest
```

## Usage

To see the available options, use the `--help` flag.

```bash
PCAPeek --help
```

```
PCAPeek is a tool to peek into PCAPs. It doesn't do much besides acting as a proof of concept to reconstruct reverse VNC traffic.

Usage:
  PCAPeek PCAP [PCAP ...] [flags]

Flags:
      --files                Output clipboard files
      --files-dir string     The output directory for the clipboard files (default "./")
      --filter string        A BPF filter to apply on the PCAPs
  -h, --help                 help for PCAPeek
      --jpeg                 Output JPEG frames
      --jpeg-dir string      The output directory for the JPEG frames (default "./")
      --jpeg-fps int         The number of JPEG frames to output per second (default 0, outputs all frames)
      --jpeg-quality int     The JPEG frame quality percentage (default 100)
      --mjpeg                Output MJPEG videos
      --mjpeg-dir string     The output directory for the MJPEG videos (default "./")
      --mjpeg-fps int        The number of MJPEG frames to output per second (default 10)
      --mjpeg-quality int    The MJPEG video quality percentage (default 100)
```

## Thanks

Thanks to [Brad Duncan (Malware-Traffic-Analysis.net)](https://malware-traffic-analysis.net/) and [Erik Hjelmvik (NETRESEC)](https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol) for their extensive research on IcedID and its BackConnect protocol.
