File2pcap 1.25 released 05/30/2017 07:45
Posted by: warlord
The folks over at Talos have a nice blog post on a much updated version of file2pcap, including a link over to their Github repo:

Blog:
http://blog.talosintelligence.com/2017/05/file2pcap.html#more

Github:
https://github.com/Cisco-Talos/file2pcap/releases

If you're using file2pcap, check out the new and much improved version.

Downtime 05/12/2016 02:24
Posted by: warlord
Nologin.org experienced some downtime and had to be restored from a really old backup. I'm in the process of updating files that went missing.

REPOST: File2pcap updated - v 1.0 05/12/2016 02:22
Posted by: warlord
Original date of post: 07/27/2015 02:38

file2pcap
v 1.0

This handy utility takes any sort of input file and creates a pcap showing that file being downloaded from a remote web server, or being transferred via smtp/pop3/imap. The pcap is a full TCP stream from SYN to FIN, with correct sequence numbers and checksums throughout.
File2pcap now also supports quoted-mime encoding (experimental) in addition to the default MIME (base64) encoding.
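To make concrete what "a full TCP stream from SYN to FIN with correct sequence numbers and checksums" has to contain, here is an added example, written for this page and not file2pcap's own code. It builds the HTTP download case in pure Python (no scapy): three-way handshake, GET request, a 200 response carrying the file split into MSS-sized segments, client ACKs, and an orderly FIN close, then writes a classic pcap that Wireshark or an IDS can read for offline rule testing. The IPs, MACs, ports, timestamps and file contents are constructed placeholders.

```python
"""Synthetic HTTP-download pcap with a consistent TCP stream (added example)."""
import socket
import struct

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10
MSS = 1460                                   # payload bytes per server segment
CLIENT_MAC = bytes.fromhex("020000000002")   # constructed, locally administered
SERVER_MAC = bytes.fromhex("020000000001")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: fold the 16-bit one's-complement sum, then invert."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, dst, seq, ack, flags, payload=b"", client_to_server=True):
    """Ethernet + IPv4 + TCP frame; src and dst are (ip, port) tuples."""
    src_ip, dst_ip = socket.inet_aton(src[0]), socket.inet_aton(dst[0])
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, flags, 65535, 0, 0)
    # TCP checksum covers the pseudo-header, the header and the payload
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    smac, dmac = (CLIENT_MAC, SERVER_MAC) if client_to_server else (SERVER_MAC, CLIENT_MAC)
    return dmac + smac + b"\x08\x00" + ip + tcp + payload


class TcpFlow:
    """Tracks both sides' next sequence number so every segment is consistent."""

    def __init__(self, client, server, client_isn=1000, server_isn=5000):
        self.client, self.server = client, server
        self.next_seq = {client: client_isn, server: server_isn}
        self.frames = []

    def send(self, sender, flags, payload=b""):
        receiver = self.server if sender == self.client else self.client
        seq = self.next_seq[sender]
        ack = self.next_seq[receiver] if flags & ACK else 0
        self.frames.append(build_frame(sender, receiver, seq, ack, flags, payload,
                                       client_to_server=(sender == self.client)))
        # SYN and FIN each consume one sequence number; data consumes its length
        self.next_seq[sender] += len(payload) + (1 if flags & (SYN | FIN) else 0)


def http_download_frames(filename, content, client=("10.0.0.2", 40123), server=("10.0.0.1", 80)):
    """Whole conversation: handshake, GET, segmented 200 response, orderly close."""
    flow = TcpFlow(client, server)
    flow.send(client, SYN)
    flow.send(server, SYN | ACK)
    flow.send(client, ACK)
    request = ("GET /%s HTTP/1.1\r\nHost: %s\r\nUser-Agent: pcap-example\r\n\r\n"
               % (filename, server[0])).encode()
    flow.send(client, PSH | ACK, request)
    flow.send(server, ACK)
    response = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                "Content-Length: %d\r\nConnection: close\r\n\r\n" % len(content)).encode() + content
    for off in range(0, len(response), MSS):
        last = off + MSS >= len(response)
        flow.send(server, (PSH | ACK) if last else ACK, response[off:off + MSS])
        flow.send(client, ACK)                      # client acknowledges each segment
    flow.send(server, FIN | ACK)                    # server closes first (Connection: close)
    flow.send(client, ACK)
    flow.send(client, FIN | ACK)
    flow.send(server, ACK)
    return flow.frames


def write_pcap(frames, path, start_ts=1_000_000_000.0):
    """Classic pcap: magic 0xa1b2c3d4, version 2.4, linktype 1 (Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            ts = start_ts + i * 0.001               # constructed timestamps, 1 ms apart
            f.write(struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)))
            f.write(frame)


def verify_frame(frame):
    """Recompute checksums; returns (ip_ok, tcp_ok, tcp_flags, payload)."""
    ip, seg = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return (ones_complement_sum(ip) == 0, ones_complement_sum(pseudo + seg) == 0, seg[13], seg[20:])


if __name__ == "__main__":
    sample = b"%PDF-1.4 constructed sample content\n" * 100   # stand-in for malware.pdf
    frames = http_download_frames("malware.pdf", sample)
    write_pcap(frames, "download.pcap")
    print(len(frames), "frames; all checksums valid:",
          all(verify_frame(f)[0] and verify_frame(f)[1] for f in frames))
```

Run it and open download.pcap in Wireshark: "Follow TCP Stream" shows the request and the reassembled response, and no checksum or sequence-analysis warnings appear, which is the property an IDS needs before it will reassemble and inspect the transferred file.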

REPOST: File2pcap updated - now supports pop3/imap/smtp 05/12/2016 02:21
Posted by: warlord
Original date of post: 12/04/2014 06:56

I just posted the updated version 0.95 of file2pcap. The tool now also creates pcaps of files being transferred as email attachments via smtp/pop3/imap, in addition to the original functionality of creating pcaps that show a file being downloaded from an http server.


file2pcap - written by warlord / nologin.org
Version: 0.95
Takes a file as input and creates a pcap showing a client grabbing that file from a webserver or transferring it by email (smtp/pop3/imap).

Options:
-m mode          h - http / s - smtp / p - pop3 / i - imap [default: http]
-o outfile       output filename
-p port[:port]   specify source and/or destination port; -p 1234:80 will show a tcp connection from port 1234 to port 80

Usage:
./file2pcap [options] infile

Example:
./file2pcap malware.pdf
./file2pcap -mshp malware.pdf
./file2pcap -mi malware.pdf -o outfile.pcap

REPOST: Poison updated to 1.5.41 05/12/2016 02:20
Posted by: warlord
Original date of post: 09/18/2014 05:34

I had to release a bugfix here. Poison 1.5.4 had a minor change in how it determines its own source IP address. As a result that code broke when scanning hostnames, or ranges of hostnames. So while poison 1.5.3 would happily scan google.com/24, version 1.5.4 would not. This has now been fixed. Don't ask how this could have possibly evaded me.