{"id":51,"date":"2017-07-01T12:23:42","date_gmt":"2017-07-01T10:23:42","guid":{"rendered":"http:\/\/itsec.andreas-klingler.de\/?p=51"},"modified":"2026-05-24T10:40:27","modified_gmt":"2026-05-24T08:40:27","slug":"howto-man-in-the-middle-attack","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=51","title":{"rendered":"Sniffing and Traffic\/Packet analysis \/ <span class=\"caps\">IDS<\/span> Intrusion Detection"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=310\" data-type=\"post\" data-id=\"310\">See also the Wire\u00adshark&nbsp;post<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">PSnuffle<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Metas\u00adploit mod\u00adule; analyse the live traf\u00adfic for cre\u00adden\u00adtials of var\u00adi\u00adous protocols.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msf &gt; use auxiliary\/sniffer\/psnuffle<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">PCredz<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/lgandx\/PCredz\">PCredz<\/a> uses a <span class=\"caps\">PCAP<\/span> file and extracts hash\u00ades and oth\u00ader credentials.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pcredz -f dump.pcap<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Zeek<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/zeek\/zeek\">GitHub \u2014 zeek\/zeek: Zeek is a pow\u00ader\u00adful net\u00adwork analy\u00adsis frame\u00adwork that is much dif\u00adfer\u00adent from the typ\u00adi\u00adcal <span class=\"caps\">IDS<\/span> you may&nbsp;know.<\/a><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Pcap in pcaps-Verze\u00adich\u00adnis&nbsp;legen.<\/li>\n\n\n\n<li>Zeek in Dock\u00ader starten<\/li>\n\n\n\n<li>Analyse in logs nehmen und in <span class=\"caps\">LLM<\/span> leg\u00aden und analysieren lassen.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Dock\u00ader-Com\u00adpose:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># cat ..\/compose.yml\nservices:\n  zeek:\n    image: blacktop\/zeek:latest\n    container_name: zeek\n    restart: \"no\"\n\n    volumes:\n      - .\/pcaps:\/pcaps\n      - .\/logs:\/logs\n\n    entrypoint: \/bin\/sh\n    command:\n      - -c\n      - |\n        cd \/logs\n        zeek -C -r \/pcaps\/capture.pcapng LogAscii::use_json=T<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Guter Prompt:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Du bist ein Security Analyst.\n\nAnalysiere die folgenden Zeek-Logs aus einem PCAP\/PCAPNG auf m\u00f6gliche Sicherheitsprobleme.\n\nAchte besonders auf:\n\n- ungew\u00f6hnliche Verbindungen\n\n- Portscans\n\n- viele fehlgeschlagene Verbindungen\n\n- DNS-Auff\u00e4lligkeiten\n\n- HTTP-Klartext\n\n- verd\u00e4chtige User Agents\n\n- TLS\/SNI-Auff\u00e4lligkeiten\n\n- interne Hosts mit ungew\u00f6hnlichem Verhalten\n\n- Hinweise auf Malware, C2, Exfiltration oder Reconnaissance\n\nGib eine strukturierte Analyse aus mit:\n\n1. Kurzfazit\n\n2. Auff\u00e4lligkeiten\n\n3. Betroffene Hosts\n\n4. Schweregrad\n\n5. Begr\u00fcndung\n\n6. N\u00e4chste Untersuchungsschritte\n\nZeek-Logs:\n\n{{ $json.chatInput }}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Zed<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Arkime<\/h2>\n","protected":false},"excerpt":{"rendered":"<p>See also the Wire\u00adshark&nbsp;post PSnuf\u00adfle Metas\u00adploit mod\u00adule; analyse the live traf\u00adfic for cre\u00adden\u00adtials of var\u00adi\u00adous pro\u00adto\u00adcols. msf &gt; use auxiliary\/sniffer\/psnuffle PCredz PCredz uses a <span class=\"caps\">PCAP<\/span> file and extracts hash\u00ades and oth\u00ader cre\u00adden\u00adtials. pcredz \u2011f dump.pcap Zeek GitHub \u2014 zeek\/zeek: Zeek is a pow\u00ader\u00adful net\u00adwork analy\u00adsis frame\u00adwork that is much dif\u00adfer\u00adent from the typ\u00adi\u00adcal <span class=\"caps\">IDS<\/span>&nbsp;you&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[469,470],"tags":[15,479,190,18],"class_list":["post-51","post","type-post","status-publish","format-standard","hentry","category-passive-enum","category-active-enum","tag-man-in-the-middle","tag-pcredz","tag-psnuffle","tag-sniffing"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/51","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=51"}],"version-history":[{"count":12,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/51\/revisions"}],"predecessor-version":[{"id":4942,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/51\/revisions\/4942"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=51"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=51"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=51"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}