Kali Linux

Prepare Kali Image

This part covers basic setup of Kali Linux, you can skip this if you already have a configured installation.

Grab a fresh Kali image from: https://www.kali.org/downloads/

Be careful with old kali images where you log in as the root user, and your default shell is still bash and not zshell, you will need to adjust the commands slightly.

If you are using a virtual machine, make sure to supply sufficient resources. Maltego and Netcap are both resource intensive programs, so plan accordingly. It is possible to run on smaller files (10-50MB) and analyse simple graphs with a two core / 2GB RAM VM, but its not a pleasant experience and might crash if you run a larger set of transforms at the same time. I recommend at least 4 cores and 4-8GB RAM, but avoid allocating more than half of your host system resources.

After logging in with the default user kali and password kali, open a terminal prompt.

Set language for your keyboard (add to ~/.zshrc to persist), I've chosen the German layout here:

$ setxkbmap de

Update to latest version of Kali:

$ apt update
$ apt upgrade -y

In case you are using a VMWare machine, ensure to update open-vm-tools-desktop and fuse, so that the shared clipboard and mounting volumes works:

$ sudo apt update
$ sudo apt install -y --reinstall open-vm-tools-desktop fuse
$ sudo reboot -f

Configure any volumes you want to mount and use the script provided by the kali authors to mount it:

$ cat <<EOF | sudo tee /usr/local/sbin/mount-shared-folders
#!/bin/sh
vmware-hgfsclient | while read folder; do
  vmwpath="/mnt/hgfs/\${folder}"
  echo "[i] Mounting \${folder}   (\${vmwpath})"
  sudo mkdir -p "\${vmwpath}"
  sudo umount -f "\${vmwpath}" 2>/dev/null
  sudo vmhgfs-fuse -o allow_other -o auto_unmount ".host:/\${folder}" "\${vmwpath}"
done
sleep 2s
EOF
$ sudo chmod +x /usr/local/sbin/mount-shared-folders
$ sudo mount-shared-folders
[i] Mounting PCAPs   (/mnt/hgfs/PCAPs)

Install NETCAP

You have two options: install a binary release, or compile from source.

Install binary release

Download the latest release: https://github.com/dreadl0ck/netcap/releases

Compile from source

Install Go

I recommend to install Go via snap on debian systems, the aptitude packages are often outdated.

add the following directories as a prefix to your PATH in the ~/.zshrc file (optionally as well to /root/.zshrc):

Optional: To have the correct PATH with all binaries produced by the go compiler and netcap when using sudo as well, update the secure_path override using:

Source the rc file and verify the go compiler binary is found by the shell:

Install Dependencies

We need the libpcap development headers:

now its time to fetch the NETCAP source code and use the build scripts to compile.

You have two options again: Build with bindings for DPI or compile without.

Compiling with the DPI bindings will dynamilly load libndpi and libprotoident at runtime, and therefore these have to be installed on the system.

If you do not need the DPI functioniality for now, you can simply compile netcap without.

The scripts will also invoke setcap to give the netcap binary permissions to attach to a network interface for live capture.

Compile with DPI

This will fetch and compile libprotoident and DPI, and then compile NETCAP. The DPI libs are pretty big and compilation will take 10-20mins depending on your hardware. Time to get a coffee.

Compile without DPI

Either way, you should now have the net binary in your PATH, verify by running:

Tab completion

Run the following to install the tab completion on your system and enable it for the current shell:

To persist it, append the following at the end of your ~/.zshrc and /root/.zshrc files:

Databases

To fetch the netcap databases for data enrichment, first install the git large file storage extension:

Create the filesystem path and ensure the permissions are correct for the kali user:

Now you can use the following command to clone the latest version of the database repository from https://github.com/dreadl0ck/netcap-dbs to the correct place on the filesystem. The tool will ask for confirmation before starting the download and displays the expected file size:

Now that you have the databases, you are good to go.

Remember you can update them using the following command, from any location on the filesystem:

The databases are rebuilt from their sources daily at midnight.

You can read more about the resolvers that make use of the DBs here:

Maltego

Start Maltego, register an account for the community edition and authenticate.

Next, load the netcap configuration for Maltego, by switching to the Import | Export Tab and hit Import Config

If you installed from source, navigate to the following path and load the maltego.mtz configuration archive: /home/kali/go/src/github.com/dreadl0ck/netcap/maltego

Otherwise, just download the latest version from github.com: https://github.com/dreadl0ck/netcap/raw/master/maltego/netcap.mtz

Configuring the file type matcher preference

In order for Maltego to sucessfully detect the type of files you copy and paste into it, we need to disable using the generic maltego.Phrase matcher, because it will always match first. Select Manage Entities, search for the Phrase entity, edit it by clicking on the three little dots and deselect the shown checkbox in the Advanced Settings:

Make sure the changes are saved by hitting OK. Now you should be able to copy and paste files into Maltego as described below.

Importing PCAP or audit record files via Copy and Paste

Drag and Drop of entities does not seem possible for Maltego on Kali yet (it works on macOS), so the most convenient way to load a PCAP file into Maltego is by selecting the file in the file explorer, hit Ctrl-C or CMD-C (VMWare on macOS) to copy the path to the clipboard, and then paste that path directly into a Maltego graph.

The NETCAP configuration registered regular expressions to handle files that end on pcap or pcapng, so these should be detected as a netcap.PCAP entity automatically. The same should work as well for .ncap and .ncap.gz audit record files.

If sucessful, the imported entity should look like this:

Importing PCAP files into Maltego manually

Alternatively to importing files by copy and paste, you can add new entity of type netcap.PCAP to the graph manually, then double click it and set the mandatory field containing the path of the PCAP file on disk.

Double click the file, switch to the Properties Tab and set a name and file path:

Either way, after importing the file executing a right click should show you the following NETCAP transforms:

Running the To Audit Records [NETCAP] transform will start NETCAP to process the pcap file!

Afterwards, you should see audit records in Maltego:

Clone the exploitdb repository, so the transforms for opening them work:

Installing IDA

For the 'Open File in Disassembler' transform to open extracted binary files in the IDA dissassembler to work, we need to install IDA, or move your existing installation to the expected place on the filesystem.

To install, grab a download link from: https://hex-rays.com/ida-free/#download

At the time of this writing it is: https://out7.hex-rays.com/files/idafree76_linux.run

Next, add /usr/local/bin/ida to your PATH in ~/.zshrc:

Move the downloaded files there and source the ~/.zshrc:

Utils

Optional, but very useful to inspect data generated by netcap on the commandline are tree and batcat, you can install them with:

For example, you can inspect extracted TCP streams with ANSI colors using batcat. Everything that is colored in red has been transferred by the client, everything in blue is from the server, just like in wireshark.

Enter a directory with netcap audit records where the capture tool was executed the -conns flag (enabled by default) and run:

Tip: use batcat -A to view binary connection data in the terminal

Lets examine the tree command output to understand what files and directories are produced by NETCAP. Move into a directory that was created as output by the capture tool (-out flag, defaults to current directory) and run:

You can see there are two different file types on the top level:

• .log

Log files from different components of NETCAP, for diagnostic purposes. The main log file netcap.log always contains the log output that was written to the console when the NETCAP engine was executed.

• .ncap.gz

NETCAP audit records compressed with gzip. In order to read them, you need to use the net dump sub command, e.g:

The following directories can be generated, depending on the configuration:

• files (or custom name, provided via -fileStorage flag, default name is files)

The output directory of the files extracted from network connections, structured according to the detected content MIME type.

• tcp (generated when -conns flag is set, enabled by default)

Extracted TCP connection data, structured based on the service names obtained by looking up the used port numbers in the IANA database. Colorized with ANSI escape sequences, red is client, blue is server.

• udp (generated when -conns flag is set, enabled by default)

Extracted UDP connection data, structured based on the service names obtained by looking up the used port numbers in the IANA database. Colorized with ANSI escape sequences, red is client, blue is server.

Also codium is a nice IDE and text editor to inspect source code: