RawCap..very nice simple tool for Incident Responder

Sniffing the target under question using wireshark with winpcap installed or port mirroring for sniffing is a little headache which can very well be avoided. In a larger companies we have Regional analysts who would help us getting this done but however it takes some time to get it done.

When an incident is identified, notifying regional analyst and get the pcaps sent to us takes atleast 12 hours which is nonsense. Also its difficult for small companies where machines are spread around and you yourself has to do everything. A nice little tool of Rawcap where we can inject remotely using psexec that doesnt need any external libraries like winpcap and the best part is it is 17 KB.

E:\Security\Software\Sysinternals>rawcap 192.168.1.2 sniff.pcap
Sniffing IP : 192.168.1.2
File : sniff.pcap
Packets : 211^C

Advertisements

About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.
This entry was posted in Articles, Notes. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s