45 replies to this topic

[homes32]

G'day mates!

Introducing the all new shiny fuel efficient script....
Wireshark network/packet monitor with Winpcap library included.

Requirements:

• as of version 4 Winbuilder 077 RC1 or higher is need for some script features.
• network support in your project
• an internet connection for auto download.
• if your going to capture a lot of traffic you are going to need plenty of RAM in PE to store the data. captures can quickly reach 100+MB on large/busy networks.

This script was painstakingly made to be cross-project compatible and is confirmed working with:

• VistaPE
• LiveXP

obviously since this is a network capture utility you need network support enabled and the correct drivers installed for your hardware for this to work so please make sure this is the case BEFORE reporting any bugs.

enjoy!

-homes32

Download Here: Wireshark

Changes in v11

• Updated Wireshark to 1.2.7

full version history

[Brito]

Thank you very much for the script, I remember my own troubles to get WinPcap working so I understand and respect your effort in making this program possible for a PE environment.

I'm a wireshark fan myself, it's without doubt the best way to know what's happening when things go wrong at your LAN with no obvious reason.

[Lancelot]

Thank you
will try as soon as i can

[Lancelot]

hi homes32


I confirm with LiveXP packets capturing , thank you a loooooooot

[homes32]

Thank you very much for the script, I remember my own troubles to get WinPcap working so I understand and respect your effort in making this program possible for a PE environment.

Thanks!

I confirm with LiveXP packets capturing , thank you a loooooooot

thanks for double checking for me! Hopefully you find it useful.

[Gitarrero]

Well, I've tested your script:

- winbuilder 076; vistaPE v12 RC1
- script placed in projects > vistape-core > app > network
- OS vista business sp1; waik 1.1 installed
- wireshark 1.0.7 installed to c:\program files\wireshark
- winpcap installed to c:\program files\winpcap
-- select folder to wireshark
-- check "yes, install winpcap 4.0.2"

result: nothing happens! no icons, no folders ..

.. what can i do`?

[homes32]

Well, I've tested your script:

- winbuilder 076; vistaPE v12 RC1
- script placed in projects > vistape-core > app > network
- OS vista business sp1; waik 1.1 installed
- wireshark 1.0.7 installed to c:\program files\wireshark
- winpcap installed to c:\program files\winpcap
-- select folder to wireshark
-- check "yes, install winpcap 4.0.2"

result: nothing happens! no icons, no folders ..

.. what can i do`?

post your build log, and please wrap it in code tags.

[Gitarrero]

unfortunately i get an error .. that's why i upload the logfile

Attached Files

•  log.7z   70.51KB   619 downloads

[homes32]

unfortunately i get an error .. that's why i upload the logfile

posted log files are even better! much easier to see what is going on.

bugger. looks like I need to add some formatting checks for the path string.
will fix sometime today.
for now remove the "\" from the end of your path in the folder selection box and you should get a good build.

* Edit *

Fixed! thanks for the heads up!

[Gitarrero]

posted log files are even better! much easier to see what is going on.

.. sorry, i mean the error, that i can't post my logfile .. it seems that it's to long

well .. i've still the same problem with v3 .. there is no wireshark or winpcap-folder and no icons in my final build

i don't no why .. i have installed wireshark 1.0.7, i have installed winpcap 4.0.2 .. your script is placed in app > network .. i use vistape 12 rc1 .. the build is created successfully ..

maybe there is something else required?

[homes32]

.. sorry, i mean the error, that i can't post my logfile .. it seems that it's to long

well .. i've still the same problem with v3 .. there is no wireshark or winpcap-folder and no icons in my final build

i don't no why .. i have installed wireshark 1.0.7, i have installed winpcap 4.0.2 .. your script is placed in app > network .. i use vistape 12 rc1 .. the build is created successfully ..

maybe there is something else required?

sorry. I meant that I like your log.7z much better. it is easier to read than if you would have just pasted the text on here.
how bout posing you log after building with v3 so I can see what is going on.

from what it looked like in v2 it was doing this.

%API%,CopyProgram.... DirCopy - Copied directory [C:\Program Files\Wireshark\\*.*] to: [%BaseDir%\Target\VistaPE-Core\Programs\wireshark]

notice the trailing \ on the end of the dir to copy? that is what looks like caused your problem the 1st time. I have added code to reformat the string in v3.


it is strange that you don't have folders though, as your log says they were created.

[hectorma]

very thanks for script. This crash for me when i open this. Wireshark open and i pick in open interfaces and wireshark is closed. Is posible add cain & abel in this script?

[homes32]

very thanks for script. This crash for me when i open this. Wireshark open and i pick in open interfaces and wireshark is closed.

sounds like wireshark has an issue with your network driver. if it is winpcaps fault you should get a dialog on starting wireshark complaining about NPF driver.

Is posible add cain & abel in this script?

I have another script for cain and able, but I have not released it yet.

[hectorma]

i run in vmware. I think thaht winpcap is instaled but when i open wireshark and click in select interface it close the program. mmmm. i have creating one nez iso file. When i finish and test this post my screen when it crash.

[sanbarrow]

... in case you don't know ...

winpcap does not need a script - it can be LODRed very easily.
Use the winpcap-installer that comes with nmap - then you can simply use

winpcap-nmap-4.02.exe /S

to install it silently in a second - needs writeable X:\
IMHO this is much cleaner approach than anything you can get with a scipt.

The /S parameter only works with the winpcap setup that comes with Nmap

Ulli

[hectorma]

ok, then winpcap not is installed with script?
one script with nmap, wireshark and cain is very beatiful script

[sanbarrow]

ok, then winpcap not is installed with script?

There are several roads to Rome - personally I never bothered with using a script or plugin for any of those apps you mentioned.
I highly prefer the LODR-approach

[homes32]

ok, then winpcap not is installed with script?

winpcap is installed with the script.
your problem is likley not related to winpcap as wireshark would not start without complaining that the driver was not started. your problem is likley with the vmware drivers not being recognized.

one script with nmap, wireshark and cain is very beatiful script

I like to keep the programs in separate scripts. makes for easier updating and maintenance.

[hectorma]

ok, is posible thath winpcap driver init in vistape boot? so no need init the driver and cain and wireshark run ok.

[hectorma]

sorry because i speak but i haven´t see code script. winpcap-nmap is added in the script? it is installed automatic? I think thath if winpcap is loaded in start is posible create one script of security tools (wireshark, cain, nmap, w3af, framework metasploit, atk, etc ...) some Max Real scripts. you can select apps that you like install en iso ......

[homes32]

sorry because i speak but i haven´t see code script. winpcap-nmap is added in the script? it is installed automatic?

currently I do not use the winpcap-nmap installer. the script installs the driver and filters directly and in VistaPe it is automatically started by VistaPE Loader during the post config. watch for it to say "NetGroup Packet Filter Driver"

... in case you don't know ...

winpcap does not need a script - it can be LODRed very easily.
Use the winpcap-installer that comes with nmap - then you can simply use

winpcap-nmap-4.02.exe /S

this is very intriguing... /S doesn't work in the official installer which is why I had to include it directly in the script. I shall look into the nmap build. any idea how often it is updated? do they stick with stable releases or do they use the beta's as well? right now the code for installing winpcap is rather extensive as we have to check for the proper environment (xp and vista/win7 need different files) and make sure network support is started before the drivers can be loaded. this could make things easier.

[sanbarrow]

this is very intriguing... /S doesn't work in the official installer

I believe the folks at winpcap and those at insecure.org are close friends. Thats why only the special nmap-version still allows the /S switch
which was removed from the public winpcap-packages some time ago.
Thats why I assume Nmap uses latest stable available version in most cases.

[hectorma]

it is the error:



I use vistape v12 and windows sp1 for source.

In one or two seconds it is closed, mensage error and wireshark.

ok i add this line and probe.
Hive_Load,HKU
reg_add,0x1,"%reg%\Microsoft\Windows\CurrentVersion\RunOnceEx\zRun","NetGroup Packet Filter Driver","%CDDrive%\Programs\WinPcap\npf_mgm.exe -s"
Hive_Unload,HKU

[JonF]

I am not sure I understand ... did WireShark work with that addition?

It would not work if the program were "Run from RAM".

A more robust way would be:

[codebox]RegAddBoot,HKLM,0x1,"Software\Microsoft\Windows\CurrentVersion\RunOnceEx\zRun","NetGroup Packet Filter Driver","%PE_Programs%\Programs\WinPcap\npf_mgm.exe -s"[/codebox] or [code]AddShortcut,AutoRun,%PE_Programs%\Programs\WinPcap\npf_mgm.exe,-s[/code]

[hectorma]

i don´t know, i have probing in this moment with
Hive_Load,HKU
reg_add,0x1,"%reg%\Microsoft\Windows\CurrentVersion\RunOnceEx\zRun","NetGroup Packet Filter Driver","%CDDrive%\Programs\WinPcap\npf_mgm.exe -s"
Hive_Unload,HKU
The program wireshark and winpcap driver run in from cd, no memory.