
Monitor and collect suspicious network traffic

Project description

RATCatcher

ratcatcher

Ratcatcher is a tool for monitoring and collecting suspicious socket connections, intended for use during the dynamic analysis of malware. Optionally, it can also capture the packets exchanged during monitoring and write them to a PCAP file for more in-depth analysis in Wireshark.

omniserver

WIP. Omniserver is a script for replicating various types of backdoor traffic. Currently it only listens and beacons; further updates may follow.

Basic Usage

Ratcatcher

usage: ratcatcher [-h] [-f SECONDS] [-b CYCLES] [--capture FILENAME]
                  [{inet,inet4,inet6,tcp,tcp4,tcp6,udp,udp4,udp6,unix,all}]
                  
positional arguments:
  {inet,inet4,inet6,tcp,tcp4,tcp6,udp,udp4,udp6,unix,all}
                        Type of traffic to monitor (Default: all)
                        
options:
  -h, --help            show this help message and exit
  -f SECONDS, --frequency SECONDS
                        Frequency, in seconds, to check for active connections (Default: 1.0)
  -b CYCLES, --baseline CYCLES
                        Collect a baseline of traffic, to help filter out normal processes (Total time =
                        frequency*CYCLES)
  --capture FILENAME    Capture packets during monitoring and output to PCAP file
  
Examples:
    ratcatcher (Monitor all traffic types)
    ratcatcher --baseline 10 -f .5 --capture mypackets
    ratcatcher inet6
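The baseline-then-diff loop that the -b/-f options describe, as an added example (this is not ratcatcher's own code). A snapshot callable returns the current socket table; the baseline phase records every connection key seen over CYCLES polls, and the monitor phase reports only connections whose key was not in the baseline. psutil_snapshot() is a real data source (psutil.net_connections accepts the same kind names as the positional argument above; psutil is an assumed dependency, imported only if you call it), while demo() replays constructed frames so the example runs offline. Addresses, PIDs and the "sample" process are made up for the demo.

```python
"""Baseline-then-diff connection monitor (added example, not ratcatcher's code)."""
import socket
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    proto: str           # "tcp" or "udp"
    laddr: str           # "ip:port"
    raddr: str           # "ip:port", or "" for listening / unconnected sockets
    status: str          # "ESTABLISHED", "LISTEN", "NONE", ...
    pid: Optional[int]   # owning process, None when not visible to us


Snapshot = Callable[[], List[Conn]]
Key = Tuple[str, str, str, Optional[int]]


def conn_key(c: Conn) -> Key:
    # The local ephemeral port is left out on purpose: a baseline process that
    # reconnects to the same peer from a new source port is still "normal".
    return (c.proto, c.raddr, c.status, c.pid)


def collect_baseline(snapshot: Snapshot, cycles: int, frequency: float,
                     sleep: Callable[[float], None] = time.sleep) -> frozenset:
    """Poll `cycles` times, `frequency` s apart (total = cycles * frequency)."""
    seen = set()
    for _ in range(cycles):
        seen.update(conn_key(c) for c in snapshot())
        sleep(frequency)
    return frozenset(seen)


def monitor(snapshot: Snapshot, baseline: frozenset, cycles: int, frequency: float,
            sleep: Callable[[float], None] = time.sleep) -> List[Conn]:
    """Return connections not explained by the baseline, each reported once."""
    reported = set(baseline)
    hits: List[Conn] = []
    for _ in range(cycles):
        for c in snapshot():
            key = conn_key(c)
            if key not in reported:
                reported.add(key)
                hits.append(c)
        sleep(frequency)
    return hits


def psutil_snapshot(kind: str = "all") -> List[Conn]:
    """Real data source (assumes psutil is installed). Seeing every process's
    sockets needs root/Administrator on most platforms."""
    import psutil
    names = {socket.SOCK_STREAM: "tcp", socket.SOCK_DGRAM: "udp"}

    def fmt(addr) -> str:  # unix sockets carry a path string, inet an (ip, port)
        return addr if isinstance(addr, str) else (f"{addr.ip}:{addr.port}" if addr else "")

    return [Conn(names.get(s.type, str(int(s.type))), fmt(s.laddr), fmt(s.raddr),
                 s.status, s.pid) for s in psutil.net_connections(kind=kind)]


# ---- constructed demo data (not real captures) --------------------------------
NORMAL = [
    Conn("tcp", "192.168.1.20:51812", "93.184.216.34:443", "ESTABLISHED", 4242),  # browser
    Conn("tcp", "0.0.0.0:22", "", "LISTEN", 812),                                  # sshd
]
SAMPLE = [
    Conn("tcp", "192.168.1.20:51999", "10.10.10.1:7896", "ESTABLISHED", 6666),     # beacon
    Conn("udp", "192.168.1.20:60123", "10.10.10.1:53", "NONE", 6666),              # DNS, same host
]


def make_scripted_snapshot(frames: List[List[Conn]]) -> Snapshot:
    """A snapshot() that replays `frames` in order and repeats the last one."""
    state = {"i": 0}

    def snapshot() -> List[Conn]:
        frame = frames[min(state["i"], len(frames) - 1)]
        state["i"] += 1
        return frame
    return snapshot


def demo() -> List[Conn]:
    # Two quiet baseline cycles, then the sample starts talking. The browser's
    # later reconnect from a new ephemeral port must NOT be reported.
    reconnect = Conn("tcp", "192.168.1.20:52001", "93.184.216.34:443", "ESTABLISHED", 4242)
    frames = [NORMAL, NORMAL, NORMAL + SAMPLE[:1], [NORMAL[1], reconnect] + SAMPLE]
    snap = make_scripted_snapshot(frames)
    no_wait = lambda seconds: None  # the demo skips real sleeping
    baseline = collect_baseline(snap, cycles=2, frequency=0.5, sleep=no_wait)
    return monitor(snap, baseline, cycles=3, frequency=0.5, sleep=no_wait)


if __name__ == "__main__":
    for hit in demo():
        print(f"NEW {hit.proto} pid={hit.pid} {hit.laddr} -> {hit.raddr} [{hit.status}]")
```

The key deliberately ignores the local port, otherwise every reconnect by a baseline process would be flagged; it keeps the PID, so a new process talking to a known-good host is still reported. Because this is socket-table polling, anything that opens, sends and closes between two polls is invisible, which is why a packet capture alongside the monitor is worth having.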

Omniserver

usage: omniserver [-h] [-b IPADDR] [-f SECONDS] [-t SECONDS] [-d] [-u] [--msg MSG] [port]

positional arguments:
  port                  Port to listen on/connect to (Default: RHP for listen/beacon, 53 for DNS)
  
options:
  -h, --help            show this help message and exit
  -b IPADDR, --beacon IPADDR
                        Beacon to remote IP
  -f SECONDS, --frequency SECONDS
                        Frequency, in seconds, to beacon remote IP
  -t SECONDS, --timeout SECONDS
                        Timeout duration, in seconds, for beacon sockets
  -d, --dns             Send DNS requests
  -u, --udp             Use UDP protocol (Default: TCP)
  --msg MSG             Message to send upon successful connection
  
Examples:
    omniserver (Listen on TCP random high port)
    omniserver -b 10.10.10.1 -f 30 -u 7896
    omniserver --msg 'TCP Server Test Message'
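A minimal listen/beacon pair in the shape of omniserver, as an added example (not omniserver's own code). Listener binds a TCP or UDP socket, serves a fixed number of beacons and returns what each peer sent; beacon() connects every `frequency` seconds with a socket timeout and records each attempt's outcome instead of dying when the listener is gone, which is the failure mode a beacon loop has to survive. demo() runs both ends on 127.0.0.1 with an OS-chosen port; the message text is taken from the usage example above, everything else is assumed.

```python
"""Listen/beacon pair (added example, not omniserver's code)."""
import socket
import threading
import time
from typing import Callable, List, Tuple


class Listener:
    """Bind on construction (so the port is known), serve in serve()."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 udp: bool = False, timeout: float = 5.0):
        self.udp = udp
        self.timeout = timeout
        self.sock = socket.socket(socket.AF_INET,
                                  socket.SOCK_DGRAM if udp else socket.SOCK_STREAM)
        self.sock.bind((host, port))          # port 0 => the OS picks a high port
        self.sock.settimeout(timeout)
        if not udp:
            self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.received: List[Tuple[str, bytes]] = []   # (peer, payload)

    def serve(self, count: int) -> None:
        """Accept `count` beacons (or datagrams), then close the socket."""
        try:
            for _ in range(count):
                if self.udp:
                    data, peer = self.sock.recvfrom(4096)
                else:
                    conn, peer = self.sock.accept()
                    with conn:
                        conn.settimeout(self.timeout)
                        data = conn.recv(4096)
                self.received.append((f"{peer[0]}:{peer[1]}", data))
        except socket.timeout:
            pass                               # nobody beaconed in time; give up
        finally:
            self.sock.close()


def beacon(host: str, port: int, attempts: int, frequency: float, timeout: float,
           msg: bytes = b"", udp: bool = False,
           sleep: Callable[[float], None] = time.sleep) -> List[str]:
    """Beacon `attempts` times, `frequency` s apart; returns one outcome per try."""
    outcomes = []
    for i in range(attempts):
        try:
            if udp:
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                    s.settimeout(timeout)
                    s.sendto(msg, (host, port))  # no handshake: "sent" says nothing about the peer
            else:
                with socket.create_connection((host, port), timeout=timeout) as s:
                    s.sendall(msg)
            outcomes.append("sent")
        except socket.timeout:
            outcomes.append("timeout")         # filtered / blackholed
        except ConnectionRefusedError:
            outcomes.append("refused")         # host up, nothing listening
        except OSError as e:
            outcomes.append(f"error:{e.errno}")  # e.g. network unreachable
        if i + 1 < attempts:
            sleep(frequency)
    return outcomes


def demo(udp: bool = False) -> dict:
    msg = b"TCP Server Test Message"
    lst = Listener(udp=udp)
    worker = threading.Thread(target=lst.serve, args=(2,), daemon=True)
    worker.start()
    live = beacon("127.0.0.1", lst.port, attempts=2, frequency=0.05, timeout=2.0,
                  msg=msg, udp=udp)
    worker.join(5)                             # listener has served 2 and closed
    dead = beacon("127.0.0.1", lst.port, attempts=1, frequency=0, timeout=2.0,
                  msg=msg, udp=udp)
    return {"port": lst.port, "received": lst.received, "live": live, "dead": dead}


if __name__ == "__main__":
    for mode in (False, True):
        r = demo(udp=mode)
        print("udp" if mode else "tcp", r["port"], r["live"], r["dead"], r["received"])
```

Over TCP the third attempt comes back "refused" once the listener is gone, so the beacon loop can back off or rotate. Over UDP the same attempt still reports "sent": without a handshake the sender learns nothing from a dead peer unless it waits for a reply, which is exactly why UDP beacons are cheap for malware and why a monitor that only watches connection state (rather than packets) can miss them.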

Installation

Install from PyPI

pip install ratcatcher

Known Issues & TODO

  • Ratcatcher is completely unaware of outgoing UDP packets: it polls the socket table, so a short-lived UDP send can come and go between two checks. However, they are still caught in the PCAP.
  • Add DNS tunneling to omniserver

Download files


Source Distribution

ratcatcher-1.0.0.tar.gz (10.7 kB)

Built Distribution


ratcatcher-1.0.0-py3-none-any.whl (11.9 kB)

File details

Details for the file ratcatcher-1.0.0.tar.gz.

File metadata

  • Download URL: ratcatcher-1.0.0.tar.gz
  • Size: 10.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.10.8

File hashes

Hashes for ratcatcher-1.0.0.tar.gz
Algorithm Hash digest
SHA256 d1b9cf054e34cba23127c85380bf37d157879cc9e6da55ca013fdfedd4d706bf
MD5 b29d09d038f2099ff8480219a8e31d4b
BLAKE2b-256 0316c42fea56ccfaca704f7b3f1a98d4138f2100ac30fce32e9090d8e61322cb


File details

Details for the file ratcatcher-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: ratcatcher-1.0.0-py3-none-any.whl
  • Size: 11.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.10.8

File hashes

Hashes for ratcatcher-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 063cb72d6d2b15ad130b7c2e8cb16bd9445e213b77efb652d4553fd170f1a1f7
MD5 bf70f6bf408bc8a30c3cc9e4d13a8ec6
BLAKE2b-256 f44ec6b79de2579810a89ee872c56e4bc524c7fa2933422668e2f1e78ccb88b5

