Skip to content
/ Hexa_Payload_Decoder Public
forked from stratosphereips/Hexa_Payload_Decoder

A Bash script to automatically decode and translate any TCP hexa payload data form any language to english.

0 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

optionalg/Hexa_Payload_Decoder

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits

README.md

README.md

 
 

cyberchef-decode.js

cyberchef-decode.js

 
 

googletranslator.py

googletranslator.py

 
 

payload_analyzer.log

payload_analyzer.log

 
 

payload_analyzer.sh

payload_analyzer.sh

 
 

Repository files navigation

Hexa Payload Decoder

Arcane|Transmutation

Problem Statement

When analyzing malware traffic on the network sometimes we find ourselves spending several minutes decoding the data from the hexadecimal streams. In the best case scenario we can use some tools (like Wireshark) to see this hexadecimal streams already decoded, but sometimes the decoded characters are not supported by most of the networking analyzers.

The Solution

The idea is to develop a tool aimed to extract the TCP hexadecimal data from netwrok captures filtering by a specific port provided by the user, decode it from hexadecimal and translate it from any language to english.

The workflow of the tool is the following:

  • User runs the bash script with two parameters, the pcap file to analyze and some port.
  • The bash script extracts the hexadecimal data from the TCP flows filtering by the user provided port using Tshark command.
  • The extracted hexadecimal data is passed to CyberChef decoder which uses multiple decoding techniques to get the raw data in the language it had been written.
  • The decoded data is finally passed to Google Translate python library which automatically detects the language and translate it to english.
  • The decoded and translated data is written to an output file to see the results.
  • This flow repeats for every TCP flow found in the pcap.

Help:

  • Hexadecimal decoder and translator for network analysis. usage: payload_analyzer.sh [-h] [-d hexacode] [-p pcap] [-pp pcap port] where:
    • -h - show this help text
    • -d hexacode - to decode and translate given hexadecimal code and print the results in standard output
    • -p pcap - to decode and translate all TCP data in given pcap file and write the results in logfile payload_analyzer.log
    • -t pcap port - to decode and translate all TCP data in given pcap file filtering by giving port and write the results in logfile payload_analyzer.log
    • -l pcap port datalength - to decode and translate all TCP data in given pcap file filtering by giving port and data length and writes the results in logfile payload_analyzer.log
    • -c - clean all results in logfile payload_analyzer.log

Here is the script working with some example pcap:

Suspicious_payload_example

References:

About

A Bash script to automatically decode and translate any TCP hexa payload data form any language to english.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 89.0%
  • Python 6.0%
  • JavaScript 5.0%