ShellPcapFication (SPF) - A Sophisticated Interactive Shell Framework

Presented at ToorCon San Diego 19 (2017), Sept. 2, 2017, 2 p.m. (50 minutes).

“For someone who works with Wireshark on a daily basis, dealing with different protocols at varying layers in the OSI model, and writing custom display filters for multifarious purposes and scenarios, will soon realize that Wireshark doesn’t provide the management interface necessary to do all of that in a structured and standardized way. Thus, why I’m presenting SPF (ShellPcapFication), a shell framework that provides a sophisticated abstraction layer for TShark (the console-based version of Wireshark) and the Windows command shell interpreter. SPF features a custom, unique and simple declarative language called Eros that consists of only two constructs, four keywords, three Input operators, auxiliary logic, a function call operator, an INSERT statement, a specifier, and an include preprocessing directive. Additionally, a set of built-in helper commands are also provided by SPF to simplify interaction with Eros in a dynamic way. In this talk, I’ll address the internals of the SPF framework, its features, how it works, how to write constructs for it, and how SPF can be used to help achieve the following:

  + The democratization of writing and sharing a standardized set of constructs based on the Eros language
  + The capability to use different constructs as building blocks to form complex operations
  + Simplification of repetitive tasks
  + Rich shell functionality
  + Automation of Exploit Kit detection
  + Protocol-specific features/fields extraction
  + Building self-contained and easy to manage self-explanatory units/constructs
  + Functioning as a signature detection system (based on TShark’s powerful protocol dissectors)”

Presenters:

  • Mohamad Mokbel
    Mohamad Mokbel is a security researcher at Trend Micro and a member of the Digital Vaccine Lab. He’s responsible for reverse engineering vulnerabilities and malware C&C communication protocols, among others, for the purpose of writing custom filters for TippingPoint NGIPS. Prior to joining Trend Micro, Mohamad worked in the security operations center of CIBC, one of the top five banks in Canada, as a senior information security consultant - investigator (L3), where he realized that experience in the operations field is extremely important to understanding the real sides of offense and defense. Prior to CIBC, Mohamad worked for Telus Security Lab as a reverse engineer/malware researcher for about 5 years. He’s been doing reverse code engineering for the last 12 years. His research interests lie in the areas of reverse code engineering, malware research, intrusion detection/prevention systems, C++, compiler and software performance analysis, information security, and exotic communication protocols. Mohamad holds an MSc in Computer Science from the University of Windsor and a BSc in Computer Engineering from the Lebanese International University.

Links: