Mohamad Mokbel - ShellPcapFication (SPF) – A Sophisticated Interactive Shell Framework
“Someone who works with Wireshark on a daily basis, dealing with different protocols at varying layers in the OSI model, and writing custom display filters for multifarious purposes and scenarios, will soon realize that Wireshark doesn’t provide the management interface necessary to do all of that in a structured and standardized way. That is why I’m presenting SPF (ShellPcapFication), a shell framework that provides a sophisticated abstraction layer for TShark (the console-based version of Wireshark) and the Windows command shell interpreter. SPF features a custom, unique and simple declarative language called Eros that consists of only two constructs, four keywords, three input operators, auxiliary logic, a function call operator, an INSERT statement, a specifier, and an include preprocessing directive. Additionally, a set of built-in helper commands is provided by SPF to simplify interaction with Eros in a dynamic way.
In this talk, I’ll address the internals of the SPF framework, its features, how it works, how to write constructs for it, and how SPF can be used to help achieve the following:
The democratization of writing and sharing a standardized set of constructs based on Eros language
The capability to use different constructs as building blocks to form complex operations
Simplification of repetitive tasks
Rich shell functionality
Automation of Exploit Kit detection
Protocol specific features/fields extraction
Building self-contained and easy to manage self-explanatory units/constructs
Functioning as a signature detection system (based on TShark’s powerful protocol dissectors)”