RawCap, a free raw sockets sniffer for Windows , main features include:
- Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback)
- RawCap.exe is just 17 kB
- No external libraries or DLL’s needed
- No installation required, just download RawCap.exe and sniff
- Can sniff most interface types, including WiFi and PPP interfaces
- Minimal memory and CPU load
- Reliable and simple to use
RawCap takes two arguments; the first argument is the IP address or interface number to sniff from, the second is the path/file to write the captured packets to.
You can also start RawCap without any arguments, which will leave you with an interactive dialog where you can select NIC and filename:
For Incident Responders
RawCap comes in very handy for incident responders who want to be able to sniff network traffic locally at the clients of the corporate network. Here are a few examples of how RawCap can be used for incident response:
- A company laptop somewhere on the corporate network is believed to exfiltrate sensitive coporate information to a foreign server on the Internet by using a UMTS 3G connection on a USB dongle. After finding the internal IP address on the corporate network the Incident Response Team (IRT) use the Sysinternals tool PsExec to inject RawCap.exe onto the laptop and sniff the packets being exfiltrated through the 3G connection. The generated pcap file can be used to determine what the external 3G connection was used for.
- A computer is suspected to be infected with malware that uses an SSL tunnelling proxy (stunnel) to encrypt all Command-and-Control (C&C) communication. The data that is to be sent into the tunnel is first sent unencrypted to localhost (127.0.0.1 aka loopback interface) before it enters the encrypted tunnel. Incident responders can use RawCap to sniff the traffic to/from localhost on the Windows OS, which is something other sniffing tools cannot do.
- A corporate laptop connected to the companies WPA2 encrypted WiFi is found to have suspicious TCP sessions opened to other computers on the same WiFi network. Incident responders can run RawCap locally on any of those machines in order to capture the WiFi network traffic to/from that machine in unencrypted form.
For Penetration Testers
RawCap was not designed for pen-testers, but I realize that there are some situations where the tool can come in hany when doing a penetration test. Here are some examples:
- After getting remote access and admin privileges on a Windows XP machine the pen-tester wanna sniff the network traffic of the machine in order to get hold of additional credentials. Sniffing tools like dumpcap, WinDump and NMCap can unfortunately not be used since no WinPcap or NDIS driver is installed. RawCap does, however, not need any special driver installed since it makes use of the Raw Sockets functionality built into Windows. Pen-testers can therefore run RawCap.exe to sniff traffic without installing any drivers.
- After getting admin on a box the pen-tester wanna sniff the network traffic, but box uses a WiFi network so traditional sniffing tools won’t work. This is when RawCap comes in handy, since it can sniff the WiFi traffic of the owned machine just as easily as if it had been an Ethernet NIC.
RawCap is provided for free and can be downloaded from here.