0xThiebaut/PCAPeek

PCAPeek

A proof-of-concept reassembler for reverse VNC traffic, such as the VNC backdoors shipped with IcedID and Qakbot.

Note that, as a proof of concept, PCAPeek offers no backwards-compatibility guarantees and may be modified in the future to support additional protocols.

Installation

This utility depends on Npcap for PCAP parsing, which you likely already have if Wireshark is installed (its Windows installer bundles Npcap). Even though PCAPeek only reads capture files offline, the library still has to be present for the tool to load.

To download and build this utility with the Go toolchain (the binary lands in your GOBIN, by default $GOPATH/bin), run:

go install github.com/0xThiebaut/PCAPeek@latest

Usage

For the list of options, run PCAPeek with the --help flag:

PCAPeek --help
PCAPeek is a tool to peek into PCAPs. It doesn't do much besides acting as a proof of concept to reconstruct reverse VNC traffic.


Usage:
  PCAPeek PCAP [PCAP ...] [flags]

Flags:
      --files               Output clipboard files
      --files-dir string    The output directory for the clipboard files (default "./")
      --filter string       A BPF filter to apply on the PCAPs
  -h, --help                help for PCAPeek
      --jpeg                Output JPEG frames
      --jpeg-dir string     The output directory for the JPEG frames (default "./")
      --jpeg-fps int        The number of JPEG frames to output per second (default 0, outputs all frames)
      --jpeg-quality int    The JPEG frame quality percentage (default 100)
      --mjpeg               Output MJPEG videos
      --mjpeg-dir string    The output directory for the MJPEG videos (default "./")
      --mjpeg-fps int       The number of MJPEG frames to output per second (default 10)
      --mjpeg-quality int   The MJPEG video quality percentage (default 100)
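
To make concrete what "reconstructing reverse VNC traffic" into JPEG frames involves, here is an added example; it is not PCAPeek's own code. In a reverse VNC session the infected host acts as the RFB server and initiates the TCP connection to the operator, so screen content travels in the server-to-client direction as FramebufferUpdate messages. The decoder below assumes standard RFC 6143 framing with Raw encoding and a 32-bit little-endian pixel format (a malware family's variant may well differ), and it assumes the server-to-client byte stream has already been reassembled out of the PCAP. The message it parses is constructed for the example, not captured traffic.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"image"
	"image/color"
	"image/jpeg"
	"io"
)

// RFC 6143 wire structures for a FramebufferUpdate (all fields big-endian).
type updateHeader struct {
	Type, Padding uint8
	NumRects      uint16
}
type rectHeader struct {
	X, Y, W, H uint16
	Encoding   int32
}

// Pixel layout is an ASSUMPTION for this example: 32 bpp, little-endian, R/G/B at
// shifts 16/8/0. A real session's format comes from ServerInit/SetPixelFormat.
const (
	msgFramebufferUpdate = 0
	encodingRaw          = 0
	bytesPerPixel        = 4
)

// ApplyUpdate parses one server-to-client FramebufferUpdate from r and paints its
// Raw rectangles into fb, returning how many were applied. A stream cut off
// mid-rectangle surfaces as io.ErrUnexpectedEOF.
func ApplyUpdate(fb *image.RGBA, r io.Reader) (int, error) {
	var hdr updateHeader
	if err := binary.Read(r, binary.BigEndian, &hdr); err != nil {
		return 0, err
	}
	if hdr.Type != msgFramebufferUpdate {
		return 0, fmt.Errorf("unexpected message type %d", hdr.Type)
	}
	for i := 0; i < int(hdr.NumRects); i++ {
		var rect rectHeader
		if err := binary.Read(r, binary.BigEndian, &rect); err != nil {
			return i, err
		}
		if rect.Encoding != encodingRaw {
			return i, fmt.Errorf("rectangle %d: unsupported encoding %d", i, rect.Encoding)
		}
		// Sizes come from an untrusted stream: bounds-check before allocating W*H*4 bytes.
		if int(rect.X)+int(rect.W) > fb.Bounds().Dx() || int(rect.Y)+int(rect.H) > fb.Bounds().Dy() {
			return i, fmt.Errorf("rectangle %d exceeds the framebuffer", i)
		}
		pix := make([]byte, int(rect.W)*int(rect.H)*bytesPerPixel)
		if _, err := io.ReadFull(r, pix); err != nil {
			return i, err
		}
		for row := 0; row < int(rect.H); row++ {
			for col := 0; col < int(rect.W); col++ {
				p := pix[(row*int(rect.W)+col)*bytesPerPixel:] // p[0]=B, p[1]=G, p[2]=R
				fb.SetRGBA(int(rect.X)+col, int(rect.Y)+row, color.RGBA{R: p[2], G: p[1], B: p[0], A: 255})
			}
		}
	}
	return int(hdr.NumRects), nil
}

// EncodeJPEG renders the framebuffer at quality 1-100, the knob behind the
// --jpeg-quality and --mjpeg-quality flags.
func EncodeJPEG(fb *image.RGBA, quality int) ([]byte, error) {
	var buf bytes.Buffer
	err := jpeg.Encode(&buf, fb, &jpeg.Options{Quality: quality})
	return buf.Bytes(), err
}

// sampleUpdate builds a CONSTRUCTED FramebufferUpdate (not captured traffic):
// a 4x4 red rectangle at (0,0) followed by a 2x2 blue rectangle at (2,2).
func sampleUpdate() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, updateHeader{Type: msgFramebufferUpdate, NumRects: 2})
	rect := func(x, y, w, h uint16, r, g, bl byte) {
		binary.Write(&b, binary.BigEndian, rectHeader{x, y, w, h, encodingRaw})
		for i := 0; i < int(w)*int(h); i++ {
			b.Write([]byte{bl, g, r, 0}) // little-endian 0x00RRGGBB
		}
	}
	rect(0, 0, 4, 4, 255, 0, 0)
	rect(2, 2, 2, 2, 0, 0, 255)
	return b.Bytes()
}

func main() {
	fb := image.NewRGBA(image.Rect(0, 0, 6, 6))
	n, err := ApplyUpdate(fb, bytes.NewReader(sampleUpdate()))
	jpg, _ := EncodeJPEG(fb, 100)
	fmt.Println("rectangles applied:", n, "jpeg bytes:", len(jpg), "err:", err)
}
```

Two details matter when pointing something like this at real captures. A stream that stops mid-rectangle (a capture that started late or a session that was cut) surfaces as io.ErrUnexpectedEOF rather than a silently partial frame, and rectangle dimensions are validated against the framebuffer before any allocation, because W and H arrive from the wire and a single hostile or corrupted rectangle could otherwise request gigabytes.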

Thanks

Thanks to Brad Duncan (Malware-Traffic-Analysis.net) and Erik Hjelmvik (NETRESEC) for their extensive research on IcedID and its BackConnect protocol.