This tool combines the beta tool cs-parse-http-traffic.py (now discontinued) and the unreleased tool cs-parse-dns-traffic.py: it decrypts and parses Cobalt Strike DNS and HTTP beacon network traffic.
By default it handles HTTP traffic. Use option -f dns to handle DNS traffic.
cs-parse-traffic_V0_0_3.zip (https)
MD5: D11D64222CD77407FCEE5E6235470828
SHA256: 916B44513620FD2BB3F7263D279E8219419A87F89CDA1253011D7338896405DD
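The published MD5 and SHA256 values above exist so that a downloaded copy can be checked before it is unpacked and run. The script below is an added example, not code from the blog post or from the cs-parse-traffic tool itself; it recomputes both digests of a file and compares them with the published values. The file name is assumed to be the one listed above, and the `abc` input used in the comments is a constructed test value.

```python
# Added example (not part of the cs-parse-traffic tool or the blog post):
# verify a downloaded archive against the MD5 and SHA256 published with it.
import hashlib
import sys

# Digests published on the page for cs-parse-traffic_V0_0_3.zip.
PUBLISHED_MD5 = "D11D64222CD77407FCEE5E6235470828"
PUBLISHED_SHA256 = "916B44513620FD2BB3F7263D279E8219419A87F89CDA1253011D7338896405DD"


def digests(data: bytes) -> dict:
    """Return lowercase hex MD5 and SHA256 of the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify(data: bytes, expected_md5: str, expected_sha256: str) -> dict:
    """Compare computed digests with the published ones (case-insensitive).

    Returns per-algorithm booleans plus an overall 'ok' flag. Both digests
    must match: a mismatch in either means the data is not the published
    archive (a corrupted download or a substituted file).
    """
    got = digests(data)
    md5_ok = got["md5"] == expected_md5.lower()
    sha256_ok = got["sha256"] == expected_sha256.lower()
    return {"md5_ok": md5_ok, "sha256_ok": sha256_ok, "ok": md5_ok and sha256_ok}


def verify_file(path: str,
                expected_md5: str = PUBLISHED_MD5,
                expected_sha256: str = PUBLISHED_SHA256) -> dict:
    """Read a file from disk and verify it against the published digests."""
    with open(path, "rb") as f:
        data = f.read()
    return verify(data, expected_md5, expected_sha256)


if __name__ == "__main__":
    # Usage: python verify_download.py cs-parse-traffic_V0_0_3.zip
    target = sys.argv[1] if len(sys.argv) > 1 else "cs-parse-traffic_V0_0_3.zip"
    result = verify_file(target)
    print(f"{target}: md5_ok={result['md5_ok']} sha256_ok={result['sha256_ok']}")
    sys.exit(0 if result["ok"] else 1)
```

The comparison is done on lowercase hex so the uppercase digests as printed on the page match the lowercase output of hashlib. The script exits non-zero on any mismatch, which makes it usable as a gate in a download step.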
[…] have developed a tool, cs-parse-traffic, that can decrypt and parse DNS traffic and HTTP(S). Similar to what we did with encrypted HTTP […]
Pingback by Cobalt Strike: Decrypting DNS Traffic – Part 5 – NVISO Labs — Tuesday 30 November 2021 @ 10:02
Hi,
I’ve used cs-parse-http-traffic.py before and it was amazing. When I try the new tool on my PCAPs it breaks in the middle of execution.
I get an error about “HMAC signature is invalid”. Could you please suggest a solution?
Thanks,
Comment by Or — Wednesday 1 December 2021 @ 13:29
Do you use a display filter? (-Y)
Comment by Didier Stevens — Wednesday 1 December 2021 @ 14:57
[…] New Tool: cs-parse-traffic.py […]
Pingback by Week 49 – 2021 – This Week In 4n6 — Sunday 5 December 2021 @ 10:45