TCP flow analyzer with sugar for Attack/Defense CTF
What is it?
Flower is an automatic packet analyzer made by Ca' Foscari University team for the CyberChallenge attack/defense CTF held in Rome on June 27th, 2018.
This tool was written in less than ten days, but it works! Every contribution is welcome!
Presentation of Flower (from min 7:30), and general introduction to CTFs at ESC2K18 in Italian:
- Only one command needed to have it up, thanks to docker.
- Flow list
- Vim like navigation (j to navigate the list)
- Regex filtering with highlight
- Flows containing flags are highlighted in red
- Favorite management
- Time filter
- Service filter
- Colored hex dump
- Automatic export GET/POST requests directly in python-format
- Automatic export to pwntools
Run with docker
Clone the repo, enter the directory, and just run docker-compose up. After a while, you will find flower at http://localhost:3000.
For the flag regex, modify
The build will automatically import the test pcaps.
To enter the service container and import other pcaps, run docker exec -it flower_flower-python_1 /bin/bash (if flower is in a folder with a different name, modify the prefix after -it). The container shares the /shared folder with the host. Put the pcap files inside this folder and run python services/importer.py /shared/pcap_file_here from the container to import pcaps to flower.
- Clone and install dependencies
git clone https://github.com/secgroup/flower
pip install -r services/requirements.txt
(Optional) Set the following environment variables:
- REACT_APP_FLOWER_MONGO: IP of the host that will have flower db active (MongoDB)
- REACT_APP_FLOWER_SERVICES: IP of the host that will have services active
- REACT_APP_FLAG_REGEX: regex that matches flags.
MongoDB is required on the same machine that runs the services. To start it:
sudo mongod --dbpath /path/to/mongodb/db --bind_ip 0.0.0.0
- Start flower
- Start flower services
Once everything has been started, the flower should be accessible at the address of the machine that started it on port 3000.
You must first install pynids from here. The pip version is outdated! Good luck with the installation. Then, you can import pcaps into MongoDB by executing the provided script importer.py as follows:
You can find a test_pcap in services/test_pcap. For a quick demo, run
Security tips (Important!)
If you are going to use the flower in a CTF, remember to set up the firewall in the most appropriate way, as the current implementation does not use other security techniques.
If you ignore this, everybody will be able to connect to your database and steal all your flags!
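One way to do the firewall setup described above, as an added example that is not part of the Flower repository: a helper that prints iptables rules limiting the web UI port (3000) and the MongoDB port to teammates, for both the manual and the docker-compose install. Assumptions: the external interface is eth0 (override with EXT_IF), MongoDB listens on its default port 27017, and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Flower repository. It only prints iptables
# commands; review them, then run them as root.
# Assumptions: EXT_IF is the game-network interface (eth0 here), 27017 is
# MongoDB's default port, and the 192.0.2.x addresses are constructed.
EXT_IF="${EXT_IF:-eth0}"

# flower_fw_rules MODE "PORT ..." TRUSTED_IP...
#   host   : manual install, listeners are host sockets -> INPUT chain.
#   docker : docker-compose, published ports are DNATed and forwarded, so
#            INPUT never sees them -> DOCKER-USER chain, matching the
#            pre-DNAT port with conntrack on the external interface only.
flower_fw_rules() {
    mode="$1"; ports="$2"
    [ "$#" -ge 3 ] || { echo "usage: flower_fw_rules MODE PORTS IP..." >&2; return 2; }
    shift 2
    for port in $ports; do
        case "$mode" in
            host)   chain=INPUT;       allow=ACCEPT
                    match="-p tcp --dport $port" ;;
            docker) chain=DOCKER-USER; allow=RETURN
                    match="-i $EXT_IF -p tcp -m conntrack --ctorigdstport $port" ;;
            *) echo "unknown mode: $mode" >&2; return 2 ;;
        esac
        # Every rule is inserted at the top (-I), so the DROP is emitted
        # first and each allow rule inserted afterwards lands above it.
        echo "iptables -I $chain $match -j DROP"
        for ip in "$@"; do
            echo "iptables -I $chain $match -s $ip -j $allow"
        done
        if [ "$mode" = host ]; then
            # Keep local access working (React app and services on the same box).
            echo "iptables -I $chain -i lo $match -j ACCEPT"
        fi
    done
}

# Manual install: web UI (3000) and MongoDB (27017) for two teammates.
flower_fw_rules host "3000 27017" 192.0.2.10 192.0.2.11
# docker-compose: the published web UI port.
flower_fw_rules docker "3000" 192.0.2.10
```

In docker mode, add 27017 to the port list only if your compose file publishes the MongoDB port to the host.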
Github repo: https://news.topnotch.works/host-https-github.com/secgroup/flower