THC-Snooze is a network traffic analysis framework.
The possible applications of THC-Snooze are vast and range from simple and advanced sniffing to passive network auditing. The framework allows for the creation of custom modules that can track a connection until a successful login takes place, or check if a client application establishes an insecure SSLv2 connection with an SSL enabled server.
Getting started with THC-Snooze involves writing a module for the protocol being monitored. To illustrate the process, we start by obtaining some sample data to analyze. We create a copy of the `dump_tcp.lua` file and modify its first line to suit our needs, changing `-- :xxx_no_proto:1:tcp:` to `-- :xxx_no_proto:21:tcp:` so that the module is bound to FTP control traffic on port 21. Next, we start snoozed with `snoozed -i en0 -M modules/ -b -c t0 -D 10`; it prints its banner `THCsnoozed-0.0.6 by THC` followed by `DEBUG: loading modules ...` as the modules are loaded.
After snooze has sniffed and stored one or two connections, we exit the program and use `hxdmp` to view the logs. The log file can be viewed using any preferred text editor. The red data represents information sent from the server to the client, while green data represents information sent from the client to the server.
We can use the information gathered from the log file to write a custom module. For instance, in the case of guest1 logging in with password AAAA, our module can extract this information from the log file.
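The login tracking described above, worked as an added example that is not THC-Snooze code and does not use its Lua module API. Because the page does not document the log format, the script assumes a constructed dump in which each line carries a direction tag: `S>` for server-to-client data (the red data above) and `C>` for client-to-server data (the green data). It follows one FTP control session through `USER` and `PASS` until the server answers with a success (230) or failure (530) code, and reports that a cleartext login occurred without storing the password itself, which is the finding a passive audit needs.

```python
"""Flag cleartext FTP logins in a THC-Snooze-style connection dump.

Added example: this is not THC-Snooze code and does not use its Lua
module API. It assumes a constructed dump format in which each line
carries a direction tag: "S>" for server-to-client data (red in the
page's description) and "C>" for client-to-server data (green).
"""
import re
from dataclasses import dataclass

# Constructed sample dump of one FTP control session (port 21/tcp),
# mirroring the guest1 / AAAA login mentioned in the text.
SAMPLE_DUMP = """\
S> 220 ftp.example.test FTP server ready
C> USER guest1
S> 331 Password required for guest1
C> PASS AAAA
S> 230 User guest1 logged in
C> SYST
S> 215 UNIX Type: L8
"""

LINE_RE = re.compile(r"^(?P<dir>[SC])>\s?(?P<data>.*)$")


@dataclass
class LoginEvent:
    user: str
    password_len: int   # length only; the secret itself is not reported
    succeeded: bool     # True once the server answered 230


def parse_dump(text):
    """Yield (direction, payload) tuples, skipping malformed lines."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("dir"), m.group("data").rstrip("\r")


def find_cleartext_logins(text):
    """Track the session until a login attempt completes.

    State machine: USER -> PASS -> server reply (230 = success,
    530 = failure). Any USER/PASS pair seen here travelled in
    cleartext, which is the auditing finding; the password value
    itself is discarded and only its length is kept.
    """
    events = []
    user = None
    pending_pw_len = None
    for direction, data in parse_dump(text):
        if direction == "C":
            cmd, _, arg = data.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user, pending_pw_len = arg.strip(), None
            elif cmd == "PASS" and user is not None:
                pending_pw_len = len(arg.strip())
        elif direction == "S" and user is not None and pending_pw_len is not None:
            code = data[:3]
            if code in ("230", "530"):
                events.append(LoginEvent(user, pending_pw_len, code == "230"))
                user, pending_pw_len = None, None
    return events


if __name__ == "__main__":
    for ev in find_cleartext_logins(SAMPLE_DUMP):
        status = "succeeded" if ev.succeeded else "failed"
        print(f"cleartext FTP login for {ev.user!r} {status} "
              f"(password of {ev.password_len} chars sent in the clear)")
```

The same state machine generalizes to any protocol whose login is a request/response exchange: swap the command names and reply codes, and keep the direction tags, which are what let the parser tell the client's credentials apart from the server's prompts.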
In conclusion, THC-Snooze is a flexible and robust framework that has extensive applications in network traffic analysis. Its ability to use custom modules and protocol dissectors tailored to the user's specific needs makes it an excellent choice for network administrators.
Version 0.0.7: N/A