Analyzing PCAPs with Claude Code
One of the most practical use cases for Claude Code in security work is rapid PCAP triage. In this post I'll walk through a live session where I asked Claude to analyze a DoublePulsar capture, extract IOCs, and summarize the activity — all from a single prompt.
The Prompt
analyse the /home/demo/7-DoublePulsar.pcap file, extract any IOCs, present a summary of the activity
How Claude Approached It
Claude Code located the file at /home/igor/demo/7-DoublePulsar.pcap and ran a series of tshark commands to build up a picture of the traffic:
- IP conversation summary — identified the two hosts and total frame counts
- Protocol hierarchy — discovered SMB, NBSS, DCE/RPC, LLMNR, and NBNS
- Frame-by-frame analysis — traced the full attack sequence from port scan to exploitation attempt
- SMB/445 filter — isolated the exploitation traffic and SMB command sequence
- MAC and hostname extraction — pulled NetBIOS names and ARP-derived MACs
- DoublePulsar fingerprint check — looked for the specific PeekNamedPipe + Trans2 sequence
The entire analysis ran in under 30 seconds of wall time.
Results
Hosts
| Host | IP | MAC | NetBIOS Name | Role |
|---|---|---|---|---|
| Attacker | 192.168.0.100 | 08:00:27:c9:6d:7c | EW-WIN7-VICTIM | Attack origin |
| Victim | 192.168.0.105 | 08:00:27:bb:5c:98 | EW-VICTIM | Windows target |
Attack Phases
Phase 1 — TCP Port Scan (frames 1–2280, ~0.20s)
Sequential SYN scan of ports 1–1024 in batches of 10. Ports 139 and 445 confirmed open.
Phase 2 — SMB Reconnaissance
Anonymous null-session authentication followed by NetServerEnum2 requests to enumerate domain controllers, servers, and workstations. Target hostname EW-VICTIM confirmed.
Phase 3 — EternalBlue Vulnerability Check
The classic MS17-010 fingerprint sequence:
- SMB anonymous session via \\192.168.0.105\IPC$
- PeekNamedPipe FID 0x0000 → STATUS_INSUFF_SERVER_RESOURCES ✓ (vulnerable)
- Trans2 SESSION_SETUP → STATUS_NOT_IMPLEMENTED ✓ (unpatched)
- DCE/RPC EPMv4 bind over named pipe
Phase 4 — Second Attempt
Identical sequence repeated — consistent with exploit frameworks (Metasploit, standalone EternalBlue) that double-check before delivering payload.
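To make the Phase 3 fingerprint check reproducible without the agent, here is an added example (my own code, not from the post or from Claude's session) that runs the same kind of tshark field query and applies the PeekNamedPipe/Trans2 logic to every SMB reply, so a repeated check like Phase 4 collapses into one verdict per client/server pair. It assumes tshark is installed and uses Wireshark's SMB field names; the embedded sample rows are constructed, not taken from the capture.

```python
import subprocess

PCAP = "/home/igor/demo/7-DoublePulsar.pcap"   # capture path as given in the post
FIELDS = ["ip.src", "ip.dst", "smb.cmd", "smb.flags.response", "smb.nt_status", "smb.trans2.cmd"]
SMB_COM_TRANSACTION, SMB_COM_TRANSACTION2 = 0x25, 0x32   # Trans carries PeekNamedPipe
TRANS2_SESSION_SETUP = 0x000E                             # Trans2 subcommand used by the check
STATUS_INSUFF_SERVER_RESOURCES, STATUS_NOT_IMPLEMENTED = 0xC0000205, 0xC0000002

# Constructed sample in tshark -T fields layout (one tab-separated column per FIELDS entry)
# for the two hosts in the post: reply, request, reply, then an unrelated reply.
SAMPLE = "\n".join([
    "192.168.0.105\t192.168.0.100\t0x25\t1\t0xc0000205\t",
    "192.168.0.100\t192.168.0.105\t0x32\t0\t0x00000000\t0x000e",
    "192.168.0.105\t192.168.0.100\t0x32\t1\t0xc0000002\t0x000e",
    "192.168.0.105\t192.168.0.100\t0x2d\t1\t0x00000000\t",
])

def tshark_fields(pcap=PCAP):  # run tshark over the capture, return its -T fields text
    cmd = ["tshark", "-r", pcap, "-Y", "smb", "-T", "fields"]
    cmd += [arg for field in FIELDS for arg in ("-e", field)]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def _num(s):  # tshark prints integer fields as '0x25' or '37'; anything else -> None
    try:
        return int(s, 0)
    except ValueError:
        return None

def parse_rows(text):
    """Turn -T fields lines into dicts, skipping lines that lack a column."""
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) == len(FIELDS):
            src, dst, cmd, resp, status, t2 = cols
            rows.append({"src": src, "dst": dst, "cmd": _num(cmd), "status": _num(status),
                         "response": resp.lower() in ("1", "true"), "trans2": _num(t2)})
    return rows

def fingerprint(rows):
    """Per (client, server) pair, the MS17-010 indicators seen in server replies."""
    seen = {}
    for r in (r for r in rows if r["response"]):   # the verdict is in the reply
        pair = (r["dst"], r["src"])                # a reply flows server -> client
        if r["cmd"] == SMB_COM_TRANSACTION and r["status"] == STATUS_INSUFF_SERVER_RESOURCES:
            seen.setdefault(pair, set()).add("vulnerable")  # PeekNamedPipe FID 0
        if (r["cmd"] == SMB_COM_TRANSACTION2 and r["trans2"] == TRANS2_SESSION_SETUP
                and r["status"] == STATUS_NOT_IMPLEMENTED):
            seen.setdefault(pair, set()).add("unpatched")   # Trans2 SESSION_SETUP
    return {pair: sorted(flags) for pair, flags in seen.items()}
```

Against the real capture, `fingerprint(parse_rows(tshark_fields()))` should report both flags for the 192.168.0.100 → 192.168.0.105 pair; on the constructed sample it does the same while ignoring the request and the unrelated reply.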
IOCs
Network:
| Type | Value | Notes |
|---|---|---|
| IP | 192.168.0.100 | Attacker |
| IP | 192.168.0.105 | Victim |
| MAC | 08:00:27:c9:6d:7c | Attacker NIC (VirtualBox) |
| MAC | 08:00:27:bb:5c:98 | Victim NIC (VirtualBox) |
| Port | 445/TCP | SMB exploitation target |
| Port | 139/TCP | NetBIOS |
Behavioral:
| IOC | Description |
|---|---|
| Sequential SYN scan ports 1–1024 | Reconnaissance |
| Anonymous null-session SMB bind | Credential-free enumeration |
| PeekNamedPipe FID 0x0000 → STATUS_INSUFF_SERVER_RESOURCES | MS17-010 check |
| Trans2 SESSION_SETUP → STATUS_NOT_IMPLEMENTED | MS17-010 confirm |
| DCE/RPC EPMv4 bind over SMB pipe | Pre-exploitation enumeration |
| NetServerEnum2 with full server type mask | Domain/host enumeration |
MITRE ATT&CK Mapping
- T1046 — Network Service Scanning
- T1210 — Exploitation of Remote Services (MS17-010)
- T1135 — Network Share Discovery (NetServerEnum2)
Assessment
The capture shows the recon and vulnerability check phases of a DoublePulsar attack. The actual exploit payload is not present in this capture — this is either a pre-exploitation snapshot or the exploit failed to land. Both MACs carry the 08:00:27 VirtualBox OUI, confirming a controlled lab environment.
The entire attack chain completes in ~0.22 seconds of capture time, highlighting how fast these automated exploits move.
Takeaways
Claude Code is surprisingly effective as a PCAP triage tool. A single prompt drove a full tshark workflow — conversation extraction, protocol hierarchy, exploit fingerprinting, IOC table, and MITRE mapping — without any manual query writing. For rapid incident triage or CTF PCAP challenges, it's a solid addition to the toolkit.
The Blogger MCP used to publish this post was also set up and tested in the same session. More on that another time.