BruteShark is a network forensic analysis tool designed to extract credentials, authentication hashes, and sensitive information from PCAP network capture files. It provides both a GUI interface for Windows and a command-line interface for Linux/macOS. The tool is essential for incident response, digital forensics, and security assessments involving network traffic analysis.
```bash
# Download latest release
# https://github.com/odedshimon/BruteShark/releases
# Extract ZIP file
unzip BruteShark-x.x.x-win.zip -d C:\BruteShark
# No additional dependencies required (self-contained)
# Run GUI application
C:\BruteShark\BruteShark.exe
```

```bash
# Install dependencies
sudo apt-get update
sudo apt-get install -y git dotnet-sdk-6.0 libpcap-dev
# Clone repository
git clone https://github.com/odedshimon/BruteShark.git
cd BruteShark
# Build the project
dotnet build -c Release
# Run CLI
dotnet run -c Release --project BruteShark.Cli/BruteShark.Cli.csproj
```

```bash
# Install dependencies via Homebrew
brew install dotnet libpcap git
# Clone and build
git clone https://github.com/odedshimon/BruteShark.git
cd BruteShark
dotnet build -c Release
# Run CLI version
dotnet run -c Release --project BruteShark.Cli/BruteShark.Cli.csproj
```

```bash
# Build Docker image
docker build -t bruteshark:latest .
# Run BruteShark in container
docker run -v /path/to/pcaps:/data bruteshark:latest \
    -f /data/capture.pcap -o /data/output.json
# Interactive container
docker run -it -v /path/to/pcaps:/data bruteshark:latest /bin/bash
```
```bash
# Analyze single PCAP file (CLI)
BruteShark.Cli -f capture.pcap
# Analyze with output file
BruteShark.Cli -f capture.pcap -o results.json
# Process multiple PCAP files
BruteShark.Cli -f *.pcap -o combined_results.json
# Process entire directory
BruteShark.Cli -f /path/to/pcaps/ -o results.json
```

```bash
# Open BruteShark GUI
BruteShark.exe
# File menu options:
# - Open PCAP file
# - Merge PCAP files
# - Recent files
# - Export results
```

```bash
# Merge PCAP files before analysis
mergecap -w merged.pcap capture1.pcap capture2.pcap capture3.pcap
# Analyze merged file
BruteShark.Cli -f merged.pcap -o results.json
# Time-sorted merge
mergecap -w merged.pcap -s capture1.pcap capture2.pcap
```
| Protocol | Method | Data Extracted |
|---|---|---|
| HTTP Basic Auth | Base64 decoded | Username, password |
| HTTP Form POST | Form data parsing | Username, password, tokens |
| HTTP Cookies | Cookie extraction | Session tokens, auth cookies |
| HTTP Headers | Header parsing | Authorization tokens, API keys |
```bash
# Extract HTTP form data and authentication
BruteShark.Cli -f capture.pcap --extract-http-credentials
# Show all HTTP requests with credentials
BruteShark.Cli -f capture.pcap --http-basic-auth
# Extract cookies and sessions
BruteShark.Cli -f capture.pcap --extract-cookies
# GUI: Select "Credentials" tab to view HTTP credentials
```
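The table above lists what cleartext HTTP leaks and how each item is recovered (Base64 decoding, form parsing, cookie extraction). The following Python routine is an added example, not BruteShark's own code, that applies those same steps to raw HTTP requests as they would appear in a capture, so you can see exactly which bytes on the wire expose a secret. The requests, hostnames and credentials are constructed placeholders; the lists of credential-looking form fields and session-like cookie names are assumptions of this example.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample requests (not real traffic; all values are invented placeholders).
SAMPLE_REQUESTS = [
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
    b"username=bob&password=hunter2",
    b"GET /api/items HTTP/1.1\r\nHost: api.example\r\n"
    b"Cookie: sessionid=abc123; theme=dark\r\n"
    b"Authorization: Bearer token-constructed-0001\r\n\r\n",
]

# Assumed heuristics: form fields that usually carry credentials, and cookie names that look session-bound.
CREDENTIAL_FIELDS = {"username", "user", "login", "email", "password", "pass", "passwd"}
SESSION_COOKIE_RE = re.compile(r"sess|auth|token", re.I)


def parse_http_request(raw: bytes) -> dict:
    """Split one raw request into request line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers, "body": body.decode("latin-1")}


def extract_exposed_secrets(raw: bytes) -> list:
    """Return (category, detail) pairs for every secret visible in a cleartext request."""
    req = parse_http_request(raw)
    hdrs = req["headers"]
    findings = []

    # Basic auth is only Base64, not encryption: one decode recovers user:password.
    scheme, _, value = hdrs.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and value:
        try:
            user, _, pwd = base64.b64decode(value, validate=True).decode("utf-8").partition(":")
            findings.append(("http-basic", f"{user}:{pwd}"))
        except (ValueError, UnicodeDecodeError):
            findings.append(("http-basic", "undecodable"))
    elif scheme.lower() == "bearer" and value:
        findings.append(("bearer-token", value))

    # Form POSTs carry credentials as plain key=value pairs in the body.
    if req["request_line"].startswith("POST") and hdrs.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        for field, values in parse_qs(req["body"]).items():
            if field.lower() in CREDENTIAL_FIELDS:
                findings.append(("form-field", f"{field}={values[0]}"))

    # Session cookies are bearer credentials too: whoever holds the value holds the session.
    for cookie in hdrs.get("cookie", "").split(";"):
        name, _, val = cookie.strip().partition("=")
        if name and SESSION_COOKIE_RE.search(name):
            findings.append(("cookie", f"{name}={val}"))
    return findings


def scan_requests(requests) -> list:
    """Run the extractor over a list of raw requests and flatten the findings."""
    return [f for raw in requests for f in extract_exposed_secrets(raw)]


if __name__ == "__main__":
    for category, detail in scan_requests(SAMPLE_REQUESTS):
        print(f"{category:13s} {detail}")
```

Every finding here comes from bytes that were readable by anyone on the path; the mitigation is TLS (or an authenticated tunnel) for any service that still speaks these protocols in the clear.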
```bash
# Extract FTP login credentials
BruteShark.Cli -f capture.pcap --extract-ftp
# FTP username extraction
BruteShark.Cli -f capture.pcap | grep -i "USER"
# FTP password extraction
BruteShark.Cli -f capture.pcap | grep -i "PASS"
# Combined FTP credential recovery
BruteShark.Cli -f capture.pcap --ftp-extract -o ftp_creds.txt
```

```bash
# Extract SMTP authentication
BruteShark.Cli -f capture.pcap --extract-smtp
# SMTP plaintext credentials
BruteShark.Cli -f capture.pcap --smtp-auth
# Email sender/recipient extraction
BruteShark.Cli -f capture.pcap --smtp-extract -o emails.txt
```

```bash
# Extract email protocol credentials
BruteShark.Cli -f capture.pcap --extract-email-creds
# IMAP login extraction
BruteShark.Cli -f capture.pcap --imap-extract
# POP3 authentication extraction
BruteShark.Cli -f capture.pcap --pop3-extract
```

```bash
# Generic credential extraction
BruteShark.Cli -f capture.pcap --extract-all-credentials
# Supported protocols:
# - Telnet
# - SSH
# - RDP
# - VNC
# - SMB
# - LDAP
# - Kerberos
```

```bash
# Extract Kerberos hashes
BruteShark.Cli -f capture.pcap --extract-kerberos
# Extract TGT (Ticket Granting Ticket) hashes
BruteShark.Cli -f capture.pcap --extract-krbtgt
# Extract service ticket hashes
BruteShark.Cli -f capture.pcap --extract-service-tickets
# Format for offline cracking
BruteShark.Cli -f capture.pcap --kerberos-format hashcat -o kerberos.hashes
```

```bash
# Extract NTLM authentication hashes
BruteShark.Cli -f capture.pcap --extract-ntlm
# NTLM v1 hash extraction
BruteShark.Cli -f capture.pcap --ntlm-v1
# NTLM v2 hash extraction
BruteShark.Cli -f capture.pcap --ntlm-v2
# Output for John the Ripper
BruteShark.Cli -f capture.pcap --ntlm-extract -o ntlm.txt
```

```bash
# Extract any MD5 hashes found
BruteShark.Cli -f capture.pcap --extract-md5
# Extract SHA hashes
BruteShark.Cli -f capture.pcap --extract-sha
# Extract all hash types
BruteShark.Cli -f capture.pcap --extract-all-hashes
# Format hashes for hashcat
BruteShark.Cli -f capture.pcap --extract-hashes --format hashcat -o hashes.hashcat
# Format for John the Ripper
BruteShark.Cli -f capture.pcap --extract-hashes --format john -o hashes.john
# Format for online lookup
BruteShark.Cli -f capture.pcap --extract-hashes --format plain -o hashes.txt
```

```bash
# Generate network diagram
BruteShark.Cli -f capture.pcap --generate-diagram
# Output diagram as image
BruteShark.Cli -f capture.pcap --diagram-output network.png
# Generate diagram in GraphML format (for Gephi)
BruteShark.Cli -f capture.pcap --diagram-format graphml -o network.graphml
# Generate diagram in DOT format (Graphviz)
BruteShark.Cli -f capture.pcap --diagram-format dot -o network.dot
```
| Element | Representation |
|---|---|
| Nodes | IP addresses / Hostnames |
| Edges | Network connections |
| Edge Weight | Number of packets |
| Node Size | Traffic volume |
| Colors | Traffic type / Protocol |
```bash
# Convert DOT to PNG using Graphviz
dot -Tpng network.dot -o network.png
# Convert to SVG
dot -Tsvg network.dot -o network.svg
# Convert to PDF
dot -Tpdf network.dot -o network.pdf
# View in Gephi (import GraphML)
# File → Open → network.graphml
```
```bash
# Extract all files found in traffic
BruteShark.Cli -f capture.pcap --extract-files
# Extract to specific directory
BruteShark.Cli -f capture.pcap --extract-files -o /path/to/extract/
# Extract specific file types
BruteShark.Cli -f capture.pcap --extract-file-types exe,pdf,docx
# List files before extracting
BruteShark.Cli -f capture.pcap --list-files
```

```bash
# Extract HTTP-transferred files
BruteShark.Cli -f capture.pcap --extract-http-files
# Extract images only
BruteShark.Cli -f capture.pcap --extract-images
# Extract documents
BruteShark.Cli -f capture.pcap --extract-documents
# Extract by MIME type
BruteShark.Cli -f capture.pcap --extract-mime-type application/pdf
```

```bash
# Calculate checksums of extracted files
sha256sum extracted_files/*
# Scan with VirusTotal
for file in extracted_files/*; do
    echo "Scanning: $file"
    # Integration with VirusTotal API (requires API key)
done
# File type validation
file extracted_files/*
```

```bash
# Extract complete TCP sessions
BruteShark.Cli -f capture.pcap --reconstruct-sessions
# Reconstruct specific protocol
BruteShark.Cli -f capture.pcap --reconstruct-http
# Save reconstructed streams
BruteShark.Cli -f capture.pcap --reconstruct-sessions -o sessions/
# View session content
cat sessions/session_1.txt
```

```bash
# Extract complete HTTP requests/responses
BruteShark.Cli -f capture.pcap --reconstruct-http -o http_sessions/
# Separate requests and responses
BruteShark.Cli -f capture.pcap --http-separate-req-resp
# Include HTTP headers and body
BruteShark.Cli -f capture.pcap --http-full-content
```

```bash
# Reconstruct FTP sessions with file transfers
BruteShark.Cli -f capture.pcap --reconstruct-ftp -o ftp_sessions/
# Show FTP commands and responses
BruteShark.Cli -f capture.pcap --ftp-transcript
# Extract transferred files from FTP
BruteShark.Cli -f capture.pcap --ftp-extract-files
```

```bash
# Extract TLS handshake information
BruteShark.Cli -f capture.pcap --extract-tls-info
# Extract SSL certificates
BruteShark.Cli -f capture.pcap --extract-certificates -o certs/
# Analyze certificate chain
openssl x509 -in certs/certificate.pem -text -noout
```

```bash
# Extract all DNS queries
BruteShark.Cli -f capture.pcap --extract-dns
# Export DNS data as JSON
BruteShark.Cli -f capture.pcap --extract-dns --format json -o dns.json
# Export as CSV for analysis
BruteShark.Cli -f capture.pcap --extract-dns --format csv -o dns.csv
# Filter by query type
BruteShark.Cli -f capture.pcap --dns-query-type A,AAAA,MX
```
| Query Type | Description |
|---|---|
| A | IPv4 address resolution |
| AAAA | IPv6 address resolution |
| MX | Mail exchange records |
| NS | Nameserver records |
| CNAME | Canonical name records |
| TXT | Text records (SPF, DKIM) |
| SOA | Start of authority |
| PTR | Reverse DNS lookup |
```bash
# Extract DNS tunneling attempts
BruteShark.Cli -f capture.pcap --detect-dns-tunneling
# Identify suspicious domain lookups
BruteShark.Cli -f capture.pcap --dns-security-analysis
# Extract DNS server addresses
BruteShark.Cli -f capture.pcap --dns-servers -o dns_servers.txt
# Timeline of DNS activity
BruteShark.Cli -f capture.pcap --dns-timeline -o dns_timeline.csv
```
```bash
# JSON output (most comprehensive)
BruteShark.Cli -f capture.pcap -o results.json
# CSV output
BruteShark.Cli -f capture.pcap --format csv -o results.csv
# XML output
BruteShark.Cli -f capture.pcap --format xml -o results.xml
# HTML report
BruteShark.Cli -f capture.pcap --format html -o report.html
```

```bash
# Filter by source IP
BruteShark.Cli -f capture.pcap --filter "src_ip=192.168.1.100"
# Filter by destination IP
BruteShark.Cli -f capture.pcap --filter "dst_ip=10.0.0.1"
# Filter by protocol
BruteShark.Cli -f capture.pcap --filter "protocol=http"
# Combine multiple filters
BruteShark.Cli -f capture.pcap --filter "src_ip=192.168.1.* AND protocol=ftp"
# Complex filter expression
BruteShark.Cli -f capture.pcap --filter "(protocol=http OR protocol=https) AND dst_port=80"
```
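The filter expressions above combine `key=value` comparisons (with `*` wildcards) using `AND`, `OR` and parentheses. As an added example, not the tool's own filter engine, the Python below implements a small recursive-descent parser and evaluator for exactly that grammar and runs it over constructed flow records, which is useful for applying the same expressions to exported JSON/CSV results after the fact. The grammar (OR binding weaker than AND, case-insensitive values) and the record layout are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase

# Constructed flow records; the field names mirror the filter keys used on the page.
RECORDS = [
    {"src_ip": "192.168.1.100", "dst_ip": "10.0.0.1", "protocol": "http", "dst_port": 80},
    {"src_ip": "192.168.1.23", "dst_ip": "10.0.0.2", "protocol": "ftp", "dst_port": 21},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.1", "protocol": "https", "dst_port": 443},
    {"src_ip": "192.168.2.9", "dst_ip": "10.0.0.1", "protocol": "https", "dst_port": 80},
]

# One token per alternative: ( ) AND OR key=value (value stops at whitespace or parentheses).
TOKEN_RE = re.compile(r"\s*(?:(\()|(\))|(AND)\b|(OR)\b|([A-Za-z_]+)=([^\s()]+))")


def tokenize(text: str) -> list:
    """Turn a filter string into (kind, payload) tokens; reject anything unrecognised."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad filter syntax at offset {pos}: {text[pos:]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("LPAREN", None))
        elif m.group(2):
            tokens.append(("RPAREN", None))
        elif m.group(3):
            tokens.append(("AND", None))
        elif m.group(4):
            tokens.append(("OR", None))
        else:
            tokens.append(("CMP", (m.group(5).lower(), m.group(6))))
    return tokens


class Parser:
    """expr := term (OR term)* ; term := factor (AND factor)* ; factor := '(' expr ')' | key=value"""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def parse(self):
        node = self.expr()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.i][0]}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == "OR":
            self.i += 1
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "AND":
            self.i += 1
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of filter")
        kind, payload = self.toks[self.i]
        self.i += 1
        if kind == "LPAREN":
            node = self.expr()
            if self.peek() != "RPAREN":
                raise ValueError("missing closing parenthesis")
            self.i += 1
            return node
        if kind == "CMP":
            return ("cmp",) + payload
        raise ValueError(f"unexpected token {kind}")


def evaluate(node, record) -> bool:
    """Evaluate an AST against one record; unknown keys never match."""
    if node[0] == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if node[0] == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    _, key, pattern = node
    value = record.get(key)
    return value is not None and fnmatchcase(str(value).lower(), pattern.lower())


def apply_filter(text: str, records) -> list:
    """Parse once, then keep every record the expression matches."""
    ast = Parser(tokenize(text)).parse()
    return [r for r in records if evaluate(ast, r)]


if __name__ == "__main__":
    print(apply_filter("(protocol=http OR protocol=https) AND dst_port=80", RECORDS))
```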
```bash
# Multi-threaded processing
BruteShark.Cli -f capture.pcap --threads 8
# Process large files
BruteShark.Cli -f capture.pcap --chunk-size 100000
# Memory-efficient mode
BruteShark.Cli -f capture.pcap --low-memory
# Progress reporting
BruteShark.Cli -f capture.pcap --progress
```
| Component | Function |
|---|---|
| Credentials Tab | View extracted usernames/passwords |
| Hashes Tab | View extracted authentication hashes |
| Files Tab | Browse extracted files |
| DNS Tab | View DNS queries |
| Network Diagram | Visual topology of network |
| Sessions Tab | View reconstructed sessions |
| Search | Search across all data |
```bash
# Export credentials table
# Right-click credentials table → Export → CSV
# Copy selected credentials
# Select row → Ctrl+C → Paste to text file
# Export entire session
# File → Export Results → JSON
# Print network diagram
# View Diagram → Print
```

```bash
# Extract hashes for Hashcat
BruteShark.Cli -f capture.pcap --extract-hashes --format hashcat | \
    hashcat -m 1000 -a 0 -O dictionary.txt
# Extract for John the Ripper
BruteShark.Cli -f capture.pcap --extract-hashes --format john | \
    john --wordlist=dictionary.txt
# Extract for Hydra
BruteShark.Cli -f capture.pcap --extract-credentials -o creds.txt
```

```bash
# Export to JSON for ELK Stack
BruteShark.Cli -f capture.pcap -o elasticsearchdata.json
# Export for Splunk
BruteShark.Cli -f capture.pcap --format splunk -o splunk_data.txt
# Syslog format export
BruteShark.Cli -f capture.pcap --format syslog | nc siem-server.com 514
```

```bash
# Open PCAP in Wireshark for detailed analysis
wireshark capture.pcap
# Use Wireshark filters after BruteShark extraction
# Display filter: ip.src == 192.168.1.100
# Export Wireshark packet list
# File → Export Packet Dissections → As JSON
```

```batch
REM Create batch script for Windows
@echo off
for %%F in (*.pcap) do (
    BruteShark.exe -f "%%F" -o "%%~nF_results.json"
)
```

```bash
#!/bin/bash
# Create batch script for Linux
# Application arguments must follow "--"; without it, dotnet run treats -f as its own --framework option
for pcap in *.pcap; do
    dotnet run -c Release --project BruteShark.Cli/BruteShark.Cli.csproj -- -f "$pcap" -o "${pcap%.pcap}_results.json"
done
```

```bash
# Use GNU Parallel for Linux
parallel BruteShark.Cli -f {} -o {.}_results.json ::: *.pcap
```

```powershell
# PowerShell parallel processing for Windows (ForEach-Object -Parallel requires PowerShell 7+)
Get-ChildItem *.pcap | ForEach-Object -Parallel {
    BruteShark.exe -f $_.FullName -o "$($_.BaseName)_results.json"
}
```
| Issue | Solution |
|---|---|
| PCAP file not readable | Verify PCAP format with file command; try repair with tcpdump |
| No credentials extracted | Verify traffic contains supported protocols; check encryption |
| Memory exhaustion | Use --low-memory mode; split PCAP file |
| Performance issues | Increase thread count; reduce output verbosity |
| GUI won’t start | Verify .NET Framework installed; check Windows permissions |
```bash
# Verify PCAP file integrity
pcapfix -o repaired.pcap corrupted.pcap
# Extract PCAP statistics
capinfos capture.pcap
# Show packet count by protocol
tshark -r capture.pcap -q -z io,phs
# List all unique IPs in capture
tshark -r capture.pcap -T fields -e ip.src -e ip.dst | sort -u
```

```bash
# Analyze in isolated environment
# Use virtual machine for untrusted PCAPs
# Validate extracted files before execution
sha256sum extracted_files/*
# Scan extracted files for malware (ClamAV's scanner binary is clamscan; -r recurses)
clamscan -r extracted_files/
# Review credentials securely
# Use password manager for secure storage
# Encrypt analysis results
gpg --cipher-algo AES256 -c results.json
# Secure deletion of sensitive data
shred -vfz results.txt
# Temporary analysis directory
mkdir -p /tmp/bruteshark_analysis
cd /tmp/bruteshark_analysis
```