# FlagSniff

FlagSniff is a powerful command-line tool designed for red teamers and CTF players to quickly analyze .pcap files and extract flags, credentials, tokens, and other sensitive information.

## Features

- PCAP & PCAPNG File Analysis: Load and parse .pcap or .pcapng files using Scapy
- Multi-Protocol Support: HTTP, DNS, FTP, Telnet, TCP, UDP
- Flag Detection: Automatically find CTF flags with patterns like `flag{}`, `CTF{}`, `HTB{}`
- Credential Extraction: Detect Basic Auth, form-based logins, passwords
- Token Recognition: JWT tokens, API keys, Bearer tokens, AWS keys
- Colorized Output: Beautiful terminal output using Rich
- Statistics: Detailed analysis statistics
- Export Results: Save findings to JSON format
- Custom Regex: Use your own regex patterns for specific searches
## Supported Patterns

- Flags: `flag{}`, `CTF{}`, `HTB{}`, `DUCTF{}`, `PICOCTF{}`
- Credentials: usernames, passwords, Basic Auth
- Tokens: JWT, API keys, Bearer tokens, Slack tokens, AWS keys
- Emails: Standard email format detection
- Hashes: MD5, SHA1, SHA256
- URLs: HTTP/HTTPS links
## Requirements

- Python 3.7+
- pip package manager

## Installation

```bash
pip install -r requirements.txt
```

Required packages:

- `scapy` - Packet parsing and analysis
- `rich` - Beautiful terminal output
## Usage

1. Find all flags in a PCAP file:

   ```bash
   python flagsniff.py -f capture.pcap --find flag
   ```

2. Search for credentials:

   ```bash
   python flagsniff.py -f capture.pcap --find credentials
   ```

3. Find everything (flags, credentials, tokens):

   ```bash
   python flagsniff.py -f capture.pcap --find all
   ```

4. Use a custom regex pattern:

   ```bash
   python flagsniff.py -f capture.pcap --find all --regex "flag\\{.*?\\}"
   ```

5. Export results to JSON:

   ```bash
   python flagsniff.py -f capture.pcap --find all --export results.json
   ```

6. Verbose output:

   ```bash
   python flagsniff.py -f capture.pcap --find all --verbose
   ```

### Command-line options

```text
usage: flagsniff.py [-h] -f FILE [--find {flag,credentials,tokens,all}]
                    [--regex REGEX] [--export EXPORT] [--verbose]

FlagSniff - CLI Tool for Packet Analysis & Flag Extraction

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Path to .pcap file
  --find {flag,credentials,tokens,all}
                        What to search for (default: all)
  --regex REGEX         Custom regex pattern to search
  --export EXPORT       Export results to file (JSON format)
  --verbose, -v         Verbose output
```
## Example Output

```text
Loading PCAP file: sample.pcap
Loaded 1500 packets

FlagSniff Results
┏━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Type       ┃ Protocol ┃ Source       ┃ Destination ┃ Found Data                              ┃
┡━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ FLAG       │ HTTP     │ 192.168.1.10 │ 192.168.1.1 │ flag{h3ll0_w0rld_fr0m_p4ck3t5}          │
│ CREDENTIAL │ HTTP     │ 192.168.1.20 │ 192.168.1.1 │ username=admin&password=secret123       │
│ TOKEN      │ HTTP     │ 192.168.1.30 │ 192.168.1.1 │ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... │
└────────────┴──────────┴──────────────┴─────────────┴─────────────────────────────────────────┘

╭─ Statistics ───────────╮
│ Analysis Statistics    │
│                        │
│ Total Packets: 1500    │
│ Analyzed Packets: 847  │
│ Flags Found: 3         │
│ Credentials Found: 7   │
│ Tokens Found: 2        │
╰────────────────────────╯
```
## Project Structure

```text
flagsniff/
├── flagsniff.py          # Main CLI tool
├── utils/
│   ├── __init__.py       # Package initialization
│   ├── parsers.py        # Packet parsing utilities
│   └── patterns.py       # Pattern matching & regex
├── test_data/
│   └── sample.pcap       # Sample PCAP for testing
├── requirements.txt      # Python dependencies
└── README.md             # This file
```
## Architecture

- Scapy: Handles PCAP file loading and packet parsing
- Rich: Provides colorized terminal output and tables
- Modular Design: Separate utilities for parsing and pattern matching

## Supported Protocols

- HTTP: Web traffic, form data, headers
- DNS: Query/response analysis
- FTP: File transfer protocol
- Telnet: Remote terminal sessions
- TCP/UDP: General packet analysis

## Pattern Matching

The tool uses carefully crafted regex patterns to identify:

- CTF Flags: Various flag formats from different competitions
- Authentication: Basic Auth, form-based, API keys
- Tokens: JWT, Bearer, API keys, cloud service tokens
- Sensitive Data: Emails, hashes, URLs
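As an added illustration (not FlagSniff's own code), the following stdlib-only script shows the kind of pattern matching described above, applied to constructed HTTP payloads that stand in for reassembled cleartext streams; `scan_payload`, `scan_all` and the sample data are assumptions, and Scapy is left out because the payloads are built inline.

```python
import base64
import re

# Pattern families the README lists: flag formats, form logins, Basic Auth and JWTs.
FLAG_RE = re.compile(rb"(?:flag|CTF|HTB|DUCTF|PICOCTF)\{[^}\r\n]{1,200}\}")
FORM_CRED_RE = re.compile(
    rb"(?:user(?:name)?|login)=([^&\s]+)&(?:pass(?:word)?|pwd)=([^&\s]+)", re.I)
BASIC_AUTH_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
JWT_RE = re.compile(rb"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def scan_payload(payload: bytes) -> list:
    """Return findings ({'type', 'value'}) for one reassembled cleartext payload."""
    found = []
    for m in FLAG_RE.finditer(payload):
        found.append({"type": "FLAG", "value": m.group(0).decode(errors="replace")})
    for m in FORM_CRED_RE.finditer(payload):
        user, pwd = (g.decode(errors="replace") for g in m.groups())
        found.append({"type": "CREDENTIAL", "value": f"{user}:{pwd}"})
    for m in BASIC_AUTH_RE.finditer(payload):
        try:  # a malformed header is skipped rather than aborting the whole scan
            decoded = base64.b64decode(m.group(1), validate=True).decode(errors="replace")
        except ValueError:
            continue
        found.append({"type": "CREDENTIAL", "value": decoded})
    for m in JWT_RE.finditer(payload):
        found.append({"type": "TOKEN", "value": m.group(0).decode()})
    return found


# Constructed HTTP payloads (hypothetical data, not from a real capture).
SAMPLE_PAYLOADS = [
    b"GET /secret HTTP/1.1\r\nHost: ctf.local\r\n\r\nflag{h3ll0_w0rld_fr0m_p4ck3t5}",
    b"POST /login HTTP/1.1\r\nHost: ctf.local\r\n\r\nusername=admin&password=secret123",
    b"GET /api HTTP/1.1\r\nAuthorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n",
    b"GET /api HTTP/1.1\r\nAuthorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIn0.sig\r\n",
    b"GET /api HTTP/1.1\r\nAuthorization: Basic not*base64!\r\n",  # malformed: must be skipped
]


def scan_all(payloads=SAMPLE_PAYLOADS) -> list:
    """Scan every payload and return the combined findings in capture order."""
    results = []
    for payload in payloads:
        results.extend(scan_payload(payload))
    return results


if __name__ == "__main__":
    for item in scan_all():
        print(f"{item['type']:10} {item['value']}")
```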
## Custom Patterns

You can create custom regex patterns for specific needs:

```bash
# Search for Bitcoin addresses
python flagsniff.py -f capture.pcap --regex "[13][a-km-zA-HJ-NP-Z1-9]{25,34}"

# Find specific flag formats
python flagsniff.py -f capture.pcap --regex "MYCTF\\{[a-zA-Z0-9_]+\\}"
```

## Python API

```python
from flagsniff import FlagSniff

# Initialize
fs = FlagSniff()

# Load packets
packets = fs.load_pcap("capture.pcap")

# Analyze
fs.analyze_packets(packets, ['flag', 'credentials'])

# Get results
results = fs.found_items
```

## Roadmap

- Web Dashboard: Visual traffic flow and analysis
- Advanced Statistics: Detailed protocol breakdowns
- Real-time Analysis: Live packet capture analysis
- CSV Export: Multiple export formats
- Gaming Mode: CTF scoring system
- Deep Inspection: SSL/TLS analysis, encrypted content
- Mobile App: Companion mobile application
## Contributing

1. Fork the repository
2. Create a feature branch: `git checkout -b feature-name`
3. Commit changes: `git commit -am 'Add feature'`
4. Push to branch: `git push origin feature-name`
5. Submit a Pull Request
## License

This project is licensed under the MIT License - see the LICENSE file for details.

## Disclaimer

FlagSniff is designed for educational purposes, authorized penetration testing, and CTF competitions. Always ensure you have proper authorization before analyzing network traffic. The authors are not responsible for any misuse of this tool.

## Acknowledgments

Created for the red teaming and CTF community. Special thanks to:

- Scapy developers for the powerful packet analysis library
- Rich library for beautiful terminal interfaces
- The CTF community for inspiration and feedback

Happy Flag Hunting!