Caronte is a tool to analyze the network flow during capture the flag events of type attack/defence. It reassembles TCP packets captured in pcap files to rebuild TCP connections, and analyzes each connection to find user-defined patterns. The patterns can be defined as regex or using protocol specific rules. The connection flows are saved into a database and can be visualized with the web application. REST API are also provided.
curl, either locally or remotely, or via the GUI
There are two ways to install Caronte:
The only things to do are:
git clone https://github.com/eciavatta/caronte.git
docker-compose up -d
The first thing to do is to install the dependencies:
Next you need to compile the project, which is composed of two parts:
go mod download && go build
cd frontend && yarn install && yarn build
Before running Caronte starts an instance of MongoDB https://docs.mongodb.com/manual/administration/install-community/ that has no authentication. Be careful not to expose the MongoDB port on the public interface.
Run the binary with
./caronte. The available configuration options are:
-bind-address address where server is bind (default "0.0.0.0") -bind-port port where server is bind (default 3333) -db-name name of database to use (default "caronte") -mongo-host address of MongoDB (default "localhost") -mongo-port port of MongoDB (default 27017)
The configuration takes place at runtime on the first start via the graphical interface or via API. It is necessary to setup:
server_address: the ip address of the vulnerable machine. Must be the destination address of all the connections in the pcaps. If each vulnerable service has an own ip, this param accept also a CIDR address. The address can be either IPv4 both IPv6
flag_regex: the regular expression that matches a flag. Usually provided on the competition rules page
auth_required: if true a basic authentication is enabled to protect the analyzer
accountsarray, which contains the credentials of authorized users
The backend, written in Go language, it is designed as a service. It exposes REST API that are used by the frontend written using React. The list of available APIs with their explanation is available here: https://app.swaggerhub.com/apis-docs/eciavatta/caronte/WIP
Below there are some screenshots showing the main features of the tool.