pcap-triage.sh
Lightweight PCAP triage for CTF and DFIR. Runs capinfos, tshark
stats, protocol extracts, HTTP object export, and quick IOC hunts.
Optionally uses Zeek, Suricata, and tcpflow if installed.
Usage: pcap-triage.sh <capture.pcap> [output_dir]
web-recon.sh
Web challenge reconnaissance. Checks headers, redirects, cookies,
common files (robots.txt, .git/HEAD, .env, backups), homepage links,
forms, JS keyword hunting. Optional ffuf path fuzzing with wordlist.
Usage: web-recon.sh <url> [wordlist]
api-recon.sh
API endpoint discovery and reconnaissance. Probes common docs and
schema paths (Swagger, OpenAPI, GraphQL), tests auth endpoints,
checks CORS and HTTP methods.
Usage: api-recon.sh <base_url>
webhook-helper.sh
Automates OOB testing with webhook.site. Generates payloads for
SSRF, XSS, and command injection, injects them into a target URL
parameter, then polls the webhook for callbacks.
Usage: webhook-helper.sh -u <target_url> -i <webhook_uuid>
[-m ssrf|xss|cmdi] [-p parameter]
Setup
# make all scripts executable
chmod +x pcap-triage.sh web-recon.sh api-recon.sh webhook-helper.sh
# add to PATH (optional)
export PATH="$PATH:/path/to/ctf/scripts"
# dependencies
# pcap-triage: tshark (required), zeek/suricata/tcpflow (optional)
# web-recon: curl (required), ffuf (optional)
# api-recon: curl
# webhook: curl, jq
Typical CTF workflow
# got a pcap? triage it
./pcap-triage.sh challenge.pcap output/
# web challenge? recon first
./web-recon.sh http://target:8080
./api-recon.sh http://target:8080/api
# need OOB confirmation?
# 1. create webhook at webhook.site, copy UUID
./webhook-helper.sh -u 'http://target/fetch' \
-i YOUR_UUID -m ssrf -p url