cariddi
Discover virtual hosts and subdomains
TLDR
Hunt for secrets using custom regexes and output results in JSON
Hunt for juicy endpoints with high concurrency and a timeout, with plain output
Crawl in debug mode, store HTTP responses, and output results to a TXT file
Perform an intensive crawl with a proxy and a random user agent, and output results to an HTML file
Hunt for errors and useful information with a custom delay, using the .cariddi_cache folder as cache
Show example uses
SYNOPSIS
cariddi [options] pcap_file
PARAMETERS
-a
Select the steganography analysis algorithm. Available options include: 'statistical', 'entropy', 'chi2', and 'all' (default).
-b
Number of bytes to consider for analysis. Defaults to 1024.
-f
BPF (Berkeley Packet Filter) string to filter packets.
-h
Display the help message and exit.
-i
Network interface to capture packets from in real time.
-l
List available algorithms.
-n
Number of packets to analyze. Defaults to all.
-o
Output file to write results to. Defaults to stdout.
-q
Quiet mode. Suppress output.
-t
Threshold value for the selected algorithm.
-v
Verbose mode. Increase output verbosity.
DESCRIPTION
Cariddi is a command-line tool designed to detect hidden data within TCP streams. It analyzes network traffic, specifically TCP streams captured in pcap files, to identify patterns and anomalies indicative of steganography or covert communication.
It operates by employing various statistical and entropy-based analyses to flag potentially suspicious regions in the TCP stream data. This allows security professionals and network analysts to uncover hidden payloads, identify exfiltration attempts, and generally improve network security posture. Cariddi aims to be a versatile tool for network forensics and intrusion detection, providing insights into network traffic that are not immediately apparent with standard network monitoring tools.
It can be used to find suspicious data hidden in network captures and so help locate the source of data leaks.
CAVEATS
Cariddi is a heuristic tool, and its findings should be interpreted with caution. High entropy or statistical anomalies do not necessarily indicate steganography, and further investigation is typically required to confirm any suspicious activity. Algorithm effectiveness depends heavily on the type of steganography used.
ALGORITHM DETAILS
The statistical algorithm analyzes byte frequency distributions. The entropy algorithm calculates the entropy of byte sequences. The chi2 algorithm analyzes chi-squared values, checking for patterns which may indicate data encoding.
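The byte-frequency, entropy and chi-squared measures described above, computed per 1024-byte window (the -b default) over a constructed byte stream. This is an added example, not cariddi's own code; the function names, the 7.0 bits-per-byte threshold and the sample data are assumptions.

```python
import hashlib
import math
from collections import Counter

WINDOW = 1024  # mirrors the -b default documented above

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) up to 8.0 (uniform)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())

def chi_squared(buf: bytes) -> float:
    """Pearson chi-squared of byte counts against a uniform distribution."""
    if not buf:
        return 0.0
    expected = len(buf) / 256
    counts = Counter(buf)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def score_windows(stream: bytes, window: int = WINDOW):
    """Return [(offset, entropy, chi2)] for each window of the stream."""
    return [(off, shannon_entropy(stream[off:off + window]),
             chi_squared(stream[off:off + window]))
            for off in range(0, len(stream), window)]

def flag_windows(stream: bytes, threshold: float = 7.0, window: int = WINDOW):
    """Offsets whose entropy meets the (assumed) threshold."""
    return [off for off, h, _ in score_windows(stream, window) if h >= threshold]

# Constructed sample: plaintext HTTP, then 1024 pseudo-random bytes standing in
# for any encrypted or compressed payload, then plaintext again.
TEXT = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 22)[:WINDOW]
DENSE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
SAMPLE = TEXT + DENSE + TEXT

if __name__ == "__main__":
    for off, h, chi2 in score_windows(SAMPLE):
        mark = "FLAG" if h >= 7.0 else "ok"
        print(f"offset={off:5d} entropy={h:4.2f} chi2={chi2:9.1f} {mark}")
```

The flagged middle window is ordinary dense data, which is the point made under CAVEATS: encrypted or compressed traffic scores the same way, so a flag is a lead to investigate rather than a finding.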