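# This is a PowerShell script for acquiring a PCAP file from a remote PC running the PacketCache service
#
# PacketCache and the latest version of this script is available here:
# https://www.netresec.com/?page=PacketCache
#
# == LICENSE ==
# This script and PacketCache are released under a Creative Commons Attribution-NoDerivatives 4.0 International License,
# which means that you can copy and redistribute PacketCache in any medium or format for any purpose, even commercially.
#
# Usage: ReadRemotePacketCache.ps1 HOSTNAME USERNAME
#   HOSTNAME - remote computer running the PacketCache service (reachable over PowerShell remoting)
#   USERNAME - account used for the PSSession; passing a plain user name to -Credential makes PowerShell
#              prompt for the password, so it is never placed on the command line
#
# Output: HOSTNAME_yyMMdd_HHmm.pcap in the current directory. The file is raw captured network traffic from the
#         remote host, so treat it as sensitive and keep the destination directory access-restricted.
#
# Failure handling: the remote temp file is removed on every path (pipe unavailable, read error, failed copy)
#         and the PSSession is always torn down, so no capture data is left in the remote temp directory.

if ($args.Length -lt 2) {
    Write-Host "Usage: ReadRemotePacketCache.ps1 HOSTNAME USERNAME";
    return;
}

$remoteHost = $args[0];
$session = $null;
try {
    $session = New-PSSession -ComputerName $remoteHost -Credential $args[1];
    # New-PSSession yields $null (plus a non-terminating error) when the connection fails, so check the
    # object itself as well as its state; the original only checked State and then called Remove-PSSession on $null.
    if (($null -eq $session) -or ($session.State -ne [System.Management.Automation.Runspaces.RunspaceState]::Opened)) {
        Write-Host "Error connecting to" $remoteHost;
        return;
    }

    Write-Host "[*] Dumping PacketCache at" $remoteHost;
    # Drain the local PacketCache named pipe on the remote host into a temp file there. -ErrorAction Stop turns a
    # remote exception (pipe missing, 1 s connect timeout, read failure) into a terminating error here, so the
    # script does not continue into Copy-Item with an empty path.
    $remotePath = Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
        # GetTempFileName() creates the (empty) file atomically with a unique name, so the path is not guessable/reusable.
        $tempPath = [System.IO.Path]::GetTempFileName();
        $pipeStream = $null;
        $file = $null;
        try {
            $pipeStream = New-Object System.IO.Pipes.NamedPipeClientStream ".", "PacketCache", "In";
            $file = [System.IO.File]::OpenWrite($tempPath);
            $pipeStream.Connect(1000);
            $buffer = New-Object byte[] 4096;
            $n = $pipeStream.Read($buffer, 0, $buffer.Length);
            while ($n -gt 0) {
                $file.Write($buffer, 0, $n);
                $n = $pipeStream.Read($buffer, 0, $buffer.Length);
            }
        } catch {
            # Do not leave a partial capture behind on the remote host when the dump fails.
            if ($null -ne $file) { $file.Close(); $file = $null; }
            Remove-Item -LiteralPath $tempPath -ErrorAction SilentlyContinue;
            throw;
        } finally {
            if ($null -ne $file) { $file.Close(); }
            if ($null -ne $pipeStream) { $pipeStream.Dispose(); }
        }
        return $tempPath;
    };

    if ([string]::IsNullOrEmpty($remotePath)) {
        Write-Host "Error: no PacketCache dump was produced on" $remoteHost;
        return;
    }

    try {
        Write-Host "[*] Copying PCAP dump from" $remoteHost;
        $filename = $remoteHost + '_' + [System.DateTime]::Now.ToString("yyMMdd_HHmm") + ".pcap";
        # -ErrorAction Stop: a failed transfer must not be reported as "saved".
        Copy-Item -FromSession $session -Path $remotePath -Destination $filename -ErrorAction Stop;
        Write-Host "[*] Remote PacketCache dump saved to" $filename;
    } finally {
        # Remove the remote copy whether or not the transfer succeeded; -LiteralPath avoids wildcard interpretation.
        Invoke-Command -Session $session -ScriptBlock {
            Remove-Item -LiteralPath $using:remotePath -ErrorAction SilentlyContinue
        };
    }
} finally {
    if ($null -ne $session) { Remove-PSSession $session; }
}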