CAS Cybersecurity

TCP dump analysis

Last updated 3 years ago
1. Introduction

In this exercise you'll learn how to extract the content of a tcp dump with different tools. A tcp dump sample of an FTP session is provided (malware.pcap, 303KB). You have to identify the malware that was downloaded in order to find a matching YARA rule later.

2. tcp flow

The pcap file contains an FTP session in which a file has been downloaded. We will now go through different approaches to extracting the file(s) from the pcap.

Please follow the instructions below:

cd /home/hacker/Downloads
mkdir -p ./ftp/tcpflow
cp malware.pcap ./ftp/tcpflow
cd /home/hacker/Downloads/ftp/tcpflow
apt-get install tcpflow
tcpflow -r malware.pcap -o ./output

This will extract the files from the pcap dump to the ./output folder.

To get the MD5 file hashes of everything in the output directory I use the following command: find -type f -exec md5sum '{}' +

We can now check these MD5 file hashes against the VirusTotal database:

We could successfully identify the MD5 hash of the malware: 6fdb9a5243232703b13cadc5cccfa253

In the Community tab of VirusTotal we get a hint that it is the WannaCry malware. Let's go ahead and see what other tools we have; there's much more to explore!
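As an added example (not part of the original exercise), the following Python script does by hand what tcpflow did for us above: it reads a pcap, reassembles the FTP data connection coming from port 20 by TCP sequence number (out-of-order and retransmitted segments included), and MD5-hashes the result so it can be compared with the hash identified on VirusTotal. The capture it parses is constructed inside the script (the file bytes, addresses and ports are made up and stand in for the real download); the only value taken from this page is the WannaCry MD5 in KNOWN_BAD_MD5. Function names such as reassemble_streams and hash_ftp_data are my own.

```python
"""Added example: reassemble the FTP data stream from a pcap and hash it.
Handles classic little-endian libpcap, Ethernet/IPv4/TCP, no IP fragments."""
import hashlib
import struct
from collections import defaultdict

# MD5 identified on VirusTotal in section 2 of this exercise
KNOWN_BAD_MD5 = {"6fdb9a5243232703b13cadc5cccfa253"}


def _tcp_frame(src, dst, sport, dport, seq, payload):
    """Build one Ethernet/IPv4/TCP frame. Checksums are left zero because
    the parser below never verifies them (constructed test data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,  # 20-byte TCP header
                      5 << 4, 0x18, 65535, 0, 0)           # data offset 5, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes(src), bytes(dst))
    return eth + ip + tcp + payload


def make_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (constructed)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


CLIENT, SERVER = (10, 0, 0, 5), (10, 0, 0, 9)              # constructed addresses
# constructed payload standing in for the downloaded file; not a real binary
SAMPLE_FILE = b"MZ" + b"\x90" * 62 + b"constructed sample, not a real binary" * 3
SAMPLE_PCAP = make_pcap([
    _tcp_frame(CLIENT, SERVER, 40001, 21, 1000, b"RETR Windows-Update.exe\r\n"),  # control
    # data channel: segments arrive out of order and one is retransmitted
    _tcp_frame(SERVER, CLIENT, 20, 40002, 5032, SAMPLE_FILE[32:64]),
    _tcp_frame(SERVER, CLIENT, 20, 40002, 5000, SAMPLE_FILE[:32]),
    _tcp_frame(SERVER, CLIENT, 20, 40002, 5000, SAMPLE_FILE[:32]),
    _tcp_frame(SERVER, CLIENT, 20, 40002, 5064, SAMPLE_FILE[64:]),
])


def iter_tcp_segments(pcap):
    """Yield (src, dst, sport, dport, seq, payload) for every TCP segment
    that carries data."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24                                               # skip global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                                       # not TCP
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield ip[12:16], ip[16:20], sport, dport, seq, payload


def reassemble_streams(pcap):
    """Return {(src, sport, dst, dport): bytes}: each one-directional stream
    ordered by sequence number with retransmitted segments collapsed.
    Partially overlapping segments are not handled (tcpflow does that)."""
    by_flow = defaultdict(dict)
    for src, dst, sport, dport, seq, payload in iter_tcp_segments(pcap):
        by_flow[(src, sport, dst, dport)].setdefault(seq, payload)
    return {flow: b"".join(segs[s] for s in sorted(segs))
            for flow, segs in by_flow.items()}


def hash_ftp_data(pcap, data_port=20):
    """MD5 of every stream the server sent from its FTP data port, keyed by
    the receiving client endpoint (the equivalent of md5sum on tcpflow output)."""
    hashes = {}
    for (src, sport, dst, dport), data in reassemble_streams(pcap).items():
        if sport == data_port:
            client = ".".join(map(str, dst)) + f":{dport}"
            hashes[client] = hashlib.md5(data).hexdigest()
    return hashes


def flag_known(hashes, known=KNOWN_BAD_MD5):
    """Return the endpoints whose extracted file matches a known-bad MD5."""
    return {endpoint for endpoint, md5 in hashes.items() if md5 in known}


if __name__ == "__main__":
    found = hash_ftp_data(SAMPLE_PCAP)
    for endpoint, md5 in found.items():
        print(endpoint, md5, "KNOWN BAD" if endpoint in flag_known(found) else "unknown")
```

Run it against a real capture by replacing SAMPLE_PCAP with open("malware.pcap", "rb").read(); active-mode FTP uses server port 20 as assumed here, while passive mode negotiates a port via the PASV reply on the control channel, so data_port must then be set to that port.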

3. Network miner

We can install NetworkMiner with the following command:

apt-get install hl-networkminer

For some reason I didn't get NetworkMiner to start, so I had to install it manually:

sudo apt install mono-devel

wget "https://www.netresec.com/?download=NetworkMiner" -O /tmp/nm.zip
sudo unzip /tmp/nm.zip -d /opt/
cd /opt/NetworkMiner*
sudo chmod +x NetworkMiner.exe
sudo chmod -R go+w AssembledFiles/
sudo chmod -R go+w Captures/

To run NetworkMiner use the following command: mono NetworkMiner.exe --noupdatecheck

That worked and now we can load the pcap file:

4. chaosreader

Another method of extracting the file from the pcap is chaosreader.

Please follow the instructions below.

cd /home/hacker/Downloads/ftp
mkdir chaosreader
cp malware.pcap chaosreader
cd chaosreader
apt-get install chaosreader
/usr/bin/chaosreader -h
/usr/bin/chaosreader -v malware.pcap

Let's compare the MD5 hashes of the extracted files: md5sum *

The malicious file with the previously identified MD5 hash is not among the extracted files.

5. binwalk

Let's try another nice utility.

cd /home/hacker/Downloads
mkdir -p ./tcpdump/binwalk
cp malware.pcap ./tcpdump/binwalk
cd /home/hacker/Downloads/tcpdump/binwalk
binwalk -e malware.pcap

Let's visualize the generated files using tree.

The malicious file with the previously identified MD5 hash is not among the extracted files.

6. Foremost

Foremost is a tool that I've already used in the forensic exercises. It also has an option to extract files from a pcap file. Let's try that out.

cd /home/hacker/Downloads/tcpdump
mkdir foremost
cd foremost
cp ../tcpdump.pcap .
foremost -i ./tcpdump.pcap -o ./output
tree .

Let's check the MD5 hashes:

md5sum *

Foremost was able to extract two exe binaries, but neither of them matched the malware hash value we identified previously.

7. Wireshark

Of course we can also use Wireshark to extract the malicious binary! Let's start Wireshark and open the pcap file. After it is opened we need to set the filter to ftp-data.

Select protocol --> Follow TCP Stream (RETR Windows-Update.exe)

8. Security Questions

Once the data has been extracted from a pcap or any other format, you can then use YARA.

Please respond to the following questions:

  • Is the malware packed?

  • What kind of malware is it?

  • Try out different YARA rules.

Answers

I've used the following command to check the extracted binary with YARA:

yara -r /opt/applic/yara-rules/index.yar /home/hacker/Downloads/tcpdump | grep binary.raw

As we can see the binary is packed and it is, as previously mentioned, the WannaCry ransomware!
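To answer the first question without depending on a particular rule set, here is an added Python check (not part of the original exercise, and not YARA) that parses the section table of an extracted PE file and reports two classic packing indicators: section names used by well-known packers and high Shannon entropy of the raw section data, which is what packed or encrypted code looks like. The two PE images it inspects are constructed inside the script; the PACKER_SECTION_NAMES list, the 7.0 bits-per-byte threshold and the function names are my own choices, not values from the page.

```python
"""Added example: packing indicators for a PE file (section names + entropy)."""
import hashlib
import math
import struct
from collections import Counter

# section names used by some well-known packers (my own short list)
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".MPRESS1"}


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image):
    """Parse the PE section table and return [(name, raw_section_bytes)]."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4                                     # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, fh + 2)[0]
    opt_size = struct.unpack_from("<H", image, fh + 16)[0]
    table = fh + 20 + opt_size                            # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def packing_indicators(image, threshold=7.0, min_size=1024):
    """Report per-section entropy and a 'packed' verdict. Tiny sections are
    skipped for the entropy test because their entropy is not meaningful."""
    report = {"sections": [], "reasons": []}
    for name, data in pe_sections(image):
        ent = round(shannon_entropy(data), 2)
        report["sections"].append((name, len(data), ent))
        if name in PACKER_SECTION_NAMES:
            report["reasons"].append(f"packer section name {name}")
        if len(data) >= min_size and ent >= threshold:
            report["reasons"].append(f"entropy {ent} in {name}")
    report["packed"] = bool(report["reasons"])
    return report


# --- constructed PE images for the demo (not real binaries) -------------
def _noise(n, seed=b"constructed"):
    """Deterministic high-entropy filler (SHA-256 chain) so runs repeat."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_pe(sections):
    """Assemble a minimal PE (empty optional header) from (name, data) pairs."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = (e_lfanew + 4 + 20 + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-aligned
    table, blobs, ptr = b"", b"", raw_ptr
    for name, data in sections:
        table += (name.encode().ljust(8, b"\0")
                  + struct.pack("<IIII", len(data), 0x1000, len(data), ptr)
                  + b"\0" * 16)
        blobs += data
        ptr += len(data)
    return (dos + b"PE\0\0" + file_hdr + table).ljust(raw_ptr, b"\0") + blobs


PACKED_SAMPLE = build_pe([("UPX0", b"\0" * 2048), ("UPX1", _noise(4096))])
PLAIN_SAMPLE = build_pe([(".text", b"\x55\x8b\xec\x83\xc4\xf0\xc3" * 300),
                         (".data", b"A" * 2048)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packing_indicators(image))
```

On a real sample, pass open("binary.raw", "rb").read() to packing_indicators. High entropy alone is only an indicator (compressed resources or embedded certificates also score high), which is why the YARA packer rules on the page remain the more specific check; the entropy view is useful when no rule matches.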