# TCP dump analysis

### 1. Introduction

In this exercise you'll learn how to extract the content of a TCP dump with different tools. A TCP dump sample of an FTP session is provided. You have to identify the malware that was downloaded in order to find a matching YARA rule later.

{% file src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FZb67DI7tDATXpxecIXL3%2Fmalware.pcap?alt=media&token=2fe2f5ca-8656-49c2-a93a-80ff6c8604d8" %}
malware tcp dump sample
{% endfile %}

### 2. tcp flow

The `pcap` file contains an `ftp` session in which a file has been downloaded. We will now go through different approaches to extracting the file(s) from the `pcap`.

Please follow the instructions below.

```
cd /home/hacker/Downloads
mkdir -p ./ftp/tcpflow
cp malware.pcap ./ftp/tcpflow
cd /home/hacker/Downloads/ftp/tcpflow
apt-get install tcpflow
# -r reads the capture file, -o writes one file per reassembled TCP flow
tcpflow -r malware.pcap -o ./output
```

This will reassemble each TCP flow of the `pcap` dump into its own file in the `./output` folder.

To get the MD5 hashes of all files in the output directory, I use the following command:\
`find -type f -exec md5sum '{}' +`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FMQcLGPhgJi7HkfyEmE7h%2Ftcpflow01.png?alt=media\&token=aaadf663-5a0f-4d2f-bf2d-e231bc6fefbf)

We can now check these MD5 hashes against the VirusTotal database:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FrhiNnrqtuULPHU3DpUzj%2Fvirus_total01.png?alt=media\&token=baedf18b-311c-40db-a0ed-e68c1a002fc6)

We could successfully identify the MD5 hash of the malware: `6fdb9a5243232703b13cadc5cccfa253`

Let's go ahead and see what other tools we have, there's much more to explore!\
In the Community tab of VirusTotal we get a hint that it is the **WannaCry malware**.

### 3. Network miner

We can install NetworkMiner with the following command:

```
apt-get install hl-networkminer
```

For some reason I didn't get NetworkMiner to start, so I had to install it manually:

```
# NetworkMiner is a .NET application, so it needs the Mono runtime
sudo apt install mono-devel

# the URL contains a '?', so quote it to keep the shell from treating it as a glob
wget 'https://www.netresec.com/?download=NetworkMiner' -O /tmp/nm.zip
sudo unzip /tmp/nm.zip -d /opt/
cd /opt/NetworkMiner*
sudo chmod +x NetworkMiner.exe
# the tool writes extracted files and captures into these directories
sudo chmod -R go+w AssembledFiles/
sudo chmod -R go+w Captures/
```

To run NetworkMiner, use the following command:\
`mono NetworkMiner.exe --noupdatecheck`

That worked, and now we can load the pcap file:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FW1KNW6aXmhxuUvs7Z5PN%2Fnwminer01.png?alt=media\&token=d4a83e55-99e9-4f72-ae4d-d705e2646888)

### 4. chaosreader

Another method of extracting the file from the `pcap` is `chaosreader`.

Please follow the instructions below.

```
cd /home/hacker/Downloads/ftp
mkdir chaosreader
cp malware.pcap chaosreader
cd chaosreader
apt-get install chaosreader
/usr/bin/chaosreader -h
# -v: verbose; chaosreader writes the extracted sessions and files into the current directory
/usr/bin/chaosreader -v malware.pcap
```

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FrA1ijJSLz6adWbaNNd2O%2Fchaosreader01.png?alt=media&#x26;token=0a020038-93a8-4b9c-9a78-36a006eb4186" alt=""></div>

Let's compare the MD5 hashes of the extracted files: `md5sum *`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FDOwmfuQz3eLDqEU9esuT%2Fchaosreader02.png?alt=media&#x26;token=93107c02-6089-45fe-8efd-e90ab351e060" alt=""></div>

None of the files extracted by chaosreader has the previously identified MD5 hash, so the malicious file is not available from this tool.

### 5. binwalk

Let's try another nice utility:

```
cd /home/hacker/Downloads
mkdir -p ./tcpdump/binwalk
cp malware.pcap ./tcpdump/binwalk
cd /home/hacker/Downloads/tcpdump/binwalk
# -e: carve and extract every file signature binwalk finds in the raw pcap bytes
binwalk -e malware.pcap
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FcXBkmn9dAwWTkgq7FLh8%2Fbinwalk01.png?alt=media\&token=55f0a024-0d6d-4ee4-a1e3-905a9bd504d1)

Let's visualize the generated files using `tree`:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Ff9Lls1J5OUHFpMH878Mb%2Fbinwalk02.png?alt=media&#x26;token=a2322c57-e3bf-4c31-a39f-5c3a1b60ba04" alt=""></div>

None of the files carved by binwalk has the previously identified MD5 hash, so the malicious file is not available from this tool either.

### 6. Foremost

[Foremost](https://cas-cyber.gitbook.io/cas-cybersecurity/forensic-exercises/disk-forensics/filecarving-with-foremost) is a tool that I've already used in the forensic exercises. It also has an option to carve files out of a pcap file. Let's try that out.

```
cd /home/hacker/Downloads/tcpdump
mkdir foremost
cd foremost
cp ../tcpdump.pcap .
# -i: input file to carve, -o: output directory (must not already exist)
foremost -i ./tcpdump.pcap -o ./output
tree .
```

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FzK92g6C0qk5d4awDPEFx%2Ftcpdump01.png?alt=media&#x26;token=f9990974-0956-4856-bc86-f011f7358f6e" alt=""></div>

Let's check the MD5 hashes:

`md5sum *`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FxhaIPhBfXIPvPBcJkPwq%2Ftcpdump02.png?alt=media&#x26;token=541a056b-6720-4434-8562-1a456f76be34" alt=""></div>

Foremost was able to carve two exe binaries, but neither of them has the malware hash value we identified previously.

### 7. Wireshark

Of course we can also use [Wireshark](https://cas-cyber.gitbook.io/cas-cybersecurity/man-in-the-middle/arp-cache-poisoning) to extract the malicious binary! Let's start Wireshark and open the pcap file. After it is opened, we need to set the display filter to **ftp-data**.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FXfudUoJPmdXCBBMMsnkt%2Fwireshark01.png?alt=media\&token=11275d93-a061-4842-b698-8c1dc34410bd)

Select the `ftp-data` packet and choose Follow --> TCP Stream (the stream carrying `RETR Windows-Update.exe`). Save the stream as raw bytes to get the transferred binary.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FpxJDGAiwRuFpkSTLxQip%2Fwireshark02.png?alt=media&#x26;token=82e5a877-5ebb-495a-a0e2-c5fb2cf8943c" alt=""></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FvPZ8rtj6Xai1X3YW7bTw%2Fwireshark03.png?alt=media&#x26;token=8cae9618-1a6c-4b01-be0b-1bb8dc63d990" alt=""></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FMdhzefjm7cCr7ecR9eN4%2Fwireshark04.png?alt=media&#x26;token=14d897e6-d168-45f6-bef4-9b7b9ad3d2c5" alt=""></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FqGLDkJhW4c6OIvBGZO9P%2Fwireshark05.png?alt=media&#x26;token=cb215956-97c5-4989-911e-1e040587e4f7" alt=""></div>
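The difference between the tools above comes down to one thing: tcpflow and Wireshark's Follow TCP Stream reassemble the `ftp-data` flow by sequence number, while chaosreader, binwalk and Foremost carve the raw pcap bytes, where the PE image is chopped into segments interleaved with packet headers and possibly duplicated by retransmissions, so the carved output can never hash to the original file. The following script, added here as an illustration and not part of the exercise or of any of the tools, does a minimal flow reassembly with the standard library only and hashes each flow; the capture it parses is constructed inline (a tiny fake binary sent from port 20, out of order and with one retransmitted segment), not the exercise's `malware.pcap`.

```python
import hashlib
import struct
from collections import defaultdict

def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment of an Ethernet/IPv4 pcap."""
    e = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"   # pcap byte order
    off = 24                                                             # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
            continue
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]    # skip IP header + options
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        yield ip[12:16], sport, ip[16:20], dport, seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(pcap):
    """Rebuild each one-directional flow by sequence number, as tcpflow and Follow TCP Stream do."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in tcp_segments(pcap):
        if payload:   # pure ACKs carry no data; overlapping partial segments are not handled here
            flows[(src, sport, dst, dport)].setdefault(seq, payload)   # same seq = retransmission, keep first
    return {f: b"".join(segs[s] for s in sorted(segs)) for f, segs in flows.items()}

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def flow_hashes(pcap):
    """MD5 of every reassembled flow: these are the values to look up on VirusTotal."""
    return {f: md5_hex(b) for f, b in reassemble(pcap).items()}

def _frame(sport, dport, seq, payload):
    """One Ethernet/IPv4/TCP frame with zeroed checksums (constructed test data, not from the exercise pcap)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

CHUNKS = [b"MZ\x90\x00", b"This program ", b"cannot be run in DOS mode"]   # constructed fake "binary"
def sample_pcap():
    """Constructed ftp-data transfer from port 20: segments arrive out of order and one is retransmitted."""
    seqs = [1000 + sum(map(len, CHUNKS[:i])) for i in range(len(CHUNKS))]   # seq number of each chunk
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)        # link type 1 = Ethernet
    for i in (0, 2, 1, 1):                                                   # chunk 1 arrives late and twice
        fr = _frame(20, 40001, seqs[i], CHUNKS[i])
        out += struct.pack("<IIII", 0, 0, len(fr), len(fr)) + fr
    return out
```

Running `reassemble(sample_pcap())` yields the fake binary intact in one flow, while the raw capture bytes contain the middle chunk twice and never contain the contiguous file, which is exactly why the carvers' hashes did not match.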

### 8. Security Questions

Once the data has been extracted from a `pcap` or any other format, you can then use `yara`.

Please respond to the following questions:

* Is the malware `packed`?
* What kind of malware is it?
* Try out different `yara` rules.

### Answers

I've used the following command to check the extracted binary with yara:

`yara -r /opt/applic/yara-rules/index.yar /home/hacker/Downloads/tcpdump | grep binary.raw`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F9KUikFcEcQsilXzd6Wuh%2Fyar_rules05.png?alt=media\&token=0858fcd3-94c5-4e9d-9450-758c65a520cc)

As we can see, the binary is packed and it is, as previously mentioned, the WannaCry ransomware!
