
  • Daryl Shows His Work
  • 2025-10-01
Project 30 - Extracting and Analyzing Malicious Traffic with T Shark

Video description: Project 30 - Extracting and Analyzing Malicious Traffic with T Shark

Commands Used (in the order they appear in the video)

1. cd Desktop/Files/pcap_files (to switch to directory with pcap files)

2. ls (to see pcap files)

3. tshark -r http.cap -Y http (to filter the traffic capture for HTTP traffic)

4. tshark -r http.cap -Y http.content_type (to see only the packets that are actually carrying files. As shown, packet 27 contains an HTML webpage)

5. tshark -r http.cap -V -Y frame.number==27 (shows a subset of the data printed using the -V flag in TShark. In the output, we can see part of the HTML web page included in this packet.)

6. ^ Limitations: only part of the HTML code is visible, and we can only see usable data because HTML is a text-based protocol.

7. tshark -r http.cap -x -Y frame.number==27 (shows a partial hex dump for packet 27 in this traffic capture. By printing the entire HTTP download session, filtering out packet headers, and converting hex characters to raw bits, a full file can be extracted)

8. tshark -r http.cap --export-objects . (to list supported export protocols)

9. tshark -r http.cap -q --export-objects http,./dumped (To dump HTTP objects from traffic capture into a directory called dumped)

10. ^ -q flag suppresses TShark's usual output which would print the summary information from all packets

11. tshark -r multistage.pcap -Y http.content_type (to identify potentially interesting files, filter the content based on HTTP content type)

12. The multistage.pcap file contains traffic captured from a multi-stage malware infection. Packet 323 contains a Microsoft Word file, which could include macros or other functionality that acts as a downloader for future stages. Let's extract the file.

13. tshark -r multistage.pcap -V -Y frame.number==323 (to first view the details of packet 323)

14. ^ If we look at Content-Disposition, we can see that the name of the file we are looking for is USPS_invoice_reggie.cage.doc, and further down, in Request URI, that it comes from the margo.co.jp domain. Also, a little further up at Content-Length, we can see that the file is apparently 204,288 bytes long, which indicates that it is actually split across several packets.

15. tshark -r multistage.pcap -V -Y frame.number==323 | grep Stream (to search directly for the stream index number; it appears to be 0)

16. tshark -q -r multistage.pcap -z follow,tcp,ascii,0 | head -100 (to view the contents of TCP stream 0)

17. tshark -r multistage.pcap -w - -Y frame.number==323 | tshark -r - (to set the first command to write to standard output and the second command to read from standard input).

18. tshark -r multistage.pcap -w - -Y tcp.stream==0 | tshark -r - -q --export-objects http,docs (to filter for TCP stream zero and save the file to the docs folder)

19. ^ TShark pulls the original file name, not what it was renamed to (scroll back up to the Request URI in packet 323)

20. more docs/get.php%3fid=cmVnZ2llLmNhZ2VAeWFob28uY29t (to display contents of the extracted file)

21. cd docs and ls (to see that the file is located in our local directory)

22. file docs/get.php%3fid=cmVnZ2llLmNhZ2VAeWFob28uY29t (to check the file type; we can see who created it and that it's a Word document)
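An added example, not from the video and not TShark's own code, showing in plain Python what steps 7, 14 and 18 describe: walk a pcap, strip the Ethernet/IP/TCP headers, put the segments back in sequence order, and cut the HTTP object out by Content-Length, flagging a capture that ended before the whole file arrived. The capture, the document bytes and the segment layout are constructed inline; only the filename is taken from the description above.

```python
import struct

# Constructed capture: one HTTP response carrying a small "Word document", split
# over three TCP segments recorded out of order. All values below are made up.
BODY = b"\xd0\xcf\x11\xe0" + b"A" * 200               # OLE2 magic + filler
HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: application/msword\r\n"
        b"Content-Disposition: attachment; filename=USPS_invoice_reggie.cage.doc\r\n"
        b"Content-Length: %d\r\n\r\n" % len(BODY))
STREAM = HEAD + BODY

def _frame(seq: int, payload: bytes) -> bytes:
    """pcap record holding an Ethernet/IPv4/TCP frame (server port 80 -> client)."""
    tcp = struct.pack("!HHIIBBHHH", 80, 49152, seq, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
RECORDS = [_frame(121, STREAM[120:240]), _frame(1, STREAM[:120]), _frame(241, STREAM[240:])]
PCAP = GLOBAL_HEADER + b"".join(RECORDS)
PCAP_TRUNCATED = GLOBAL_HEADER + b"".join(RECORDS[:2])   # capture ended before the last segment

def tcp_payloads(pcap: bytes):
    """Yield (seq, payload) for each TCP segment of a little-endian Ethernet pcap."""
    off = 24                                           # skip the global header
    while off < len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length
        tcp = frame[14 + ihl:]
        seq = struct.unpack_from("!I", tcp, 4)[0]
        yield seq, tcp[(tcp[12] >> 4) * 4:]             # strip TCP header (data offset)

def export_http_object(pcap: bytes):
    """Follow the stream in sequence order and cut out the HTTP response body.
    Returns (filename, body, complete); retransmits and overlaps are not handled."""
    stream = b"".join(p for _, p in sorted(tcp_payloads(pcap)))
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:                                        # headers never completed
        return "", b"", False
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.partition(b": ")
        headers[k.lower()] = v
    length = int(headers.get(b"content-length", len(body)))
    name = headers.get(b"content-disposition", b"").rpartition(b"filename=")[2] or b"object"
    return name.decode(), body[:length], len(body) >= length
```

The complete flag is the check behind step 14: a Content-Length larger than what the capture actually holds means the object is not worth handing to a file-type or sandbox check yet.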
