Extracting Network IOC’s

Most of the times while digging through pcaps, i found the need to get URL’s, domains and IP address which can be used to identify a specific malware. We can generally use wireshark, but it will be a little time consuming and the filters may not cater all the requirement’s. I ended up using dsniff utilities to speed my task. I’ve used tcpdump and urlsnarf to get my objectives. These areavailable by default in kali and the following procedure helps narrow down specifics within a suspicious PCAP file.

For this exercise, i have downloaded a pcap from Malware Analysis website. This is one the best portals out there which provides a great degree of learning in reversing malwares.

To extract the URLS, you can use urlsnarf as indicated below.

#urlsnarf -p 2017-01-04-Cerber-from-malspam-traffic.pcap | cut -d " " -f 7

urlsnarf: using 2017-01-04-Cerber-from-malspam-traffic.pcap [tcp port 80 or port 8080 or port 3128]

As you can see there are two URLS within the PCAP that was used to download the malicious code.

To extract the Domains,  i use the same command with a different delimiter as below.

# urlsnarf -p 2017-01-04-Cerber-from-malspam-traffic.pcap | cut -d "/" -f 5

urlsnarf: using 2017-01-04-Cerber-from-malspam-traffic.pcap [tcp port 80 or port 8080 or port 3128]

To obtain IP addresses, we use TCPDUMP to read the pcaps and extract only the public IP’s that used to callback.

root@HomeKali:~/project02/cerb# tcpdump 'not src net 10 and not src net 192.168/16 and not src net 172.16/12' -nr 2017-01-04-Cerber-from-malspam-traffic.pcap | cut -d " " -f 3 | sort -u

reading from file 2017-01-04-Cerber-from-malspam-traffic.pcap, link-type EN10MB (Ethernet)

All of the are just single commands, and it appears we could automate them next.

Published by Ramnath Shenoy

I work a penetration tester and this blog is just some of my personal notes!

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: