One of our readers, Gebhard, submitted a pointer to a tool today, released by Talos, that I wasn't familiar with. However, when I realized it could generate packets, I had to try it out. It's called File2pcap. The concept of the tool is that instead of having to download a file and capture the traffic in order to write detection content, the tool simulates the download and generates the traffic that you would see. You get a nice pcap in the end. I took a relatively benign phishing PDF (it had a link in it) and used it for my test. The tool doesn't have any documentation until you compile it and run it.
I ran a few test scenarios with it: one for HTTP and one for SMTP. For the HTTP, I used the following command line and specified an output file name:
./file2pcap -mh -p 45678:8443 Wire_transfer_Notification.pdf -o httpout.pcap
It shows you that it's working, instead of just returning to a command prompt:
Writing to httpout.pcap
You can see from the packets that it uses the ports I told it to:
Here is what it looks like when you follow the TCP stream:
For the SMTP I ran the following command:
./file2pcap -ms Wire_transfer_Notification.pdf -o smptout.pcap
Here is the data from following the TCP stream:
I played with several of the options. You can also run more than one protocol in a single command line (you can't specify an output file name when running multiple modes; it generates the names for you):
./file2pcap -msh Wire_transfer_Notification.pdf
Writing to Wire_transfer_Notification.pdf-smtp.pcap
Writing to Wire_transfer_Notification.pdf-http-get.pcap
This is a very handy tool to have when you need to generate packets quickly to write content for file transfer detection. It's definitely one I'll add to my toolkit!
© SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Article Link: https://isc.sans.edu/diary.html?storyid=22456&rss