There are many tools available to security analysts for exporting files from network packet captures, commonly called pcap files. In many companies today a pcap file is the only evidence an analyst has of the files that crossed the network. Exporting the complete file and maintaining its integrity is paramount in any cyber investigation. I have known for a long time that some tools are better than others for this purpose, but it was not until recently, during an investigation in which I exported the same file from the same pcap with two separate tools and got two different MD5 hashes, that I decided to look into it. Hence the analysis in today's post.
We chose four popular tools for this test that are known industry wide and commonly found in many security analysts' toolkits. Three are open source: Wireshark, Bro and Chaosreader; the fourth is the professional version of NetworkMiner. For consistency's sake we are using a packet capture from our friends at malware-traffic-analysis.net which contains a nasty Flash exploit file.
We downloaded 2016-04-13-pseudo-Darkleech-Angler-EK-after-medical-library.net-first-run.pcap from the malware-traffic-analysis.net April 2016 archive.
Wireshark is the world's foremost network protocol analyzer and is used both to examine packet capture files and to capture live network traffic.
After opening the downloaded pcap we can see in TCP stream 3 that a Flash file was requested with an HTTP GET and delivered in an HTTP 200 response; the response body begins with the CWS file signature, which marks a compressed SWF file.
There are a couple of methods to export a file in Wireshark, but I will use the menu bar in this test.
In the menu select File > Export Objects > HTTP. This packet capture contains two Flash files; we are going to test the 66 kB one.
Select the entry with content type application/x-shockwave-flash and choose Save As to write it to disk.
Verify the MD5 hash
Wireshark MD5 – 246690cd9b09f84456ddab98261510bd
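To see what any of these tools has to get right before the hash above can match, here is an added example that is not part of the original post and is not code from Wireshark, Bro, Chaosreader or NetworkMiner: a minimal HTTP object extractor in Python that reads a classic pcap, reassembles each TCP stream by sequence number (dropping exact retransmissions, trimming overlaps and flagging holes), carves the response body by Content-Length, and reports its MD5 together with a completeness flag. The capture it processes is constructed inline so it runs offline: one GET and one 200 response whose body merely starts with the CWS magic followed by filler bytes, delivered out of order with a retransmitted segment. The addresses 10.0.0.1 and 10.0.0.2, ports 80 and 40000, the path /flash.swf and the host example.test are all invented for the sample. The code assumes Ethernet, IPv4 and a Content-Length-delimited body; it does not handle pcapng, IPv6, chunked transfer encoding or sequence-number wraparound.

```python
"""Added example: reassemble TCP streams from a classic pcap, carve HTTP response bodies and hash them."""
import hashlib
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, not pcapng

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def read_pcap_frames(data: bytes):
    """Yield link-layer frames from a little-endian classic pcap."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("expected a classic little-endian pcap")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_segments(frames):
    """Decode Ethernet/IPv4/TCP; yield (flow, seq, payload) for data-bearing segments."""
    for frame in frames:
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue  # not TCP
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload

def reassemble(segments):
    """Order each flow by seq; drop retransmitted/overlapping bytes, flag holes."""
    flows = defaultdict(dict)
    for flow, seq, payload in segments:
        flows[flow].setdefault(seq, payload)  # identical retransmission: keep the first copy
    streams = {}
    for flow, by_seq in flows.items():
        data, expected, hole = bytearray(), None, False
        for seq in sorted(by_seq):
            payload = by_seq[seq]
            if expected is not None and seq < expected:
                payload = payload[expected - seq:]  # overlap: keep only the new bytes
            elif expected is not None and seq > expected:
                hole = True  # a segment is missing; bytes get stitched across the gap
            data += payload
            expected = seq + len(by_seq[seq])
        streams[flow] = (bytes(data), hole)
    return streams

def http_responses(stream: bytes):
    """Split a server-to-client stream into (status, headers, body, complete) tuples."""
    out, pos = [], 0
    while stream.startswith(b"HTTP/1.", pos):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {k.strip().lower(): v.strip()
                   for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        out.append((lines[0], headers, body, len(body) == length))
        pos = end + 4 + length
    return out

def extract_http_objects(pcap_bytes: bytes):
    """One record per HTTP response body: status, type, MD5 and an integrity flag."""
    records = []
    for stream, hole in reassemble(tcp_segments(read_pcap_frames(pcap_bytes))).values():
        for status, headers, body, complete in http_responses(stream):
            records.append({"status": status, "content_type": headers.get("content-type", ""),
                            "md5": md5_hex(body), "body": body, "complete": complete and not hole})
    return records

# Constructed sample: only the CWS magic is real, the rest is filler bytes.
SWF_BODY = b"CWS\x0a" + bytes(range(256)) * 2

def _frame(sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame for the sample (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    server, client = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # invented addresses
    src, dst = (server, client) if sport == 80 else (client, server)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap(drop_middle: bool = False) -> bytes:
    """A GET and its 200 response; body segments arrive out of order, one retransmitted."""
    req = b"GET /flash.swf HTTP/1.1\r\nHost: example.test\r\n\r\n"
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n"
            b"Content-Length: %d\r\n\r\n" % len(SWF_BODY)) + SWF_BODY
    first, middle, last = resp[:100], resp[100:300], resp[300:]
    frames = [_frame(40000, 80, 1, req), _frame(80, 40000, 1000, first),
              _frame(80, 40000, 1300, last)]  # last segment captured before the middle one
    if not drop_middle:
        frames += [_frame(80, 40000, 1100, middle)] * 2  # middle plus an exact retransmission
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))
```

Calling extract_http_objects(sample_pcap()) yields one record whose body equals SWF_BODY and whose MD5 therefore matches the hash of the original object; calling it with drop_middle=True yields a record flagged incomplete with a different hash. That distinction is the check to apply when two tools disagree: if the capture itself has a hole or the body is shorter than Content-Length, no tool can recover the right hash, whereas a complete stream with a mismatching hash points at the tool.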
Bro Network Security Monitor (Bro) is a powerful network analysis framework commonly used for intrusion detection and for analyzing packet capture files. Its analysis engine makes it adept at high-performance network monitoring, protocol analysis, and real-time tracking of application-layer state. In our analysis we will leverage the extract-all.bro script available from the bro.org site.
Run Bro against the pcap with extract-all.bro loaded to export every file contained in the packet capture.
The script drops all the files in a folder called extract_files, named by protocol and Bro's file ID rather than by the original filename; ours came out as HTTP-FMBqgK2b8aa54wu7mc.
Verify the MD5 hash
Bro MD5 – 246690cd9b09f84456ddab98261510bd
Chaosreader is an open source tool designed to trace TCP/UDP network sessions and extract files from them; it produces detailed HTML output showing the connection information in a packet capture.
The file is renamed session_0004.part_01.data, but a look at the file properties confirms it is our file.
Chaosreader MD5 – fc193d580ba0e80e20707baeb7f71f20
One of the great features of NetworkMiner is host identification and file extraction. To get started we imported our pcap into the professional version of NetworkMiner.
Select File Import; the Files tab then presents all files contained in the packet capture.
Right-click the Flash file listed as x-shockwave-flash and choose Open folder.
Copy the file to disk
Verify the MD5 hash, then upload the file to VirusTotal to confirm the hash and see the community analysis.
Note that the MD5 hash matches the Wireshark and Bro results above, and the community AV results confirm it is a known Flash exploit.
NetworkMiner MD5 – 246690cd9b09f84456ddab98261510bd
Of the four tools we analyzed, three exported the complete file intact according to the MD5 hash. The tool that did not export the complete file in this test was Chaosreader. The lesson is that there are numerous tools security analysts use to resurrect files from pcaps, but some perform better or more consistently than others, so buyer beware. Our analysis was admittedly simplistic: we did not test large files or files transmitted over other protocols such as SSH, SMB or FTP, which we believe will also produce differing results between tools (for SSH, whose payload is encrypted, only session metadata would be recoverable from a pcap in any case). We will save that for a future article.