Network Packet Capture File Extraction Analysis

There are many tools available to security analysts for exporting files from network packet captures, commonly called pcap files. In many companies today these pcap files are the only evidence available containing the files that transit their networks. Exporting the complete file and maintaining file integrity is paramount in any cyber investigation. I have known for a long time that some tools are better than others for this purpose, but not until recently, during an investigation where I exported a file using two separate tools on the same pcap file and got two different MD5 hashes for the same file. Hence the reason for the analysis in today's post.

We chose four popular tools for this test that are known industry wide and commonly found in many security analysts' toolkits. Three of the tools are open source: Wireshark, Bro and Chaosreader; we are also testing the professional version of NetworkMiner. For consistency's sake we are using a packet capture from our friends at malware-traffic-analysis.net which contains a nasty Flash exploit file.

Packet Capture

We downloaded 2016-04-13-pseudo-Darkleech-Angler-EK-after-medical-library.net-first-run.pcap from the malware-traffic-analysis.net April 2016 archive.


Wireshark – https://www.wireshark.org/

Wireshark is the world's foremost network protocol analyzer, used both to examine packet capture files and to capture live network traffic.

After opening the pcap we downloaded, we can see in TCP stream 3 that a Flash file was requested with an HTTP GET and then delivered in an HTTP 200 response; the response body starts with the file signature CWS (a zlib-compressed SWF).

There are a couple of methods to export a file in Wireshark, but I will use the menu bar in this test.

In the menu select File > Export Objects > HTTP. This packet capture contains two Flash files; we are going to test the 66 kB one.

Select the entry with content type application/x-shockwave-flash and choose Save As to write it to disk.

Verify the MD5 hash

Wireshark MD5 – 246690cd9b09f84456ddab98261510bd

Bro – https://www.bro.org/bro-exchange-2013/exercises/faf.html

Bro Network Security Monitor (Bro) is a powerful network analysis framework commonly used for intrusion detection and for analyzing packet capture files. Bro's analysis engine makes it adept at high-performance network monitoring, protocol analysis and tracking application-layer state in real time. In our analysis we will leverage the extract-all.bro script from the Bro Exchange 2013 file-analysis exercise on bro.org (see the URL above).

Run Bro against the packet capture with the extract-all.bro script loaded (bro -r <pcap> extract-all.bro) to export all files contained in the capture.

The script drops all the files in a folder called extract_files; our file was renamed to HTTP-FMBqgK2b8aa54wu7mc.

Verify the MD5 hash

Bro MD5 – 246690cd9b09f84456ddab98261510bd

Chaosreader – http://www.brendangregg.com/chaosreader.html

Chaosreader is an open source tool designed to aid in tracing TCP/UDP network sessions and extracting files; it produces detailed HTML output which displays the connection information found in packet captures.

After running Chaosreader against the pcap, the file is written out as session_0004.part_01.data; a look at the file properties confirms it is our file.


Chaosreader MD5 – fc193d580ba0e80e20707baeb7f71f20 (does not match the Wireshark and Bro results)
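When two tools hand back different hashes for "the same" file, the first thing to establish is what each one actually wrote out: the decoded HTTP object, or the bytes of the TCP session. The script below is an added example and not code from the post or from any of the four tools; it does not claim to explain Chaosreader's result above. It builds a small pcap in memory (constructed addresses 10.0.0.1 and 10.0.0.2, a stand-in CWS blob rather than the real exploit file), reassembles the server side of the stream by sequence number while discarding a retransmitted segment and refusing holes, strips the HTTP framing (status line, headers, chunked transfer encoding) and then hashes both the raw stream and the decoded body so the two MD5s can be compared.

```python
import hashlib
import struct
import zlib

# Constructed stand-in for the Flash file: a plausible CWS header over a zlib
# stream. It is NOT the exploit sample from the capture discussed above.
_SWF_PAYLOAD = bytes(range(256)) * 3
FAKE_SWF = b"CWS\x08" + struct.pack("<I", 8 + len(_SWF_PAYLOAD)) + zlib.compress(_SWF_PAYLOAD)

SERVER = (b"\x0a\x00\x00\x02", 80)      # 10.0.0.2:80, constructed
CLIENT = (b"\x0a\x00\x00\x01", 51000)   # 10.0.0.1:51000, constructed


def md5hex(data):
    return hashlib.md5(data).hexdigest()


def _frame(src, dst, seq, payload):
    """Ethernet/IPv4/TCP frame carrying payload; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, src[0], dst[0])
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def _chunked(data, size):
    """Encode data with HTTP/1.1 chunked transfer encoding."""
    out = b"".join(b"%x\r\n%s\r\n" % (len(data[i:i + size]), data[i:i + size])
                   for i in range(0, len(data), size))
    return out + b"0\r\n\r\n"


def build_sample_pcap():
    """Server->client HTTP 200 carrying FAKE_SWF, chunked, split into segments that
    are captured out of order with one retransmission (constructed data)."""
    stream = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n") + _chunked(FAKE_SWF, 100)
    segs = [(1000 + i, stream[i:i + 64]) for i in range(0, len(stream), 64)]
    segs[1], segs[2] = segs[2], segs[1]          # out-of-order delivery
    segs.append(segs[0])                         # retransmission of the first segment
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for n, (seq, data) in enumerate(segs):
        frame = _frame(SERVER, CLIENT, seq, data)
        pcap += struct.pack("<IIII", 1460500000 + n, 0, len(frame), len(frame)) + frame
    return pcap


def tcp_segments(pcap):
    """Yield (flow, seq, payload) for each TCP segment of a classic little-endian pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":           # not IPv4
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                            # not TCP
            continue
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        doff = (tcp[12] >> 4) * 4
        yield (ip[12:16], sport, ip[16:20], dport), seq, tcp[doff:]


def reassemble(segments):
    """Order segments by sequence number; drop retransmitted bytes, refuse gaps."""
    data, nxt = b"", None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        nxt = seq if nxt is None else nxt
        if seq + len(payload) <= nxt:
            continue                              # already have these bytes
        if seq > nxt:
            raise ValueError("hole in stream at seq %d: capture is incomplete" % nxt)
        data += payload[nxt - seq:]
        nxt = seq + len(payload)
    return data


def http_body(stream):
    """Strip HTTP response framing: headers, then chunked or Content-Length body."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        body, pos = b"", 0
        while True:
            end = rest.index(b"\r\n", pos)
            size = int(rest[pos:end].split(b";")[0], 16)
            if size == 0:
                return body
            body += rest[end + 2:end + 2 + size]
            pos = end + 2 + size + 2
    if b"content-length" in headers:
        return rest[:int(headers[b"content-length"])]
    return rest


def extract_flash(pcap):
    """Return (md5 of raw server->client stream, md5 of decoded HTTP body, body)."""
    flows = {}
    for flow, seq, payload in tcp_segments(pcap):
        if payload:
            flows.setdefault(flow, []).append((seq, payload))
    server_flow = next(f for f in flows if f[1] == 80)
    raw = reassemble(flows[server_flow])
    body = http_body(raw)
    return md5hex(raw), md5hex(body), body


if __name__ == "__main__":
    raw_md5, body_md5, body = extract_flash(build_sample_pcap())
    print("raw stream md5 ", raw_md5)
    print("http body md5  ", body_md5, "signature", body[:3])
```

The two hashes differ because the raw stream still carries the status line, headers and chunk-size lines; only the decoded body hashes to the same value as the original file. The hole check in reassemble() is the part worth keeping in a real toolkit: a capture with a missing segment cannot yield a complete file, whatever hash a tool prints for it.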

NetworkMiner – http://www.netresec.com/?page=NetworkMiner

One of NetworkMiner's great features is host identification and file extraction. To get started we imported our pcap into the professional version of NetworkMiner.

Import the pcap from the File menu and select the Files tab, which presents all files contained in the packet capture.

Right-click the Flash file listed as x-shockwave-flash and choose Open folder.

Copy the file to disk.


Verify the MD5 hash

Upload the file to VirusTotal to confirm the MD5 hash and community analysis

Note the MD5 hash matches the two previous tests, and the community AV results confirm it is a known Flash exploit.


NetworkMiner MD5 – 246690cd9b09f84456ddab98261510bd
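A hash match with VirusTotal tells you the export equals a file someone else has already seen; it does not, by itself, tell you the export is complete, and uploading is not always an option in an investigation. The SWF format makes an offline completeness check cheap: the header is a 3-byte signature (FWS, CWS or ZWS), a version byte, and a little-endian 32-bit length of the whole file when uncompressed, and for CWS everything after byte 8 is a single zlib stream. The script below is an added example, not from the post or from NetworkMiner; it checks that the zlib stream ends where the file ends and that the decompressed size agrees with the header, so truncated or padded exports are flagged before their hash is recorded. The sample file it builds is constructed for the demo, not the exploit from the capture.

```python
import hashlib
import struct
import zlib


def swf_info(data):
    """Parse the SWF header and verify the file is complete. Raises ValueError on
    a bad signature, a truncated body, trailing bytes, or a length mismatch."""
    if len(data) < 8:
        raise ValueError("shorter than the 8-byte SWF header")
    sig, version = data[:3], data[3]
    declared = struct.unpack("<I", data[4:8])[0]   # uncompressed length of whole file
    if sig == b"FWS":
        actual = len(data)
    elif sig == b"CWS":
        d = zlib.decompressobj()
        body = d.decompress(data[8:])
        if not d.eof:
            raise ValueError("zlib stream ends early: file is truncated")
        if d.unused_data:
            raise ValueError("%d trailing bytes after the zlib stream" % len(d.unused_data))
        actual = 8 + len(body)
    elif sig == b"ZWS":
        raise ValueError("ZWS (LZMA) files are not handled by this example")
    else:
        raise ValueError("not a SWF signature: %r" % sig)
    if actual != declared:
        raise ValueError("header declares %d bytes, file holds %d" % (declared, actual))
    return {"signature": sig.decode(), "version": version, "length": declared,
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def is_complete_swf(data):
    """Boolean form of swf_info() for quick triage of a directory of exports."""
    try:
        swf_info(data)
        return True
    except ValueError:
        return False


def make_sample_swf(payload=bytes(range(256)) * 3, version=10):
    """Constructed CWS file for the demo; not the sample from the capture."""
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(payload)) + zlib.compress(payload)


if __name__ == "__main__":
    good = make_sample_swf()
    print(swf_info(good))
    for label, sample in (("truncated", good[:-10]), ("trailing byte", good + b"\x00")):
        try:
            swf_info(sample)
        except ValueError as e:
            print(label + ":", e)
```

Recording the SHA-256 alongside the MD5 is deliberate: MD5 is fine for matching against a tool's output or a VirusTotal entry, but it is not collision resistant, so the stronger digest is the one to keep in the case notes.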

Summary

Of the four tools we analyzed, three exported the complete file intact according to the MD5 hash. The tool that did not export the complete file in this test was Chaosreader. The lesson here is that there are numerous tools security analysts use to resurrect files from pcaps, but some tools perform better or more consistently than others, so buyer beware. Agreement between tools is evidence of consistency rather than proof of completeness; comparing the exported file's size and header against what the HTTP response declares is a cheap extra safeguard. Our analysis was admittedly simplistic: we did not test large files or files transmitted over other protocols such as SSH, SMB or FTP, which we believe will also produce differing results between tools; we will save that for a future article.
