We can export these objects from the HTTP object list by using the menu path: File -> Export Objects -> HTTP. Figure 2 shows this menu path in Wireshark.

Figure 2.

This menu path results in an Export HTTP object list window as shown in Figure 3. Select the first line with smart-faxcom as the hostname and save it as shown in Figure 3.

Figure 3. Saving the suspected Word document from the HTTP object list.

Select the second line with smart-faxcom as the hostname and save it as shown in Figure 4.

Figure 4. Saving the suspected Windows executable file from the HTTP object list.

Of note, the Content Type from the HTTP object list shows how the server identified the file in its HTTP response headers. In some cases, Windows executables are intentionally labeled as a different type of file in an effort to avoid detection. Fortunately, the first pcap in this tutorial is a very straightforward example. Still, we should confirm these files are what we think they are.

In a MacBook or Linux environment, you can use a terminal window or command line interface (CLI) for the following commands:

The file command returns the type of file. The shasum command will return the file hash, in this case the SHA256 file hash. Figure 5 shows these commands being used in a CLI on a Debian-based Linux host.

Figure 5. Determining the file type and hash of our two objects exported from the pcap.

The commands and their results from Figure 5 are listed below:

Invoice&MSO-Request.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jun 27 19:24:00 2019, Last Saved Time/Date: Thu Jun 27 19:24:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

The information above confirms our suspected Word document is in fact a Microsoft Word document. It also confirms the suspected Windows executable file is indeed a Windows executable. We can check the SHA256 hashes against VirusTotal to see if these files are detected as malware. We could also do a Google search on the SHA256 hashes to possibly find additional information.

In addition to Windows executable or other malware files, we can also extract web pages. Our second pcap for this tutorial, extracting-objects-from-pcap-example-02.pcap (available here), contains traffic of someone entering login credentials on a fake PayPal login page. When reviewing network traffic from a phishing site, we might want to see what the phishing web page looks like. We can extract the initial HTML page using the Export HTTP object menu as shown in Figure 6. Then we can view it through a web browser in an isolated environment as shown in Figure 7.

Figure 6. Exporting a fake PayPal login page from our second pcap.

Figure 7. The exported fake PayPal login page viewed in a web browser.
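The file-type and hash check described above for the exported objects, as an added example rather than the tutorial's own commands: it uses od, sha256sum/shasum and constructed sample files (not the tutorial's artifacts), and goes one step further by flagging a file whose extension does not match its magic bytes, which is the mislabeled-executable case the text warns about.

```shell
#!/bin/sh
# Added example, not from the tutorial: a small triage script for files saved
# from Wireshark's Export HTTP object list. It reads the leading bytes (a
# stand-in for the `file` command), compares them with the file extension,
# and hashes each file the way `shasum -a 256` does.

# Classify a file by its magic bytes.
magic_type() {
    hex=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$hex" in
        d0cf11e0a1b11ae1*) echo "ole2-document" ;;       # legacy .doc/.xls
        504b0304*)         echo "zip-container" ;;       # .docx/.xlsx/.jar
        4d5a*)             echo "windows-executable" ;;  # MZ header: EXE/DLL
        *)                 echo "unknown" ;;
    esac
}

# SHA256 hex digest, using sha256sum or shasum (whichever is installed).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# "ok" when the extension matches the bytes, "MISMATCH" otherwise. The
# Content-Type and file name are what the server claimed; the bytes are
# what the file actually is.
check_label() {
    case "$1" in
        *.doc)       expected="ole2-document" ;;
        *.docx)      expected="zip-container" ;;
        *.exe|*.dll) expected="windows-executable" ;;
        *)           expected="unknown" ;;
    esac
    if [ "$(magic_type "$1")" = "$expected" ]; then echo "ok"; else echo "MISMATCH"; fi
}

# Constructed sample files (not the tutorial's artifacts): a genuine OLE2
# header under a .doc name, and an MZ header disguised with a .doc extension.
demo_dir=$(mktemp -d)
printf '\320\317\021\340\241\261\032\341' > "$demo_dir/Invoice.doc"
printf 'MZ\220\003' > "$demo_dir/Report.doc"
for f in "$demo_dir"/*; do
    printf '%-8s %-18s %s  %s\n' "$(check_label "$f")" "$(magic_type "$f")" \
        "$(sha256_of "$f")" "$f"
done
```

Point the loop at the directory where you saved the HTTP objects to triage real exports; a MISMATCH line is the cue to treat the file as an executable regardless of what the server called it.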