Scribd
Upload
188 views

12.2.2.10 Lab - Extract An Executable From A PCAP

The document describes a lab where the student will analyze a pre-captured packet capture file to extract an executable file. The student is instructed to open the packet capture file in Wireshark, analyze the network traffic, and use Wireshark's export features to retrieve the executable file downloaded during the capture. By following the TCP stream, the student discovers that the file is actually a Windows executable called notepad.exe rather than the malware it was renamed as.

Uploaded by

Melissa Fisk
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
188 views

12.2.2.10 Lab - Extract An Executable From A PCAP

The document describes a lab where the student will analyze a pre-captured packet capture file to extract an executable file. The student is instructed to open the packet capture file in Wireshark, analyze the network traffic, and use Wireshark's export features to retrieve the executable file downloaded during the capture. By following the TCP stream, the student discovers that the file is actually a Windows executable called notepad.exe rather than the malware it was renamed as.

Uploaded by

Melissa Fisk
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 8

Lab – Extract an Executable from a PCAP

Objectives
Part 1: Prepare the Virtual Environment
Part 2: Analyze Pre-Captured Logs and Traffic Captures

Background / Scenario
Looking at logs is very important but it is also important to understand how network transactions happen at the
packet level.
In this lab, you will analyze the traffic in a previously captured pcap file and extract an executable from the file.

Required Resources
• CyberOps Workstation VM
• Internet connection

Part 1: Prepare the Virtual Environment


a. Launch Oracle VirtualBox. Right-click CyberOps Workstion > Settings > Network. Besides Attached To,
select Bridged Adapter, if necessary, and click OK.
b. Log in to the CyberOps Workstation VM (username: analyst / password: cyberops), open a terminal, and
run the configure_as_dhcp.sh script.
[analyst@secOps ~]$ sudo ./lab.support.files/scripts/configure_as_dhcp.sh
[sudo] password for analyst:
[analyst@secOps ~]$

Part 2: Analyze Pre-Captured Logs and Traffic Captures


In Part 2, you will work with the nimda.download.pcap file. Captured in a previous lab,
nimda.download.pcap contains the packets related to the download of the Nimda malware. Your version of
the file, if you created it in the previous lab and did not reimport your CyberOps Workstation VM, is stored in
the /home/analyst directory. However, a copy of that file is also stored in the CyberOps Workstation VM,
under the /home/analyst/lab.support.files/pcaps directory so that you can complete this lab regardless of
whether you completed the previous lab or not. For consistency of output, the lab will use the stored version in
the pcaps directory.
While tcpdump can be used to analyze captured files, Wireshark’s graphical interface makes the task much
easier. It is also important to note that tcpdump and Wireshark share the same file format for packet
captures; therefore, PCAP files created by one tool can be opened by the other.
a. Change directory to the lab.support.files/pcaps folder, and get a listing of files using the ls –l command.
[analyst@secOps ~]$ cd lab.support.files/pcaps
[analyst@secOps pcaps]$ ls -l
total 7460
-rw-r--r-- 1 analyst analyst 3510551 Aug 7 15:25 lab_prep.pcap

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 8 www.netacad.com
Lab – Extract an Executable from a PCAP
-rw-r--r-- 1 analyst analyst 371462 Jun 22 10:47 nimda.download.pcap
-rw-r--r-- 1 analyst analyst 3750153 May 25 11:10 wannacry_download_pcap.pcap
[analyst@secOps pcaps]$
b. Issue the command below to open the nimda.download.pcap file in Wireshark.
[analyst@secOps pcaps]$ wireshark-gtk nimda.download.pcap
c. The nimda.download.pcap file contains the packet capture related to the malware download performed
in a previous lab. The pcap contains all the packets sent and received while tcpdump was running.
Select the fourth packet in the capture and expand the Hypertext Transfer Protocol to display as shown
below.

d. Packets one through three are the TCP handshake. The fourth packet shows the request for the malware
file. Confirming what was already known, the request was done over HTTP, sent as a GET request.
e. Because HTTP runs over TCP, it is possible to use Wireshark’s Follow TCP Stream feature to rebuild
the TCP transaction. Select the first TCP packet in the capture, a SYN packet. Right-click it and choose
Follow TCP Stream.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 8 www.netacad.com
Lab – Extract an Executable from a PCAP

f. Wireshark displays another window containing the details for the entire selected TCP flow.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 8 www.netacad.com
Lab – Extract an Executable from a PCAP

What are all those symbols shown in the Follow TCP Stream window? Are they connection noise? Data?
Explain.
The symbols are the content of the download. Wireshark doesn’t know how to represent binary so it
shows this.
There are a few readable words spread among the symbols. Why are they there?
Strings in the executable code.
Challenge Question: Despite the W32.Nimda.Amm.exe name, this executable is not the famous worm.
For security reasons, this is another executable file that was renamed as W32.Nimda.Amm.exe. Using
the word fragments displayed by Wireshark’s Follow TCP Stream window, can you tell what executable
this really is?
Yes

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 8 www.netacad.com
Lab – Extract an Executable from a PCAP
g. Click Close in the Follow TCP Stream window to return to the Wireshark nimda.download.pcap file.

Part 3: Extract Downloaded Files From PCAPS


Because capture files contain all packets related to traffic, a PCAP of a download can be used to retrieve a
previously downloaded file. Follow the steps below to use Wireshark to retrieve the Nimda malware.
a. In that fourth packet in the nimda.download.pcap file, notice that the HTTP GET request was generated
from 209.165.200.235 to 209.165.202.133. The Info column also shows this is in fact the GET request for
the file.

b. With the GET request packet selected, navigate to File > Export Objects > HTTP, from Wireshark’s
menu.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 8 www.netacad.com
Lab – Extract an Executable from a PCAP

c. Wireshark will display all HTTP objects present in the TCP flow that contains the GET request. In this
case, only the W32.Nimda.Amm.exe file is present in the capture. It will take a few seconds before the
file is displayed.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 8 www.netacad.com
Lab – Extract an Executable from a PCAP

Why is W32.Nimda.Amm.exe the only file in the capture?


The capture was started right before the download and stopped right after. There was no other traffic
while it was capturing that.
d. In the HTTP object list window, select the W32.Nimda.Amm.exe file and click Save As at the bottom of
the screen.
e. Click the left arrow until you see the Home button. Click Home and then click the analyst folder (not the
analyst tab). Save the file there.
f. Return to your terminal window and ensure the file was saved. Change directory to the /home/analyst
folder and list the files in the folder using the ls -l command.
[analyst@secOps pcaps]$ cd /home/analyst
[analyst@secOps ~]$ ls –l

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 8 www.netacad.com
Lab – Extract an Executable from a PCAP

total 364 drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop


drwx------ 3 analyst analyst 4096 May 25 11:16 Downloads drwxr-
xr-x 2 analyst analyst 4096 May 22 08:39 extra drwxr-xr-x 8
analyst analyst 4096 Jun 22 11:38 lab.support.files drwxr-xr-x 2
analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 345088 Jun 22 15:12 W32.Nimda.Amm.exe [analyst@secOps
~]$

Was the file saved? Yes


g. The file command gives information on the file type. Use the file command to learn a little more about the
malware, as show below:
[analyst@secOps ~]$ file W32.Nimda.Amm.exe
W32.Nimda.Amm.exe: PE32+ executable (console) x86-64, for MS Windows [analyst@secOps
~]$

As seen above, W32.Nimda.Amm.exe is indeed a Windows executable file.


In the malware analysis process, what would be a probable next step for a security analyst?

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 8 www.netacad.com

You might also like