One of our readers, Gebhard, submitted a pointer to a tool today, released by Talos, that I wasn't familiar with. However, when I realized it could generate packets, I had to try it out. It's called File2pcap. The idea behind the tool is that, instead of having to download a file and capture the traffic in order to write detection content, you let the tool simulate the download and generate the traffic you would have seen. You get a nice pcap at the end. I took a relatively benign phishing PDF (it had a link in it) and used it for my test. The tool doesn't come with any documentation until you compile it and run it. Here are your options:

I ran a few test scenarios with it. One for HTTP and one for SMTP. For the HTTP, I used the following command line and specified a file name:
./file2pcap -mh -p 45678:8443 Wire_transfer_Notification.pdf -o httpout.pcap
It shows you that it's working, versus just returning you to a command prompt:
"Writing to httpout.pcap"
You can see from the packets that it matches the ports I told it to use:
Here is what it looks like when you follow the TCP stream:
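To make concrete what a tool like this has to produce before a detection engine will reassemble the stream, here is an added example (not the diary's content and not Talos' code) that builds the same kind of artifact in pure Python: a pcap containing one complete TCP session in which a client GETs a file and the server returns it as the HTTP body. The sample "PDF" bytes, hosts, MAC addresses, ports and User-Agent string are all constructed for the example. A second function replays Wireshark's "Follow TCP Stream" over the result and refuses packets whose IP or TCP checksums are wrong, since IDS engines are commonly configured to discard segments with bad checksums and a generated pcap with broken checksums would silently produce no alerts.

```python
"""Simulate an HTTP file download as a pcap (file2pcap-style) and follow the stream back.
Added example; constructed sample data, no dependency on file2pcap or scapy."""
import struct

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10
# Constructed stand-in for the phishing document used in the diary.
SAMPLE_FILE = b"%PDF-1.4\n1 0 obj << /URI (http://example.invalid/login) >> endobj\n%%EOF\n"
# pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _frame(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP frame with valid IP and TCP checksums (fixed, made-up MAC addresses)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = _ip(src) + _ip(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, _ip(src), _ip(dst))
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + tcp


def build_http_download_pcap(file_bytes, filename, sport=45678, dport=8443,
                             client="10.0.0.2", server="10.0.0.80", mss=1400,
                             content_type="application/pdf") -> bytes:
    """Return pcap bytes: handshake, GET, 200 response carrying file_bytes in mss-sized segments, teardown."""
    cseq, sseq, pkts = 1000, 2000, []
    c2s = lambda seq, ack, fl, pl=b"": pkts.append(_frame(client, server, sport, dport, seq, ack, fl, pl))
    s2c = lambda seq, ack, fl, pl=b"": pkts.append(_frame(server, client, dport, sport, seq, ack, fl, pl))
    c2s(cseq, 0, SYN); cseq += 1                      # three-way handshake
    s2c(sseq, cseq, SYN | ACK); sseq += 1
    c2s(cseq, sseq, ACK)
    req = f"GET /{filename} HTTP/1.1\r\nHost: {server}\r\nUser-Agent: example-downloader\r\n\r\n".encode()
    c2s(cseq, sseq, PSH | ACK, req); cseq += len(req)  # request
    s2c(sseq, cseq, ACK)
    resp = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\nContent-Length: {len(file_bytes)}\r\n"
            f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n').encode() + file_bytes
    for i in range(0, len(resp), mss):                # response, one ACK per segment
        seg = resp[i:i + mss]
        s2c(sseq, cseq, PSH | ACK, seg); sseq += len(seg)
        c2s(cseq, sseq, ACK)
    s2c(sseq, cseq, FIN | ACK); sseq += 1             # teardown
    c2s(cseq, sseq, FIN | ACK); cseq += 1
    s2c(sseq, cseq, ACK)
    out = bytearray(PCAP_HDR)
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", 1_500_000_000 + i, i * 1000, len(p), len(p)) + p
    return bytes(out)


def follow_tcp_stream(pcap: bytes):
    """Reassemble payload per direction like Wireshark's Follow TCP Stream.
    Returns (packet_count, client_to_server, server_to_client); raises on any bad IP/TCP checksum."""
    off, count, c2s, s2c, client_port = len(PCAP_HDR), 0, b"", b"", None
    while off < len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off, count = off + 16 + incl, count + 1
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + total]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        if _csum(ip) or _csum(pseudo + tcp):
            raise ValueError("bad checksum in packet %d" % count)
        sport = struct.unpack("!H", tcp[:2])[0]
        payload = tcp[(tcp[12] >> 4) * 4:]
        client_port = sport if client_port is None else client_port
        if sport == client_port:
            c2s += payload
        else:
            s2c += payload
    return count, c2s, s2c


if __name__ == "__main__":
    data = build_http_download_pcap(SAMPLE_FILE, "Wire_transfer_Notification.pdf")
    with open("example-http-get.pcap", "wb") as fh:
        fh.write(data)
    print("wrote example-http-get.pcap:", follow_tcp_stream(data)[0], "packets")
```

Open the written file in Wireshark and "Follow TCP Stream" shows the same GET/200 exchange the diary's screenshot does, with the file bytes after the response headers; the sequence and acknowledgement numbers advance by payload length so a stream reassembler (Wireshark, Snort, Suricata) will stitch the segments back into the original file.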
For the SMTP I ran the following command:
./file2pcap -ms Wire_transfer_Notification.pdf -o smptout.pcap
Here is the data from following the TCP stream:
I played with several of the options. You can also run more than one protocol in a single command line (you can't specify an output file name when running multiple modes; it generates the names for you):
./file2pcap -msh Wire_transfer_Notification.pdf
Writing to Wire_transfer_Notification.pdf-smtp.pcap
Writing to Wire_transfer_Notification.pdf-http-get.pcap
This is a very handy tool to have when you need to generate packets quickly to write content for file transfer detection. It's definitely one I'll add to my toolkit!