In this episode of SecuraTip we take a look at SpiderFoot v2 (http://www.spiderfoot.net/) by Steve Micallef. SpiderFoot is an Open Source Footprinting tool that runs on both Linux and Windows.
In this episode of SecuraTip, we demo the use of tekCollect. tekCollect is a Python tool written by @TekDefense, which is useful for scraping data (IP addresses, MD5 hashes, SSNs, emails, etc.) from URLs and files. This episode highlights several use cases for the tool, while also exploring advanced features such as custom regex scrapes. To download tekCollect go to: http://www.tekdefense.com/tekcollect/
Noriben, which acts as an intelligent wrapper for procmon, will monitor process activity for files, services, registry, and network activity. This awesome tool takes things a step further by filtering out noise so that the analyst can focus on the details that matter!
In the first episode of SecuraTip, I showed viewers how to extract files from pcaps using a very manual method, and using an automated method with NetworkMiner. The purpose of this was to show the drastic difference between the two methods.
As Doug Burks and CIDSecurity mentioned on Twitter and YouTube, there is an easier method for pulling files out of pcaps using Wireshark versus the manual process I showed. Though there is a major limitation that I will speak more of at the end.
Wireshark HTTP object export options
1. Open the pcap with Wireshark.
2. Choose File –> Export Objects –> HTTP
*While I chose HTTP for this, you may need to choose a different option like SMB to correspond with the type of traffic you are dealing with.
3. You will now be presented a list of files that you can save out directly from the HTTP sessions.
4. Simply press Save As and you now have the file.
Now, as you can tell if you have watched the SecuraTip episode, there are some limitations here. For instance, we do not see the files 1.txt and 2.txt that we saw when looking at the PCAP with NetworkMiner. The reason for this is that Wireshark is just pulling files from HTTP sessions. 1.txt and 2.txt were in the same pcap but were transferred via FTP instead of HTTP. As far as I know there is no automated way to pull FTP-transferred files directly in Wireshark. Please correct me if I am wrong there. NetworkMiner doesn't care what protocol or service was used; if the file was transferred in the clear, then it will try to extract it.
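To show what "transferred in the clear, so carve it regardless of protocol" actually boils down to, here is a small added example (my own code, not part of the original post and not NetworkMiner's or Wireshark's implementation). It reads a classic libpcap file, reassembles every one-directional TCP stream by sequence number (handling the out-of-order and retransmitted segments you get in real captures), and returns the payload of each stream, so an FTP data-channel transfer on port 20 comes out as the raw file just as an HTTP request does. The capture it runs on is constructed inline, with made-up addresses 10.0.0.5 and 10.0.0.9, so it runs offline. Caveats it does not cover: pcapng files, passive-mode FTP (where the data port is negotiated on the control channel and would have to be parsed from the PASV/PORT replies), and HTTP streams still include their headers, which Wireshark's export strips for you.

```python
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa


def iter_frames(pcap: bytes):
    """Yield the captured bytes of each record in a classic libpcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + caplen]
        off += caplen


def parse_tcp(frame: bytes):
    """Return (flow, seq, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total, = struct.unpack_from("!H", frame, 16)
    ip = frame[14:14 + total]
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset field)
    return (src, sport, dst, dport), seq, payload


def carve_streams(pcap: bytes, only_port=None) -> dict:
    """Reassemble every one-directional TCP stream, keyed 'src:sport->dst:dport'.

    Sorting by sequence number handles out-of-order delivery; duplicate or
    overlapping segments (retransmissions) are trimmed; a hole in the capture is
    zero-padded so later bytes keep their offsets (a real tool would flag it).
    """
    segments = defaultdict(list)
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed and parsed[2]:  # ignore pure ACKs / handshake segments
            flow, seq, payload = parsed
            segments[flow].append((seq, payload))
    streams = {}
    for (src, sport, dst, dport), parts in segments.items():
        if only_port is not None and only_port not in (sport, dport):
            continue
        parts.sort(key=lambda p: p[0])
        data, nxt = bytearray(), parts[0][0]
        for seq, payload in parts:
            end = seq + len(payload)
            if end <= nxt:
                continue                       # pure retransmission, nothing new
            if seq < nxt:
                payload = payload[nxt - seq:]  # partial overlap with what we have
            elif seq > nxt:
                data += b"\x00" * (seq - nxt)  # missing segment: pad the hole
            data += payload
            nxt = end
        streams[f"{inet_ntoa(src)}:{sport}->{inet_ntoa(dst)}:{dport}"] = bytes(data)
    return streams


def build_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame; checksums are left at 0 since the carver ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def sample_pcap() -> bytes:
    """Constructed capture: an HTTP request plus a file sent over active-mode FTP data (port 20)."""
    srv, cli = inet_aton("10.0.0.5"), inet_aton("10.0.0.9")
    file_bytes = b"this is 1.txt, sent over FTP in the clear\n"
    first, rest = file_bytes[:16], file_bytes[16:]
    frames = [
        build_frame(cli, srv, 40001, 80, 1, b"GET /1.txt HTTP/1.0\r\n\r\n"),
        build_frame(srv, cli, 20, 40002, 1000 + len(first), rest),  # second half arrives first
        build_frame(srv, cli, 20, 40002, 1000, first),
        build_frame(srv, cli, 20, 40002, 1000, first),              # retransmission
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    for name, content in carve_streams(sample_pcap()).items():
        print(name, content)
```

Point it at a real capture with `carve_streams(open("capture.pcap", "rb").read(), only_port=20)` and each active-mode FTP data transfer comes back as one byte string you can write straight to disk; the same call without `only_port` gives you every clear-text TCP stream, which is the behaviour described above for NetworkMiner.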
As we all know, there are many ways to attack any problem in IT. Do you have a different technique other than what is described here or in the video? Let us know.
In the first episode of SecuraTip we learn how to extract files from a pcap using NetworkMiner.
Additionally this episode also shows some of the other features of NetworkMiner, and the manual process of carving files from a pcap using Wireshark.
We’ve included both YouTube and MP4 formats.
Thanks to @TekDefense