Add FOR610 tool/workflow knowledge base and data pipeline
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic).

Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -0,0 +1,89 @@
============================================================
Network Traffic Interception
============================================================

Redirect and analyze malware network traffic in an isolated REMnux environment. Covers DNS, HTTP, HTTPS, and raw IP interception.

Related FOR610 Labs: 1.3, 1.7, 1.8

────────────────────────────────────────────────────────────

Step 1: DNS Interception
Tools: fakedns
Start fakedns to resolve ALL domains to REMnux IP.
Verify: nslookup any-domain.com should return your
REMnux IP.

$ fakedns

Step 2: Service Emulation
Tools: inetsim, fakenet-ng, httpd
Choose emulator based on needed protocols. INetSim:
HTTP, HTTPS, DNS, FTP, SMTP (most complete). FakeNet-
NG: similar but different engine. httpd: simple HTTP
only.

$ inetsim
$ fakenet
$ httpd

Step 3: TLS/HTTPS Interception (if needed)
Tools: mitmproxy, polarproxy
For HTTPS C2: mitmproxy as transparent proxy, or
PolarProxy for TLS decryption. Install proxy CA cert
on analysis machine if needed.

$ mitmproxy
$ PolarProxy -p 443,80 -w captured.pcap

Step 4: Packet Capture
Tools: wireshark, tcpdump
Start capture before executing malware. Filter: not
arp and not broadcast. Save to PCAP for later
analysis.

$ wireshark
$ tcpdump -i eth0 -w capture.pcap

Step 5: Execute & Observe
Run malware on analysis VM. Watch for: DNS queries
(domain names), HTTP requests (URLs, user-agents), raw
TCP connections (IP:port).

Step 6: Traffic Analysis
Tools: wireshark, tshark, ngrep, tcpflow
Follow TCP streams for full request/response. Use
ngrep for pattern search across packets. Use tcpflow
to extract individual streams. Identify beaconing
(regular intervals).

$ wireshark
$ tshark -r capture.pcap
$ ngrep -I <capture.pcap> 'password'
$ tcpflow -r <capture.pcap> -o output/

Step 7: File Extraction
Tools: tcpxtract, networkminer
Carve files from PCAP: downloaded payloads,
exfiltrated data, second-stage malware. NetworkMiner
does this automatically.

$ tcpxtract -f <capture.pcap> -o output/
$ NetworkMiner --pcap <capture.pcap>

Step 8: IP-Based Redirection (if needed)
Tools: iptables
If malware uses hardcoded IPs (no DNS): iptables -t
nat -A PREROUTING -i eth0 -j REDIRECT. This redirects
ALL traffic to local services.

$ iptables -t nat -A PREROUTING -i ens32 -j REDIRECT

Step 9: Document Network IOCs
Record: C2 domains/IPs, URI paths, user-agent strings,
beacon intervals, downloaded file hashes, TLS
certificate details.

────────────────────────────────────────────────────────────
Tip: 'fhelp cheat <tool>' for full examples
'Ctrl+G' for interactive cheatsheet browser
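Review bot: the interface name is inconsistent between the prose and the commands in this file, which matters because readers copy these lines verbatim: Step 8's explanation says `iptables -t nat -A PREROUTING -i eth0 -j REDIRECT`, the command block directly under it uses `-i ens32`, and Step 4's `tcpdump -i eth0 -w capture.pcap` uses eth0 again. Pick one name, or use a placeholder such as `<iface>` to match the `<capture.pcap>` convention already used in Steps 6 and 7. Two smaller points in the same region: Step 4's prose tells the reader to filter on `not arp and not broadcast`, but the tcpdump line captures everything, so either append the filter to the command (`tcpdump -i eth0 -w capture.pcap not arp and not broadcast`) or say it is meant as a display filter in Wireshark; and since the Step 8 rule has no `-p`/`--to-ports`, each connection is redirected to the same port number on the REMnux host, so the sentence "This redirects ALL traffic to local services" should add that a listener (INetSim or FakeNet-NG from Step 2) must already be bound on those ports, otherwise the malware just sees refused connections.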