docker_file_analysis/data/generated/workflows/network-interception-workflow.txt
tobias f3ccc09c3d Add FOR610 tool/workflow knowledge base and data pipeline
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00


============================================================
Network Traffic Interception
============================================================
Redirect and analyze malware network traffic in an isolated REMnux environment. Covers DNS, HTTP, HTTPS, and raw IP interception.
Related FOR610 Labs: 1.3, 1.7, 1.8
────────────────────────────────────────────────────────────
Step 1: DNS Interception
Tools: fakedns
Start fakedns so that ALL domains resolve to the REMnux
IP. The analysis VM must use REMnux as its DNS server
(set it statically or via your lab DHCP), otherwise the
queries never reach fakedns. Verify from the analysis
VM: nslookup any-domain.com should return your REMnux
IP.
$ fakedns
Step 2: Service Emulation
Tools: inetsim, fakenet-ng, httpd
Choose emulator based on needed protocols. INetSim:
HTTP, HTTPS, DNS, FTP, SMTP and more (most complete).
FakeNet-NG: similar coverage, different engine (its own
traffic diverter plus protocol listeners). httpd:
simple HTTP only. All bind privileged ports, so run
them as root (sudo). Only one process can own UDP/53:
if INetSim's DNS service is enabled, do not also run
fakedns.
$ inetsim
$ fakenet
$ httpd
Step 3: TLS/HTTPS Interception (if needed)
Tools: mitmproxy, polarproxy
For HTTPS C2: mitmproxy in transparent mode, or
PolarProxy for TLS decryption into a plaintext PCAP.
Either way the analysis VM must trust the proxy's CA
(mitmproxy: ~/.mitmproxy/mitmproxy-ca-cert.pem) or the
malware's TLS handshake fails; samples that pin their
certificate refuse the connection regardless, which is
itself worth recording.
$ mitmproxy --mode transparent
$ PolarProxy -p 443,80 -w captured.pcap
Step 4: Packet Capture
Tools: wireshark, tcpdump
Start capture before executing malware, on the REMnux
interface facing the analysis VM (the same one used in
Step 8; replace ens32 with yours). Capture filter: not
arp and not broadcast. Save to PCAP for later
analysis; tcpdump needs root.
$ wireshark
$ sudo tcpdump -i ens32 -w capture.pcap 'not arp and not broadcast'
Step 5: Execute & Observe
Run malware on analysis VM. Watch for: DNS queries
(domain names), HTTP requests (URLs, user-agents), raw
TCP connections (IP:port).
Step 6: Traffic Analysis
Tools: wireshark, tshark, ngrep, tcpflow
Follow TCP streams for full request/response. Use
ngrep for pattern search across packets. Use tcpflow
to extract individual streams. Identify beaconing
(regular intervals).
$ wireshark
$ tshark -r capture.pcap
$ ngrep -I <capture.pcap> 'password'
$ tcpflow -r <capture.pcap> -o output/
Step 7: File Extraction
Tools: tcpxtract, networkminer
Carve files from PCAP: downloaded payloads,
exfiltrated data, second-stage malware. NetworkMiner
does this automatically.
$ tcpxtract -f <capture.pcap> -o output/
$ NetworkMiner --pcap <capture.pcap>
Step 8: IP-Based Redirection (if needed)
Tools: iptables
If malware uses hardcoded IPs (no DNS): an iptables
REDIRECT rule in the nat PREROUTING chain sends every
packet arriving on the victim-facing interface to the
REMnux host itself, keeping the original destination
port, so a listener (INetSim/FakeNet-NG) must exist on
that port. It only catches traffic that reaches REMnux,
so the analysis VM must use REMnux as its default
gateway. To fold a port onto a different local
listener, add a more specific rule before the
catch-all, e.g. -p tcp --dport 443 -j REDIRECT
--to-ports 8080 for mitmproxy's transparent mode
(PREROUTING is first-match, so order matters).
Replace ens32 with your interface; verify with
iptables -t nat -L PREROUTING -n -v and flush with
iptables -t nat -F PREROUTING when done.
$ sudo iptables -t nat -A PREROUTING -i ens32 -j REDIRECT
Step 9: Document Network IOCs
Record: C2 domains/IPs, URI paths, user-agent strings,
beacon intervals, downloaded file hashes, TLS
certificate details.
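The analysis in Step 6 (spotting beaconing) and the IOC record in Step 9 are usually done against a field export rather than by scrolling Wireshark. The script below is an added example, not FOR610 or REMnux code: it parses a tab-separated tshark export into a structured IOC list and flags destinations contacted at regular intervals. It assumes the PCAP was exported with the tshark invocation shown in its docstring (the -e order defines the columns), and the embedded sample export is constructed, not a real capture.

```python
"""Turn a tshark field export into network IOCs and beacon candidates.

Added example for the workflow above; not REMnux or FOR610 code. It assumes
the PCAP was exported with this tshark invocation, whose -e order defines
the columns in COLUMNS (add -E occurrence=f if a frame can carry several
values of one field, otherwise tshark joins them with commas):

  tshark -r capture.pcap -T fields -E separator=/t \
    -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport \
    -e dns.qry.name -e http.host -e http.request.uri -e http.user_agent \
    -e tls.handshake.extensions_server_name > fields.tsv
"""
from collections import defaultdict
from statistics import mean, pstdev

COLUMNS = ["ts", "src", "dst", "dport", "dns_qry",
           "http_host", "http_uri", "http_ua", "tls_sni"]

# Constructed sample export, not a real capture. Analysis VM 10.0.0.5,
# REMnux 10.0.0.2 answering all DNS (fakedns) and serving HTTP (INetSim).
SAMPLE_TSV = (
    "1700000000.000\t10.0.0.5\t10.0.0.2\t\tupdate-cdn.example\t\t\t\t\n"
    "1700000000.100\t10.0.0.5\t10.0.0.2\t80\t\tupdate-cdn.example\t/gate.php?id=1\tMozilla/4.0 (compatible; MSIE 6.0)\t\n"
    "1700000060.200\t10.0.0.5\t10.0.0.2\t80\t\tupdate-cdn.example\t/gate.php?id=1\tMozilla/4.0 (compatible; MSIE 6.0)\t\n"
    "1700000119.900\t10.0.0.5\t10.0.0.2\t80\t\tupdate-cdn.example\t/gate.php?id=1\tMozilla/4.0 (compatible; MSIE 6.0)\t\n"
    "1700000180.300\t10.0.0.5\t10.0.0.2\t80\t\tupdate-cdn.example\t/gate.php?id=1\tMozilla/4.0 (compatible; MSIE 6.0)\t\n"
    "1700000005.000\t10.0.0.5\t203.0.113.7\t443\t\t\t\t\tsecure.example\n"
    "1700000300.000\t10.0.0.5\t203.0.113.7\t443\t\t\t\t\tsecure.example\n"
)


def parse_export(text):
    """Parse tab-separated tshark output into dicts keyed by COLUMNS.

    tshark prints every separator even when a field is empty; lines are
    still padded so a hand-trimmed export does not raise."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(COLUMNS) - len(parts))
        rec = dict(zip(COLUMNS, parts))
        rec["ts"] = float(rec["ts"])
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        records.append(rec)
    return records


def extract_iocs(records):
    """Collect the Step 9 indicators: queried domains, HTTP host/URI/UA
    triples, TLS SNI names and contacted IP:port pairs, each deduplicated."""
    iocs = {"dns": set(), "http": set(), "tls_sni": set(), "endpoints": set()}
    for r in records:
        if r["dns_qry"]:
            iocs["dns"].add(r["dns_qry"])
        if r["http_host"] or r["http_uri"]:
            iocs["http"].add((r["http_host"], r["http_uri"], r["http_ua"]))
        if r["tls_sni"]:
            iocs["tls_sni"].add(r["tls_sni"])
        if r["dport"] is not None:
            iocs["endpoints"].add((r["dst"], r["dport"]))
    return {k: sorted(v) for k, v in iocs.items()}


def beacon_candidates(records, min_events=3, max_jitter=0.2):
    """Flag destinations contacted at regular intervals.

    Groups TCP events by (dst, dport), takes the inter-arrival deltas and
    reports a period when the coefficient of variation (pstdev/mean) is at
    most max_jitter. Returns {(dst, dport): (period_seconds, jitter_ratio)}."""
    by_dest = defaultdict(list)
    for r in records:
        if r["dport"] is not None:
            by_dest[(r["dst"], r["dport"])].append(r["ts"])
    found = {}
    for dest, stamps in by_dest.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(deltas)
        jitter = pstdev(deltas) / period if period > 0 else float("inf")
        if jitter <= max_jitter:
            found[dest] = (period, jitter)
    return found


if __name__ == "__main__":
    recs = parse_export(SAMPLE_TSV)
    for name, values in extract_iocs(recs).items():
        print(name, values)
    for (dst, port), (period, jitter) in beacon_candidates(recs).items():
        print(f"beacon: {dst}:{port} every ~{period:.0f}s (jitter {jitter:.1%})")
```

On the sample the HTTP GETs to the REMnux listener come out as a ~60 s beacon with under 1% jitter, while the two TLS connections fall below min_events and are reported only as an endpoint and SNI. Replace SAMPLE_TSV with open("fields.tsv").read() to run it against a real export; the jitter threshold is deliberately loose because many families randomise their sleep by a fixed percentage.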
────────────────────────────────────────────────────────────
Tip: 'fhelp cheat <tool>' for full examples
'Ctrl+G' for interactive cheatsheet browser