Searching for a Tool...

(@jhainly)
Posts: 1
New Member
Topic starter
 

I'm looking for a tool to assist in a forensic investigation.

Since some malware can recognize pcap software on a host, and refuse to run because of it, I'd like to create a forensics machine with 2 NICs. I'll connect one NIC to the internet, and the other to the infected host machine. My goal is to let the forensics machine perform a pcap on traffic going between the two NICs, but prevent the forensics machine from having its own IP address. This way, all traffic will be monitored and the malware will not find pcap software on the infected machine.

Is anyone familiar with a tool that has this capability? If not, how can I set this up in my own lab using Wireshark?

 
Posted : 30/06/2015 7:53 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

… I'd like to create a forensics machine with 2 NICs. I'll connect one NIC to the internet, and the other to the infected host machine. My goal is to let the forensics machine perform a pcap on traffic going between the two NICs, but prevent the forensics machine from having its own IP address. This way, all traffic will be monitored and the malware will not find pcap software on the infected machine.

I am not sure to get it.

What you are describing is a router, essentially used as an IPless 😯 gateway. ?

Maybe you want a machine to perform something similar to an "in house" MITM (man in the middle) attack?
I.e. something like ettercap
https://en.wikipedia.org/wiki/Ettercap_(software)
https://ettercap.github.io/ettercap/

http//openmaniak.com/ettercap.php

Before

after

jaclaz

 
Posted : 30/06/2015 11:21 pm
(@athulin)
Posts: 1156
Noble Member
 

I'd like to create a forensics machine with 2 NICs. I'll connect one NIC to the internet, and the other to the infected host machine. My goal is to let the forensics machine perform a pcap on traffic going between the two NICs, but prevent the forensics machine from having its own IP address. This way, all traffic will be monitored and the malware will not find pcap software on the infected machine.

Get a monitoring switch. I have a Netgear ProSafe G5105E, which is small enough to add to an incident bag. It's just like a normal switch, but one of the ports can be configured to aggregate all traffic sent over the other ports – perfect for connecting a sniffer to. The only downside is that the software for configuration runs on Windows only (or at least did so when I checked it out last time).

Or … if you can find an old-style hub, it will do just as well, as they repeated everything on all ports, and didn't interfere with traffic at all.

Unless you run into congestion or packet loss, of course.

 
Posted : 01/07/2015 6:50 pm
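The two-NIC, address-less capture box the topic starter describes can be built in software on a Linux host as a transparent bridge: both NICs are enslaved to a bridge device that never gets an IP address, so the box forwards frames like the hub in the reply above while tcpdump (or Wireshark) captures on the bridge interface. The script below is an added example written for this thread, not code from any poster or product; the interface names eth0/eth1 and the bridge name br0 are assumptions, and it needs root, iproute2 and tcpdump. It only prints the commands unless invoked with --apply, so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): IP-less Linux bridge between two NICs
# for passive forensic capture. Interface names are assumptions.
# Requires root, iproute2 (ip, sysctl) and tcpdump.

# Emit the commands that turn $1 (NIC facing the suspect host) and $2 (NIC
# facing the upstream/internet side) into bridge $3 with no IP address.
bridge_setup_commands() {
    inside="$1"; outside="$2"; br="$3"
    cat <<EOF
ip link add name $br type bridge
ip addr flush dev $inside
ip addr flush dev $outside
ip link set $inside master $br
ip link set $outside master $br
sysctl -q -w net.ipv6.conf.$inside.disable_ipv6=1
sysctl -q -w net.ipv6.conf.$outside.disable_ipv6=1
sysctl -q -w net.ipv6.conf.$br.disable_ipv6=1
ip link set $inside promisc on up
ip link set $outside promisc on up
ip link set $br up
EOF
}
# Disabling IPv6 matters: otherwise the kernel auto-assigns a link-local
# address and the "silent" box would emit router solicitations of its own.

# Emit the capture command; everything crossing the bridge is seen on $1.
capture_command() {
    br="$1"; outfile="$2"
    echo "tcpdump -i $br -nn -s 0 -w $outfile"
}

# Emit the commands that undo the bridge so the NICs return to normal use.
bridge_teardown_commands() {
    inside="$1"; outside="$2"; br="$3"
    cat <<EOF
ip link set $inside nomaster
ip link set $outside nomaster
ip link set $inside promisc off
ip link set $outside promisc off
ip link del $br
EOF
}

# Usage: ./bridgecap.sh --apply eth0 eth1 br0 capture.pcap
# Without --apply it prints the plan and changes nothing.
if [ "${1:-}" = "--apply" ]; then
    shift
    bridge_setup_commands "$1" "$2" "$3" | sh -e
    capture_command "$3" "$4" | sh
elif [ "${1:-}" = "--plan" ]; then
    shift
    bridge_setup_commands "$1" "$2" "$3"
    capture_command "$3" "$4"
fi
```

Two practical notes: the bridge still owns a MAC address and will answer nothing by itself, but any other daemon on the box that binds to the NICs (a DHCP client, mDNS) can leak frames, so run it on a minimal host or disable those services; and, as the reply about hubs says, a software bridge adds latency and can drop frames under load, so check tcpdump's "packets dropped by kernel" counter when the capture ends.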