SecurityNik / pktIntel

Tool used to perform threat intelligence against packet data

Technical issue on client side #1

Closed passionateIntern closed 3 years ago

passionateIntern commented 3 years ago

Good afternoon, I have used pktintel against multiple known bad PCAPs from the malware traffic analysis website and am getting nothing malicious reported back to me. Also, within the ip_threat_intel and IPv4_session files I am not seeing any IPs downloaded. Here is my output when pktintel is run. Could you please help me out?

[*] Checking your permission ...
[*] Running as Student123 with UID 0
[*] Press CTRL+C to exit
[*] Checking system platform ...
Running on Linux. Good Start!
[*] Looking for backup directory 'pkt_backup' in the current folder
Found backup directory
[*] Looking for config file ...
Config file "./pktIntel.conf" found!
[*] Validating configuration file ...
Main section found!
IP section found!
DOMAIN section found!
URL section found!
Monitored Ports section found ...
Configuration file successfully validated!
[*] Verifying PCAP directory exists in MAIN section...
PCAP directory reported as "/tmp/"
Counting the number of files with .cap, .pcap or .pcapng extension
Number of PCAPs found: 7
[*] Preparing to perform system cleanup
System cleanup completed!
[*] Beginning IP Threat Intelligence ...
Downloading IP blocklist from: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Successfully downloaded IP Threat Intelligence
Downloading IP blocklist from: http://www.malwaredomainlist.com/hostslist/ip.txt
Successfully downloaded IP Threat Intelligence
Downloading IP blocklist from: http://myip.ms/files/blacklist/csf/latest_blacklist.txt
Successfully downloaded IP Threat Intelligence
Downloading IP blocklist from: http://www.spamhaus.org/drop/drop.txt
Successfully downloaded IP Threat Intelligence
Downloading IP blocklist from: https://www.spamhaus.org/drop/edrop.txt
Looks like an issues was encountered. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)
Downloading IP blocklist from: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Successfully downloaded IP Threat Intelligence
Downloading IP blocklist from: http://talosintel.com/feeds/ip-filter.blf
[*] Removing duplicates from the downloaded IPs ...
[*] There are currently [4871] unique suspicious IPs downloaded!
[*] Reading PCAP files ...
Looking for TCP packets where ONLY the SYN flag is set. Also looking at UDP and ICMP packets
By looking at the SYN flag, we are assuming the the 3-way handshake has started
[*] Note I may take a while so work with me on this ...
[*] Comparing downloaded IPs with those in your PCAPs ...
[*] Lucky you! Nothing malicious being reported at this time!
[*] Do try me again soon. I may have one or more interesting IP next time. I promise :-)
[*] Closing the file ./ip_threat_intel_2021-06-12T09-55-53.txt
[*] Closing the file ./IPv4_session_2021-06-12T09-55-53.txt
[*] Closing the file ./IPv6_session_2021-06-12T09-55-53.txt
[*] Completed IP Threat Intelligence Lookup!

passionateIntern commented 3 years ago

I have tried a combination of network traffic generated on my host and also known malicious PCAPs from malware traffic domain analysis dot net. Below are samples that I have used it against.

[*] Reading PCAP: /tmp/2013-12-19-Neutrino-EK-traffic.pcap
[*] Reading PCAP: /tmp/2018-08-24-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap
[*] Reading PCAP: /tmp/securitynik_00001_20210612101220.pcap
[*] Reading PCAP: /tmp/2019-11-12-traffic-analysis-exercise.pcap
[*] Reading PCAP: /tmp/securitynik_00001_20210612094536.pcap
[*] Reading PCAP: /tmp/2018-08-22-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap
[*] Reading PCAP: /tmp/securitynik_00001_20210612103559.pcap
[*] Reading PCAP: /tmp/2021-06-03-part-01-Qakbot-infection-with-Cobalt-Strike.pcap
[*] Reading PCAP: /tmp/2021-02-24-Qakbot-infection-with-spambot-traffic.pcap
[*] Reading PCAP: /tmp/2013-12-19-Neutrino-EK-traffic.pcap
[*] Reading PCAP: /tmp/2018-08-24-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap
[*] Reading PCAP: /tmp/securitynik_00001_20210612101220.pcap
[*] Reading PCAP: /tmp/2019-11-12-traffic-analysis-exercise.pcap
[*] Reading PCAP: /tmp/securitynik_00001_20210612094536.pcap
[*] Reading PCAP: /tmp/2018-08-22-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap
[*] Reading PCAP: /tmp/securitynik_00001_20210612103559.pcap
[*] Reading PCAP: /tmp/2021-06-03-part-01-Qakbot-infection-with-Cobalt-Strike.pcap
[*] Reading PCAP: /tmp/2021-02-24-Qakbot-infection-with-spambot-traffic.pcap
[*] Reading PCAP: /tmp/2013-12-19-Neutrino-EK-traffic.pcap
[*] Reading PCAP: /tmp/2018-08-24-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap
[*] Reading PCAP: /tmp/securitynik_00001_20210612101220.pcap
[*] Reading PCAP: /tmp/2019-11-12-traffic-analysis-exercise.pcap
[*] Reading PCAP: /tmp/securitynik_00001_20210612094536.pcap
[*] Reading PCAP: /tmp/2018-08-22-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap
[*] Reading PCAP: /tmp/securitynik_00001_20210612103559.pcap
[*] Reading PCAP: /tmp/2021-06-03-part-01-Qakbot-infection-with-Cobalt-Strike.pcap
[*] Reading PCAP: /tmp/2021-02-24-Qakbot-infection-with-spambot-traffic.pcap

SecurityNik commented 3 years ago

Hello CrazyIntern. Do remember, the effectiveness of this tool is highly dependent on the sources you are receiving the threat intel data from. With that said, maybe the malicious IPs/Domains/URLs in the PCAPs are not actually on any of the lists.

  1. Locate one or more of the malicious IPs in your PCAP file(s)
     i. Let's say one of those IPs is 10.0.0.1
  2. Modify the "pktIntel.py" file by doing the following:
     i. In the function "def ip_intel_download()" # line 179
        After line 231 add a line "malicious_ips.append('10.0.0.1')"
  3. Run the script again and you should see the "10.0.0.1" being reported as malicious.

Here is me doing the same thing with another IP.

└─# ncat www.securitynik.com 80 --verbose

The above would not report anything malicious as shown by:

└─# ./pktIntel.py --ip
...
[*] Lucky you! Nothing malicious being reported at this time!

I then take the first packet 172.217.165.19 from the connection ...

┌──(root💀securitynik)-[~/Desktop/pktIntel]
└─# tcpdump -nnt -r /tmp/securitynik.pcap -c 1
reading from file /tmp/securitynik.pcap, link-type LINUX_SLL2 (Linux cooked v2)
eth1 Out IP 10.0.3.15.46234 > 172.217.165.19.80: Flags [S], seq 1242642291, win 64240, options [mss 1460,sackOK,TS val 269776336 ecr 0,nop,wscale 7], length 0

... and appended it to the pktIntel.py script at line 232 as following:

└─# cat pktIntel.py -n | grep 232
   232 malicious_ips.append('172.217.165.19')

After appending above, here is what the output looks like ...

[*] Comparing downloaded IPs with those in your PCAPs ...

----- 1 SUSPICIOUS IPs DETECTED ---------
['172.217.165.19']

You can also do what is recommended above with the domains and or URLs.

Good luck and let me know how it goes. Do remember, the effectiveness of this tool is highly dependent on the intelligence fed to it.

P.S. Should I add any new features?
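The following is an added example written for this page; it is not pktIntel's own code. It reproduces, in pure Python with no third-party packages, the two things the maintainer's answer relies on: the packet selection that the tool's output describes (TCP packets with only SYN set, plus all UDP and ICMP) and the "seed a known IP into the list" check used to prove the matching path works before blaming the feeds. The pcap bytes and the feed text are constructed inline; 172.217.165.19 is the address used in the thread above, while 203.0.113.9 and 198.51.100.53 are documentation-range placeholders. The ACK-only packet in the sample also shows the caveat a SYN-only selection carries: a flow whose handshake was not captured never reaches the comparison, even when its peer is on the list.

```python
import struct
import ipaddress

SYN, ACK = 0x02, 0x10


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic pcap file (magic 0xA1B2C3D4, link type 1)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [header]
    for ts, frame in enumerate(frames):
        records.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        records.append(frame)
    return b"".join(records)


def ipv4_frame(src, dst, proto, payload):
    """Ethernet II header + minimal 20-byte IPv4 header (checksum left 0) + payload."""
    eth = bytes(6) + bytes([0x11] * 6) + b"\x08\x00"
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return eth + ip_hdr + payload


def tcp_segment(sport, dport, flags):
    """20-byte TCP header with no options; 'flags' is the raw flag byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 64240, 0, 0)


# Constructed sample capture (assumption: three frames built here for the example).
SAMPLE_PCAP = build_pcap([
    # handshake start to the address the maintainer used in the thread
    ipv4_frame("10.0.3.15", "172.217.165.19", 6, tcp_segment(46234, 80, SYN)),
    # mid-flow ACK to a listed address: the SYN itself was never captured
    ipv4_frame("10.0.3.15", "203.0.113.9", 6, tcp_segment(40001, 443, ACK)),
    # DNS query over UDP to a listed address
    ipv4_frame("10.0.3.15", "198.51.100.53", 17, struct.pack("!HHHH", 5353, 53, 12, 0)),
])

# Constructed feed text using the bare-IP and DROP-style CIDR line formats.
SAMPLE_FEED = """# constructed blocklist for the example
203.0.113.0/24 ; SBL-TEST
198.51.100.53
"""


def parse_blocklist(text):
    """Turn feed text into networks: strip '#'/';' comments and blank lines,
    accept bare IPs and CIDR blocks, skip unparseable lines instead of aborting."""
    nets = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not token:
            continue
        try:
            nets.add(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue
    return nets


def iter_frames(pcap):
    """Yield frames from a little-endian classic pcap; refuse other formats and
    stop cleanly on a truncated final record rather than reading garbage."""
    if len(pcap) < 24 or struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap (magic a1b2c3d4)")
    if struct.unpack("<I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        if off + incl_len > len(pcap):
            break  # truncated record
        yield pcap[off:off + incl_len]
        off += incl_len


def candidate_ips(pcap):
    """Select addresses the way the thread's output describes: both ends of
    TCP packets with only SYN set, and of every UDP and ICMP packet."""
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        if proto == 6:
            tcp = frame[14 + ihl:]
            if len(tcp) < 14 or tcp[13] != SYN:
                continue  # not a pure SYN, so a SYN-only selection skips it
        elif proto not in (1, 17):
            continue
        yield ipaddress.IPv4Address(frame[26:30])
        yield ipaddress.IPv4Address(frame[30:34])


def find_suspicious(pcap, feed_text, seeded=()):
    """Compare candidate addresses with the feed. 'seeded' plays the role of the
    maintainer's malicious_ips.append(...) line: a known address added to prove
    that matching works independently of feed coverage."""
    nets = parse_blocklist(feed_text) | {ipaddress.ip_network(ip) for ip in seeded}
    hits = {str(ip) for ip in candidate_ips(pcap) if any(ip in n for n in nets)}
    return sorted(hits)


if __name__ == "__main__":
    print("feed only:", find_suspicious(SAMPLE_PCAP, SAMPLE_FEED))
    print("feed + seeded:", find_suspicious(SAMPLE_PCAP, SAMPLE_FEED, seeded=["172.217.165.19"]))
```

With the feed alone only 198.51.100.53 is reported: 172.217.165.19 is not listed, and 203.0.113.9 is listed but only ever appears in an ACK, so the SYN-only selection never sees it. Seeding 172.217.165.19 makes it appear immediately, which is exactly the signal the maintainer's step 3 looks for: if a seeded address is reported, the comparison is working and an empty result means the feeds simply did not cover the capture.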

passionateIntern commented 3 years ago

Thank you for being so awesome. I really enjoyed watching your demo on YouTube and learned a lot this morning from you. Ok, I would like to check again tonight and let you know how it goes meanwhile.

If you were to ask me, I would definitely like to see threat intel associated with APT actors. There are a number of APT IOC lists from vendors as public indicators.

Thank you again and looking forward to trying it out!

passionateIntern commented 3 years ago

Thank you!