In recent years, the Internet has experienced a large number of “drive-by” attacks, mostly by exploit kits. Exploit kits are a type of malicious toolkit which exploit security holes, such as insecure or outdated software applications, for the purpose of spreading malware. When a victim visits a website whose server has been compromised, he or she is redirected through various intermediary servers until they land at the server hosting the exploit kit. From there, the exploit kit can gather information from the victim’s system to determine which exploit to use, and then download and execute the malware on the victim’s computer.
The complication for the security researcher is that, in most cases, the lifespan of an exploit kit landing page is only a few hours, making it difficult to analyze the exact method of attack. Even if the researcher is lucky enough to find an ongoing attack, they only have a limited time to explore the server, and most of the time, will only be left with a PCAP file.
CapTipper is a Python tool independently developed by one of our researchers, Omri Herscovici, which is used to analyze, explore and revive HTTP malicious traffic. It provides the security researcher with easy access to the files and understanding of the network flow, and is useful for researching exploits, as well as various pre-conditions, versions, obfuscations, plugins and shellcodes.
CapTipper sets up a web server that acts exactly as the server in the PCAP file, and contains internal tools with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.
CapTipper allows the researcher to analyze the behavior of the attack, even after the original server is already “dead.” He can test the effect on a client’s plugins version, exploit mitigation tools, or get a clearer picture on what exactly would have happened to a victim machine.
When CapTipper is fed a drive-by traffic capture, it displays the request URIs that were sent as well as the meta-data of the responses. The user can then browse to http://127.0.0.1/[URI] and receive the response sent back to the browser.
CapTipper is capable of producing informative HTML reports.
A basic principle in CapTipper’s development is to gather as many useful tools and functions as possible under its umbrella, thereby providing the researcher with more time to spend in actual research. CapTipper v0.2, which introduces many new features, was released at the Black Hat Asia 2015 Arsenal.
CapTipper is open-source.
For further reading and analysis examples, please visit the GitHub project: