
I would like to get the SHA-256 digest of the downloaded files contained in a pcap capture file (files that the user downloaded during the Wireshark packet capture).

This is the pcap I'm using: https://github.com/pan-unit42/wireshark-tutorial-Emotet-traffic/blob/main/Example-1-2021-01-06-Emotet-infection.pcap.zip

At packet 463 (1-indexed, 462 0-indexed) there is an HTTP response with a file attachment:

Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Date: Wed, 06 Jan 2021 16:41:45 GMT\r\n
Server: Apache\r\n
X-Powered-By: PHP/7.3.11\r\n
Cache-Control: no-cache, must-revalidate\r\n
Pragma: no-cache\r\n
Expires: Wed, 06 Jan 2021 16:41:45 GMT\r\n
Content-Disposition: attachment; filename="nDUrg8uFD5hl.dll"\r\n
Content-Transfer-Encoding: binary\r\n
Set-Cookie: 5ff5e84994849=1609951305; expires=Wed, 06-Jan-2021 16:42:45 GMT; Max-Age=60; path=/\r\n
Last-Modified: Wed, 06 Jan 2021 16:41:45 GMT\r\n
Keep-Alive: timeout=6, max=100\r\n
Connection: Keep-Alive\r\n
Transfer-Encoding: chunked\r\n
Content-Type: application/octet-stream\r\n
\r\n
[HTTP response 1/1]
[Time since request: 70.452158000 seconds]
[Request in frame: 45]
[Request URI: http://seo.udaipurkart.com/rx-5700-6hnr7/Sgms/]
HTTP chunked response
File Data: 192000 bytes

I wrote this code to get the file hash, but it does not provide the correct hash, which should be 8e37a82ff94c03a5be3f9dd76b9dfc335a0f70efc0d8fd3dca9ca34dd287de1b

import pyshark
import hashlib

cap = pyshark.FileCapture('capture1.pcap')

# cap[462] is frame 463 (FileCapture is 0-indexed); raw_value is the field content as a hex string
print(hashlib.sha256(cap[462].http.file_data.raw_value.encode()).hexdigest())

Where am I wrong? Which packet.http property should I check to get the downloaded file?

  • What do you mean by this: **file hash but it does not provide the correct hash** – Life is complex Apr 03 '22 at 13:44
  • The digest printed by the program is different from the expected one, which I obtain by hashing the file exported from Wireshark (File -> Export Objects -> HTTP and selecting the file to export, associated with packet 462). – Pietro Lodi Rizzini Apr 03 '22 at 15:54
  • I think this is due to the fact that the data is chunked, but I can't find the proper workaround. – Pietro Lodi Rizzini Apr 03 '22 at 15:58
  • So you are doing 2 separate hashing operations of 2 different data structures, which produce difference hashes. Could you please provide the code for the other hashing operations and a link to the file that you are hashing? – Life is complex Apr 03 '22 at 16:00
  • So I see that the file in question is for a known piece of malware. How are you downloading this file to check the hash? – Life is complex Apr 03 '22 at 16:33
  • I'm following this article: https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/ and I've downloaded the 1st pcap suggested. I haven't produced it myself, and I've seen that the web page from which the file was downloaded does not exist anymore. I am not doing the other hashing operation by code; I'm just exporting the file from Wireshark and hashing it with the sha256sum command in Linux. The hash obtained in this way matches the one I can find in the article, but not the one obtained with Python. – Pietro Lodi Rizzini Apr 03 '22 at 16:59
  • What I'm trying to do is just a script that, given a pcap file, automatically detects whether this malware was downloaded by comparing the hashes of every downloaded file with the target one. – Pietro Lodi Rizzini Apr 03 '22 at 16:59
  • So are you trying to detect the hostile payload (file) in the stream without downloading the file itself? – Life is complex Apr 03 '22 at 18:52
  • Yes, I don't have to download the file because it is already in the pcap capture. – Pietro Lodi Rizzini Apr 03 '22 at 19:03

1 Answer


Solved with the following code:

import hashlib
import pyshark

cap = pyshark.FileCapture('capture1.pcap')

print(hashlib.sha256(
    bytearray.fromhex(cap[462].http.file_data.raw_value)  # unhex the field first, then hash the real bytes
).hexdigest())

which provides the correct file hash.
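As an added example (not code from the question, the answer, or the Unit 42 tutorial), here is the answer's fix generalised into the script the asker describes in the comments: hash every HTTP body in a capture and compare the digests against a target SHA-256. It runs without a pcap or tshark: the sample body and its hex string are constructed stand-ins, `scan_pcap` is the only function that touches pyshark (imported lazily for that reason), and the only real value is the target hash quoted in the question. The core point it demonstrates is that pyshark's `raw_value` is a hex string, so `raw_value.encode()` hashes the ASCII hex text (twice the length of the file) while `bytes.fromhex(raw_value)` recovers the bytes Wireshark would export.

```python
import hashlib
from typing import Iterable, Iterator, List, Set, Tuple

# Reference hash quoted in the question (SHA-256 of the exported nDUrg8uFD5hl.dll).
# Used only as a comparison target; nothing from that file is embedded here.
EMOTET_DLL_SHA256 = "8e37a82ff94c03a5be3f9dd76b9dfc335a0f70efc0d8fd3dca9ca34dd287de1b"


def sha256_of_hex_text(raw_value: str) -> str:
    """The question's mistake: hashes the ASCII hex digits, not the file bytes."""
    return hashlib.sha256(raw_value.encode()).hexdigest()


def sha256_from_raw_value(raw_value: str) -> str:
    """Decode pyshark's hex string back to bytes, then hash the bytes.

    LayerField.raw_value holds the field content as hex text (two characters
    per byte), so it has to be unhexed before hashing.
    """
    return hashlib.sha256(bytes.fromhex(raw_value)).hexdigest()


def iter_http_file_data(packets: Iterable) -> Iterator[Tuple[str, str]]:
    """Yield (frame number, http.file_data hex string) for packets that carry one.

    `packets` is any iterable of pyshark packets, e.g. a pyshark.FileCapture.
    Packets without an HTTP layer or without a reassembled body are skipped
    (pyshark raises AttributeError for missing layers/fields, which getattr absorbs).
    """
    for pkt in packets:
        http = getattr(pkt, "http", None)
        file_data = getattr(http, "file_data", None) if http is not None else None
        if file_data is None:
            continue
        yield str(pkt.number), file_data.raw_value


def find_downloads(items: Iterable[Tuple[str, str]],
                   targets: Set[str]) -> List[Tuple[str, str, bool]]:
    """Hash every HTTP body and flag the ones whose SHA-256 is in `targets`."""
    results = []
    for frame, raw_value in items:
        digest = sha256_from_raw_value(raw_value)
        results.append((frame, digest, digest in targets))
    return results


def scan_pcap(path: str, targets: Set[str]) -> List[Tuple[str, str, bool]]:
    """Run the check over a real capture. Needs pyshark and tshark installed."""
    import pyshark  # local import so the rest of the module works without tshark

    # Only frames that actually carry a reassembled HTTP body are dissected.
    cap = pyshark.FileCapture(path, display_filter="http.file_data")
    try:
        return find_downloads(iter_http_file_data(cap), targets)
    finally:
        cap.close()


# Constructed stand-in for an HTTP body (a fake DOS/PE header prefix). It is NOT
# the DLL from the pcap, just enough bytes to show the hex-vs-bytes difference.
SAMPLE_BODY = bytes.fromhex("4d5a90000300000004000000ffff0000b8000000")
SAMPLE_RAW_VALUE = SAMPLE_BODY.hex()           # what pyshark's raw_value looks like
SAMPLE_BODY_SHA256 = hashlib.sha256(SAMPLE_BODY).hexdigest()  # what sha256sum would print


if __name__ == "__main__":
    print("hex-text hash :", sha256_of_hex_text(SAMPLE_RAW_VALUE))
    print("decoded hash  :", sha256_from_raw_value(SAMPLE_RAW_VALUE))
    print("matches sample:", sha256_from_raw_value(SAMPLE_RAW_VALUE) == SAMPLE_BODY_SHA256)
    # Against the real capture (requires tshark):
    # for frame, digest, hit in scan_pcap("Example-1-2021-01-06-Emotet-infection.pcap",
    #                                     {EMOTET_DLL_SHA256}):
    #     print(frame, digest, "MATCH" if hit else "")
```

Two practical notes. `http.file_data` is the entity body after Wireshark has reassembled the TCP stream and undone the chunked transfer encoding, which is why its decoded bytes hash to the same value as the object exported from the GUI; the chunking in the response headers does not have to be handled by the script. And `bytes.fromhex` is what pyshark's own `binary_value` property on a field does, so `file_data.binary_value` is an equivalent spelling of the fix.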