I recently had to analyze traffic from and to an Android phone that was suspected of having been compromised. I started by capturing all WiFi traffic for a few days on the wireless router. It amounted to a few hundred megabytes stored in a PCAP file. To make sure I captured all traffic, I turned off cellular data, hoping that if malware was present, it would not wait to be on cellular data to communicate.

I decided to list all unique IP addresses that the phone had contacted, and to sort them into expected, suspicious and malicious. To do that, I used tcpdump and a few command line utilities to find all unique IPs. It turns out that even with a brand new phone, with no extra applications installed, the bundled applications alone will contact tens of distinct IP addresses. In my capture, there were hundreds of them.

First try at automated classification

But how to classify IP addresses? Given only an IP address, there are two sources of information that are easy to query: reverse DNS look-ups and the WHOIS registry. Reverse DNS look-ups are controlled by the owner of a given IP block, so they are potentially misleading. I quickly gave it a try and it turned out that all answers were either failing (because no name was associated with the IP, or because the query timed out) or unhelpful. For example, one such captured IP was 172.217.169.165. Reverse DNS tells us it is most likely a Google service. However, as we will discuss later, it was not obvious to me at that time whether that meant it hosted a Google service, or whether it was a server in their customer cloud.

The other source, the WHOIS registry, is a bit more useful. While the quality of this registry depends on how strict the registrar is, I thought I would trust it as a first approximation. So, what is that Naver thing? After a bit of searching, it turned out that this Korean company owns the popular LINE instant messaging application, which is installed on the phone. That makes it possible to whitelist the whole IP block.

I started with a small Python script that would read the PCAP file and a configuration file. The configuration file contains whitelisted blocks, and the script extracts all unique IPs and only prints those that are not whitelisted.
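As an added example (not the author's script), here is a minimal version of that approach in Python: it reads a classic libpcap file directly, collects the unique IPv4 addresses, and prints those that fall outside the whitelisted blocks read from the configuration file. The sample capture and configuration are constructed inline; the phone address 192.168.1.23 and the host 203.0.113.9 are assumed values.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800

def unique_ips(pcap_bytes):
    """Return the set of IPv4 source/destination addresses found in a
    classic (non-pcapng) libpcap capture taken on an Ethernet link."""
    endian = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap_bytes[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic libpcap file")
    off, ips = 24, set()                                  # 24-byte global header
    while off + 16 <= len(pcap_bytes):                    # 16-byte record header
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                                      # skip non-IPv4 frames
        ips.add(str(ipaddress.IPv4Address(frame[26:30])))  # IPv4 source
        ips.add(str(ipaddress.IPv4Address(frame[30:34])))  # IPv4 destination
    return ips

def load_whitelist(text):
    """Parse the config file: one CIDR block per line, '#' starts a comment."""
    blocks = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            blocks.append(ipaddress.ip_network(line, strict=False))
    return blocks

def not_whitelisted(ips, blocks):
    """Sorted list of addresses not covered by any whitelisted block."""
    return sorted(ip for ip in ips
                  if not any(ipaddress.ip_address(ip) in b for b in blocks))

def _frame(src, dst):
    # Constructed sample: Ethernet header + minimal IPv4 header, no payload.
    ip_hdr = (bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 17, 0)
              + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed)
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

PHONE = "192.168.1.23"                                    # assumed phone address
SAMPLE_PCAP = _pcap([_frame(PHONE, "172.217.169.165"), _frame("172.217.169.165", PHONE),
                     _frame(PHONE, "203.0.113.9")])       # constructed capture
SAMPLE_CONFIG = "192.168.1.0/24  # the home LAN\n172.217.0.0/16  # Google block\n"

if __name__ == "__main__":
    for ip in not_whitelisted(unique_ips(SAMPLE_PCAP), load_whitelist(SAMPLE_CONFIG)):
        print(ip)                                         # prints 203.0.113.9
```

Replace SAMPLE_PCAP with the bytes of a real capture file (`open(path, "rb").read()`) and SAMPLE_CONFIG with the contents of the configuration file to run it against actual traffic.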