PAS-21: Correlate Encrypted Traffic against DNS to obtain hostname

Issue Information

Issue Type: New Feature
Priority: Major
Status: Open

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Unresolved
Affects Version: 0.1,
Target version: 0.2,

Created: 2015-11-27 13:26:35
Time Spent Working
60 minutes
60 minutes
0 minutes

This, primarily will benefit TLS connections to mailservers (as most HTTPS clients use SNI).

Currently, for a connection to a mail server, we might have the following in webtraffic.csv
1447859681.050708000                    39540   993     ""                                              ""      ...snip...

We can see, at a glance, that it's probably IMAP over SSL, but still don't have much information on what mailserver is being connected to. We know the IP, so can go off and look it up, but that's potentially a lot of work for a big capture

PAS-13 will be generating a DNS equivalent of webtraffic.csv, so once that information is available, it'd be helpful if we could look for queries (around the time of the connection above) which resulted in that address being returned.

Assuming we find something, the FQDN column can be updated to show who the user probably thought they were connecting to.

We should probably add an additional column to webtraffic.csv though, to indicate where the FQDN was obtained from:

- Host Header
- DNS traffic search

Especially for mail traffic, the last if perhaps less accurate where a mailserver handles multiple domains. You could feasibly, perform a lookup for "" and then tell your script to talk to that mailserver as if it was ""

Issue Links

Toggle State Changes