Last Updated: 2022-09-25 08:01:58 UTC
by Didier Stevens (Version: 1)
Sometimes I want to download a sample from a malicious server, but the domain name no longer resolves (it has been taken down).
In that case, I search historical DNS data for the IPv4 address of the server. And then connect to the server via its IPv4 address, like this:
That often fails, because the server is hosting many sites.
In that case, I add a Host header with the domain name:
This works regularly for me, because the domain has been taken down, but the server/file not (yet).
For TLS, we will get an error:
That's because we are using an IPv4 address in stead of a domain name.
In that case, I use option --insecure to ignore certificate errors:
When I download samples, I also use other options to go over a proxy/Tor and to log extra information, like response headers and a trace.