Downloading Samples From Takendown Domains

Published: 2022-09-25
Last Updated: 2022-09-25 08:01:58 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Sometimes I want to download a sample from a malicious server, but the domain name no longer resolves (it has been taken down).

In that case, I search historical DNS data for the IPv4 address of the server. And then connect to the server via its IPv4 address, like this:

That often fails, because the server is hosting many sites.

In that case, I add a Host header with the domain name:

This works regularly for me, because the domain has been taken down, but the server/file not (yet).

For TLS, we will get an error:

That's because we are using an IPv4 address in stead of a domain name.

In that case, I use option --insecure to ignore certificate errors:

When I download samples, I also use other options to go over a proxy/Tor and to log extra information, like response headers and a trace.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

0 comment(s)

Comments

Diary Archives