Downloading Samples From Takendown Domains

Published: 2022-09-25. Last Updated: 2022-09-25 08:01:58 UTC
by Didier Stevens (Version: 1)
4 comment(s)

Sometimes I want to download a sample from a malicious server, but the domain name no longer resolves (it has been taken down).

In that case, I search historical DNS data for the IPv4 address of the server. And then connect to the server via its IPv4 address, like this:

That often fails, because the server is hosting many sites.

In that case, I add a Host header with the domain name:

This works regularly for me, because the domain has been taken down, but the server and the file have not (yet).

For TLS, we will get an error:

That's because we are using an IPv4 address instead of a domain name, so the certificate does not match.

In that case, I use option --insecure to ignore certificate errors:

When I download samples, I also use other options to go over a proxy/Tor and to log extra information, like response headers and a trace.
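As an added example (not the diary's own commands, which were shown as screenshots), here is a POSIX shell function that assembles the curl invocation described above: IPv4 address in the URL plus a Host header, --insecure for HTTPS, and the header dump, trace and SOCKS proxy options mentioned at the end; it also offers the --resolve variant suggested in the comments. The /sample.bin path and output file names are constructed placeholders, as are example.com and 93.184.216.34 (taken from the comments below).

```shell
#!/bin/sh
# Assemble (but do not run) a curl command for fetching a sample from a
# server whose domain no longer resolves. Two strategies:
#   hostheader : connect to the IPv4 address, send the original domain in a
#                Host header and, for https, accept the certificate mismatch
#                with --insecure (the approach in this diary entry).
#   resolve    : keep the domain in the URL but pin it to the IPv4 address
#                with --resolve, so SNI and the certificate still match
#                (the approach suggested in the comments).
# The command is printed so it can be reviewed before it is executed.
# example.com / 93.184.216.34 and /sample.bin are placeholder values.
build_fetch_cmd() {
    mode=$1 scheme=$2 domain=$3 ip=$4 path=$5 out=$6
    port=80
    [ "$scheme" = https ] && port=443
    # always keep the response headers and a trace next to the sample
    cmd="curl --max-time 60 -D $out.headers --trace-ascii $out.trace -o $out"
    case $mode in
        hostheader)
            cmd="$cmd -H 'Host: $domain'"
            [ "$scheme" = https ] && cmd="$cmd --insecure"
            cmd="$cmd '$scheme://$ip$path'"
            ;;
        resolve)
            cmd="$cmd --resolve $domain:$port:$ip '$scheme://$domain$path'"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
    # optional SOCKS proxy such as Tor, e.g. SOCKS5_PROXY=127.0.0.1:9050;
    # in hostheader mode the URL already carries the IP, so the proxy has
    # nothing to resolve
    [ -n "${SOCKS5_PROXY:-}" ] && cmd="$cmd --socks5-hostname $SOCKS5_PROXY"
    printf '%s\n' "$cmd"
}

# usage: print the command for the hostheader strategy over HTTPS
build_fetch_cmd hostheader https example.com 93.184.216.34 /sample.bin sample.bin
```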


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Comments

The more modern way to work around DNS issues with curl is to use --resolve instead of -H Host:... , e.g.

curl --resolve example.com:443:93.184.216.34 https://example.com.
Why not add the malware domain name to the local hosts file ? Then everything will work.
Because that doesn't work for some of my use cases. Like when I use option --socks5-hostname. (Well, thinking about this, I should actually test this).

At the BruCON conference last week, someone pointed me to this:
https://everything.curl.dev/usingcurl/connections/name

That blog post mentions editing the host file, like you suggest.
Adding a Host header, what I talked about in this diary entry, is another topic.
And then there's a solution mentioned in that blog post, that I didn't know about: the resolve option.
I'll write about this in an upcoming diary entry.
[quote=comment#44600]The more modern way to work around DNS issues with curl is to use --resolve instead of -H Host:... , e.g.

curl --resolve example.com:443:93.184.216.34 https://example.com.[/quote]

Thanks for this info.
There have been issues with comments since the new ISC site was deployed, and I didn't see your comment until today. Hence my other reply and blog post, without crediting you. Sorry.
