Downloading Samples From Takendown Domains
Sometimes I want to download a sample from a malicious server, but the domain name no longer resolves (it has been taken down).
In that case, I search historical DNS data for the IPv4 address of the server. And then connect to the server via its IPv4 address, like this:
That often fails, because the server is hosting many sites.
In that case, I add a Host header with the domain name:
This works regularly for me, because the domain has been taken down, but the server/file not (yet).
For TLS, we will get an error:
That's because we are using an IPv4 address in stead of a domain name.
In that case, I use option --insecure to ignore certificate errors:
When I download samples, I also use other options to go over a proxy/Tor and to log extra information, like response headers and a trace.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
Comments
curl --resolve example.com:443:93.184.216.34 https://example.com.
Anonymous
Sep 26th 2022
2 years ago
Anonymous
Oct 3rd 2022
2 years ago
At the BruCON conference last week, someone pointed me to this:
https://everything.curl.dev/usingcurl/connections/name
That blog post mentions editing the host file, like you suggest.
Adding a Host header, what I talked about in this diary entry, is another topic.
And then there's a solution mentioned in that blog post, that I didn't know about: the resolve option.
I'll write about this in an upcoming diary entry.
Anonymous
Oct 4th 2022
2 years ago
curl --resolve example.com:443:93.184.216.34 https://example.com.[/quote]
Thanks for this info.
There have been issues with comments since the new ISC site was deployed, and I didn't see your comment until today. Hence my other reply and blog post, without crediting you. Sorry.
Anonymous
Oct 22nd 2022
1 year ago