Installation and simple use of jsunpack-n


Overview

As the name suggests, jsunpack-n is a JavaScript-related tool framework: it is used to unpack and parse JavaScript scripts, typically those found in web pages or in network captures. The main functions of jsunpack-n are as follows:

    • TCP stream reassembly
    • HTTP protocol parsing
    • Extraction of executables (-e command-line option)
    • Extraction of all files (-s command-line option)
    • Automatic decompression of gzip traffic
    • Reassembly and normalization of chunked HTTP traffic
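
The last three items above are the HTTP normalization that a pcap-based analyzer has to do before it can hand a response body to a JavaScript unpacker. The following is an added example, not code from jsunpack-n or from this article, showing that normalization in Python 3 (the lab environment uses Python 2.6.6; gzip.decompress and bytes formatting here need Python 3.5 or later). It parses a constructed HTTP/1.1 response whose body is gzip-compressed and sent with chunked transfer encoding, removes the chunking and decompresses the body to recover the HTML. The function names and the sample page are my own.

```python
import gzip
import io

# Constructed sample page: a small HTML document carrying a script tag,
# the kind of content jsunpack-n extracts from a capture.
PAGE = b"<html><body><script>document.write('hi');</script></body></html>"


def build_sample_response(page=PAGE):
    """Build a constructed HTTP/1.1 response: gzip body, sent in two chunks."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        gz.write(page)
    payload = buf.getvalue()
    half = len(payload) // 2
    chunks = [payload[:half], payload[half:]]
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    head = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"\r\n")
    return head + body


def split_headers(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def dechunk(body):
    """Reassemble a chunked transfer-encoded body into a single byte string."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        # A chunk-size line may carry ';ext=value' extensions; ignore them.
        size = int(body[pos:end].split(b";")[0].strip(), 16)
        pos = end + 2
        if size == 0:
            return bytes(out)          # last chunk; trailers (if any) are ignored
        if len(body) < pos + size + 2:
            raise ValueError("truncated chunk data")
        out += body[pos:pos + size]
        pos += size + 2                # skip the chunk data and its trailing CRLF


def normalize_response(raw):
    """Return (status, headers, body) with chunking removed and gzip undone."""
    status, headers, body = split_headers(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return status, headers, body


if __name__ == "__main__":
    status, headers, body = normalize_response(build_sample_response())
    print(status, headers["content-type"], len(body), "bytes")
    print(body.decode())
```

Run the file directly to print the recovered status line and page. Chunk boundaries are taken from the size lines rather than by searching for CRLF inside the data, which matters for binary (gzip) payloads that can contain CRLF bytes; a truncated capture raises ValueError instead of silently yielding a shortened body.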


Copyright notice: this article's link is http://blog.csdn.net/lemon_tree12138/article/details/50674588 (coding-naga). Please indicate the source when reprinting.


Lab Environment:

Linux-related

    • CentOS 6.5
    • Python 2.6.6
    • w3m
    • TCPDump

Windows-related

    • Windows 7
    • WireShark

Experiment references:

    • Malware Analyst's Cookbook, recipe 6-13: Extracting HTTP files from a packet capture with Jsunpack
    • https://www.aldeid.com/wiki/Jsunpackn

Environment Installation:

1. Download the jsunpack-n source code from GitHub: https://github.com/urule99/jsunpack-n

2. Unpack it locally.

3. Use the WinSCP transfer tool to upload the unpacked source files from the local machine to the remote CentOS environment.

4. Go to the source root directory and open the INSTALL file with a text editor.

5. Install the dependencies listed in the INSTALL file.

6. If the pynids installation fails, check that libnids was installed successfully. libnids must be compiled with the shared-library option enabled.

7. If libnids was compiled with the shared option and pynids still cannot be installed, delete the .so files under the libnids source directory and reinstall pynids.

Steps to use:

1. Test with the samples shipped in the source tree.
The ./samples/ directory under the source root contains some files for testing.

2. Run the following command to test:
python jsunpackn.py ./samples/pdf.pcap -s -j -v

3. The above test yields 3 files, which are placed in the ./temp/files/ directory. Check the properties of these files as follows:

4. Copy the HTML file above to the local machine, rename it with an .html suffix and open it in a browser, as shown below:

Note: this screenshot is enlarged; for the actual effect, please experiment yourself.

5. Copy the PDF file above to the local machine, rename it with a .pdf suffix and open it with Adobe Reader. Adobe Reader opens and then quits automatically after a few seconds.

6. Now try fetching a web page by URL, using the following command:

python jsunpackn.py -u www.sina.com

7. Check this file's properties:

8. Copy this file to the local machine, rename it with a .gzip suffix, open it with a compression tool and save the file it contains, as follows:

9. The previous step yields a file with no suffix; opening it in Notepad++ shows content similar to an HTML file. After extracting it, rename it with an .html suffix.

10. Open the HTML file above with Chrome. It shows the Sina homepage, as follows:

Note: the blank areas are there because only part of the web content was captured.

Verification steps:

The steps above have roughly covered how to use jsunpack-n. Now we verify it against traffic from some real network activity. The verification is divided into two parts: Linux-based and Windows-based.

Linux-based network environment

a) Install the tcpdump packet-capture tool.

b) Use tcpdump to capture network traffic. The command is as follows: tcpdump -i eth0 -w sina.pcap
Note: make sure the network interface named in the command is the correct one. When the system has more than one network interface, it is not certain which interface the traffic goes through; the simplest approach is to disable all interfaces except eth0.

c) Install the w3m text-mode web browser.

d) Use w3m to access the Sina homepage. The command is as follows: w3m www.sina.com

e) Use jsunpack-n to parse the packets captured by tcpdump:
python jsunpackn.py ~/temp/sina.pcap -s -j -v

Only part of the results is shown here; for the full results, please experiment yourself.

f) Use wget to download an image from the network. The command is as follows:
wget http://img.adbox.sina.com.cn/pic/3932012482-1450747748396.jpg

g) Use jsunpack-n to parse the packets tcpdump captured during the download:
python jsunpackn.py ~/temp/wget-image.pcap -s -j -v

h) Checking the properties of one of the extracted files shows that it is a JPEG file, as follows:

i) Copy this file to a local directory and rename it with a .jpeg suffix; it opens as an image file.
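
Steps 3, 7 and h) above check the "properties" of the extracted files and then rename them by hand, because jsunpack-n writes them without a suffix. The following added example (not part of this article or of jsunpack-n; Python 3, with function names and sample contents that I constructed) identifies each file by its leading magic bytes instead, unwraps a gzip member to classify what is inside, as steps 8 and 9 do by hand, and suggests the suffix to use. scan_directory applies the same check to a whole directory such as ./temp/files/.

```python
import gzip
import os
import zlib

# (magic bytes, kind, suggested suffix) for the file types met in this
# tutorial, plus PE executables, which the -e option extracts.
MAGIC = [
    (b"%PDF-", "pdf", "pdf"),
    (b"\xff\xd8\xff", "jpeg", "jpg"),
    (b"\x1f\x8b\x08", "gzip", "gz"),
    (b"\x89PNG\r\n\x1a\n", "png", "png"),
    (b"GIF8", "gif", "gif"),
    (b"MZ", "pe-executable", "exe"),
]


def sniff(data):
    """Classify data by its leading bytes; fall back to a loose HTML check."""
    for magic, kind, suffix in MAGIC:
        if data.startswith(magic):
            return kind, suffix
    head = data[:1024].lstrip().lower()
    if head.startswith(b"<!doctype html") or b"<html" in head or b"<script" in head:
        return "html", "html"
    return "unknown", "bin"


def describe(data):
    """Return (kind, suffix, payload); a gzip member is unwrapped and
    classified by its contents, so the suffix refers to the inner file."""
    kind, suffix = sniff(data)
    if kind == "gzip":
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            return "gzip-corrupt", "gz", data   # truncated or damaged capture
        kind, suffix = sniff(inner)
        return kind, suffix, inner
    return kind, suffix, data


def scan_directory(path):
    """Classify every regular file under path (e.g. jsunpack-n's ./temp/files/)."""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                kind, suffix, _ = describe(fh.read())
            report[name] = (kind, suffix)
    return report


# Constructed samples standing in for extracted files; not taken from any capture.
SAMPLES = {
    "file-a": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
    "file-b": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16 + b"\xff\xd9",
    "file-c": gzip.compress(b"<!DOCTYPE html><html><head><title>x</title></head></html>"),
    "file-d": b"\x00\x01\x02\x03 not a known type",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        kind, suffix, _ = describe(data)
        print("%-8s %-14s rename to %s.%s" % (name, kind, name, suffix))
```

Classifying by content rather than by the suffix a server advertised is the safer habit when the capture came from an untrusted site: the Content-Type header and the file name are attacker-controlled, the first bytes of the file are what the viewer will actually interpret.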

Windows-based network environment

a) Under Windows, Wireshark is used to capture packets.

b) Upload the Wireshark capture to CentOS and analyze it with jsunpack-n. The results are as follows:

c) The parsing above produces results; comparing the files extracted from the Wireshark capture with those extracted earlier, we found no differences.

