Fun with HTTrack

Document created by justin.kelso@hpe.com on Aug 31, 2010
Version 1

(Sorry, I uploaded this with an old user account, let's try it again)

This is just a quick guide for any of you that care to try it out.

The basic use case for this guide is for those organizations that do not / cannot gather pcaps for web traffic and do not have a tool like NetWitness that allows them to actually view the images that users are looking at.

Generally, analysts would use this technique when they want to know what images a particular IP is viewing (yes, think pr0n investigation here) and want to gather and pore through those images in bulk.

Overall, I will create a report in ArcSight that pulls the URL of every image a certain IP has accessed. The report lists all of the URLs in CSV format. I will feed the list into HTTrack, which grabs a copy of each image and throws it into a directory on my box, where I can browse them as thumbnails or filmstrip or whatever you like through Windows.

Creating the report:

You want the report to grab the images that a certain IP is looking at. Try using something like the filter shown below to build your report query:

Screenshot 1.JPG: https://protect724.arcsight.com/servlet/JiveServlet/downloadImage/1265/1.JPG

As you can see, the conditions here will grab web requests where the request is for a jpg, gif, or png and the file size is over 20000 bytes. The size condition keeps out the tiny, useless images that are on webpages nowadays, so you should get only images of a reasonable size.

When used in a report, the filter will give you a CSV list of all images that a user grabbed that match it:

Screenshot 4.JPG: https://protect724.arcsight.com/servlet/JiveServlet/downloadImage/1268/4.JPG

Highlight some or all of the images and do a ‘copy’:

Screenshot 5.JPG: https://protect724.arcsight.com/servlet/JiveServlet/downloadImage/1269/5.JPG

Create a new project in HTTrack:

Screenshot 6.JPG: https://protect724.arcsight.com/servlet/JiveServlet/downloadImage/1270/6.JPG

Select the ‘Get separated files’ option and paste the URLs into the box:

Screenshot 7.JPG: https://protect724.arcsight.com/servlet/JiveServlet/downloadImage/1271/7.JPG

Finish the project and run it:

Screenshot 8.JPG: https://protect724.arcsight.com/servlet/JiveServlet/downloadImage/1272/8.JPG

It will grab a copy of all of the images and put them in the folder you specified. Now you can browse the folder and see what the user was looking at:

Screenshot 9.JPG: https://protect724.arcsight.com/servlet/JiveServlet/downloadImage/1273/9.JPG
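The hand-off between the report and HTTrack can also be scripted. The following is an added example, not part of the original guide: it re-applies the filter conditions described above (jpg/gif/png, over 20000 bytes) to a CSV export, drops duplicate and non-web URLs, and writes one URL per line ready to paste into the project. The column names `Request Url` and `Bytes In`, the sample rows and the output file name are assumptions made for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

IMAGE_EXTS = (".jpg", ".gif", ".png")   # the three types the report filter matches
MIN_BYTES = 20000                        # size threshold from the report filter

# Constructed sample export; the column names are assumptions, not ArcSight's own.
SAMPLE_CSV = """Request Url,Bytes In
http://img.example.com/gallery/a.jpg,48211
http://img.example.com/gallery/a.jpg,48211
http://www.example.com/spacer.gif,43
http://cdn.example.net/photos/B.PNG?w=800,120554
http://www.example.com/index.html,90311
ftp://files.example.org/pic.jpg,75000
http://img.example.com/thumbs/c.png,not-a-number
"""

def select_image_urls(rows, url_col="Request Url", size_col="Bytes In"):
    """Return unique http(s) image URLs over MIN_BYTES, in first-seen order."""
    seen, out = set(), []
    for row in rows:
        url = (row.get(url_col) or "").strip()
        try:
            size = int(row.get(size_col) or 0)
        except ValueError:
            continue                      # skip rows with a malformed size field
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue                      # only web requests belong in the list
        # Match on the path so a query string (?w=800) does not hide the extension.
        if not parts.path.lower().endswith(IMAGE_EXTS):
            continue
        if size <= MIN_BYTES or url in seen:
            continue
        seen.add(url)
        out.append(url)
    return out

def urls_from_export(text):
    """Parse CSV text exported from the report and apply the filter."""
    return select_image_urls(csv.DictReader(io.StringIO(text)))

def write_url_list(urls, path):
    """Write one URL per line for pasting into the HTTrack project."""
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        fh.write("\n".join(urls) + "\n")

if __name__ == "__main__":
    urls = urls_from_export(SAMPLE_CSV)
    write_url_list(urls, "httrack_urls.txt")
    print(f"{len(urls)} URLs written to httrack_urls.txt")
```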
