Recreating files from packet capture

Vedder

Newbie

Posts: 26

Joined: Sun Feb 15, 2009 5:18 am

Post Tue Jul 28, 2009 10:26 am

Recreating files from packet capture

Hi

Can anyone help me recreate files from a packet capture.

I have found a good page on hex headers (http://www.garykessler.net/library/file_sigs.html), and I know that there are at least two bmp images and one zip file.

I have tried copying them all to notepad, then loading them up in a hex editor, and saving them as the required file type, but if I try opening them up in paint, or winzip, I just get a "file is corrupt" message.

Is there a step I am missing?
C|EH, MCSE, MCSA: Security, Security+, Network+, A+
don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Jul 28, 2009 10:44 am

Re: Recreating files from packet capture

CISSP, MCSE, CSTA, Security+ SME
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Jul 28, 2009 10:50 am

Re: Recreating files from packet capture

NetWitness is great, like Don indicated. I've used it and it really makes viewing HTML, Email, and other types of documents amazingly easy as they travel across the wire.

Wireshark can also do this, depending on the protocol. Files transmitted through HTTP can be exported using the File, Export, Objects menu. For other protocols, you would have to isolate the packets that belong to your file, and then export the packets. Wireshark will put the fragments of the transmission back together for you. You can use the Follow TCP Stream feature for this.
~~~~~~~~~~~~~~
Ketchup
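The two steps Ketchup describes (follow the TCP stream so the fragments are back in order, then pull the file out by its header signature) as an added example, written for this thread and not taken from any poster, Wireshark or NetWitness. It builds a small pcap in memory (a constructed sample: one BMP and one ZIP sent over a single TCP connection, with the second segment captured before the first), reassembles the stream by sequence number, and then carves the BMP using the size field in its header and the ZIP using its end-of-central-directory record. The addresses, ports and sequence numbers are made up; only the standard library is used.

```python
"""Follow a TCP stream in a pcap and carve BMP/ZIP files out of it.

Added example for this thread (not code from any poster or tool named here).
Constructed sample traffic, standard library only.
"""
import io
import struct
import zipfile
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap magic, microsecond timestamps


def build_bmp() -> bytes:
    """2x2 24-bit BMP (constructed sample) with a correct bfSize field."""
    rows = b"\xff\x00\x00\x00\x00\xff\x00\x00" + b"\x00\xff\x00\xff\xff\xff\x00\x00"
    size = 14 + 40 + len(rows)
    file_header = b"BM" + struct.pack("<IHHI", size, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, len(rows), 2835, 2835, 0, 0)
    return file_header + info_header + rows


def build_zip() -> bytes:
    """One-entry ZIP archive (constructed sample) with a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("note.txt", date_time=(2009, 7, 28, 10, 26, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, "carved from a constructed capture")
    return buf.getvalue()


def tcp_frame(seq: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame 10.0.0.1:40000 -> 10.0.0.2:8080 (made-up hosts; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 8080, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip


def build_pcap(segments) -> bytes:
    """Wrap (seq, payload) pairs in pcap records, in the order given."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, (seq, payload) in enumerate(segments):
        frame = tcp_frame(seq, payload)
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def follow_streams(pcap: bytes) -> dict:
    """Group TCP payloads by (src, sport, dst, dport) and reassemble each by sequence number."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    pos, segments = 24, defaultdict(dict)
    while pos + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue  # not TCP
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            key = (ip[12:16], sport, ip[16:20], dport)
            segments[key].setdefault(seq, payload)  # keep the first copy of a retransmission
    streams = {}
    for key, segs in segments.items():
        data, base = bytearray(), min(segs)
        for seq in sorted(segs):  # out-of-order segments land at their sequence offset
            offset = seq - base
            if offset > len(data):
                data.extend(b"\x00" * (offset - len(data)))  # hole left by a missing segment
            data[offset:offset + len(segs[seq])] = segs[seq]
        streams[key] = bytes(data)
    return streams


def carve(data: bytes) -> list:
    """Carve BMPs (length from the header) and ZIPs (length from the end-of-central-directory record)."""
    found, i = [], 0
    while i < len(data):
        if data[i:i + 2] == b"BM" and i + 6 <= len(data):
            size = struct.unpack("<I", data[i + 2:i + 6])[0]
            if 54 <= size <= len(data) - i:  # headers must fit and the file must end inside the stream
                found.append(("bmp", data[i:i + size]))
                i += size
                continue
        if data[i:i + 4] == b"PK\x03\x04":
            eocd = data.find(b"PK\x05\x06", i)
            if eocd != -1 and eocd + 22 <= len(data):
                comment_len = struct.unpack("<H", data[eocd + 20:eocd + 22])[0]
                size = eocd + 22 + comment_len - i
                found.append(("zip", data[i:i + size]))
                i += size
                continue
        i += 1
    return found


def read_zip_entry(blob: bytes, name: str) -> str:
    """Open a carved ZIP in memory and return one entry's text (shows the carve is intact)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name).decode()


def demo() -> list:
    """Send BMP+ZIP over one TCP stream with the second segment captured first, then carve."""
    blob = build_bmp() + build_zip()
    pcap = build_pcap([(1030, blob[30:]), (1000, blob[:30])])
    (stream,) = follow_streams(pcap).values()
    return carve(stream)


if __name__ == "__main__":
    for kind, content in demo():
        print(kind, len(content), "bytes")
```

The point of reassembling before carving is the "file is corrupt" symptom from the first post: the header bytes of a BMP or ZIP are easy to spot in a hex view, but if the bytes are copied in packet order rather than sequence order, or a retransmitted segment is copied twice, the resulting file has the right signature and the wrong contents. The ZIP case also shows why the trailing bytes matter as much as the header: WinZip locates entries through the central directory at the end of the archive, so a carve that stops short of it produces an archive that no longer opens.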
Vedder

Newbie

Posts: 26

Joined: Sun Feb 15, 2009 5:18 am

Post Tue Jul 28, 2009 11:31 am

Re: Recreating files from packet capture

Thanks Don and Ketchup

It's SSL traffic, I've decrypted it in Wireshark using the key, and can see them in hex code in the outputted file. Wireshark just shows the encrypted data still.

I'll carry on with NetWitness, as it does look like a very nice tool.

*EDIT*

NetWitness has come up trumps, and given me the files.

Thanks again Don and Ketchup
Last edited by Vedder on Tue Jul 28, 2009 11:37 am, edited 1 time in total.
C|EH, MCSE, MCSA: Security, Security+, Network+, A+
UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Jul 29, 2009 12:18 am

Re: Recreating files from packet capture

Thanks for the hint about NetWitness, haven't heard about it before. Definitely sounds interesting and useful.
dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Wed Jul 29, 2009 4:47 am

Re: Recreating files from packet capture

Late to the party on this one.
As previously said, Netwitness is a cracking product, I used it when they charged for it in the Corporate environment.

Now they have the free one, I have it on my personal machine, and it's good stuff.

Deffo worth a download.
305mia

Newbie

Posts: 2

Joined: Fri Aug 21, 2009 8:53 am

Post Fri Aug 21, 2009 9:53 am

Re: Recreating files from packet capture

So I have an AIM conversation in which a document was exchanged via AIM's file sharing function.

NetWitness recreated the conversation from my pcap file and shows the document name.

I am having trouble reconstructing the attachment document. I know it is a word doc but how can I actually reconstruct the document?

Thanks in advance
blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Tue Aug 25, 2009 11:20 am

Re: Recreating files from packet capture

Available tools on the Internet for the purpose of extracting files from packet dumps:

NetworkMiner

Xplico

TcpXtract

And to do it manually using WireShark and a Hex editor check out the following blog:

Pulling binaries from pcaps

Enjoy!
Security+, OSCP, CEH
g00d_4sh

Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Tue Aug 25, 2009 5:19 pm

Re: Recreating files from packet capture

Nice.  I've not worked with the Netwitness Investigator program before.  My first interaction with Netwitness was out at an afterparty with some of the folks in Vegas this year.  And watching my girlfriend verbally emasculate one of their VPs as he drunkenly tried to impress/pick her up.  It was one of those times where I was reminded on why I want to marry her hehehe.
"Bad.. Good?  I'm the guy with the gun"
UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Aug 26, 2009 12:32 am

Re: Recreating files from packet capture

blackazarro wrote: [...]

And to do it manually using WireShark and a Hex editor check out the following blog:

Pulling binaries from pcaps

Enjoy!


Thanks for this one, especially for the blog itself. I read an article there once but couldn't find the address anymore.
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Aug 26, 2009 12:29 pm

Re: Recreating files from packet capture

I used the site too (about pulling hex from pcap). It allowed me to finish the ISC.SANS.Org puzzle, which I actually had a lot of fun doing. While TCPXtract was close at pulling the file out, and it worked on my nix box with Open Office, it didn't work on my office Windows box with Office 2k3 (with the 2k7 plugin).
OSWP, Sec+
blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Aug 26, 2009 4:54 pm

Re: Recreating files from packet capture

Hey chrisj, check this perl script out for extracting Office 2007 Metadata:

read_open_xml.pl

The script works, I tried it against the docx file from the evidence pcap and it gave me some info such as the name of the file creator, creation and modify timestamp. That's some cool info that you can include in your network forensic report.

You don't need the script to get this info but it's quicker.
Security+, OSCP, CEH
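What the read_open_xml.pl script pulls out of a .docx, as an added example in Python written for this thread rather than the script itself: an Office 2007 document is a ZIP container, and the creator, last-modified-by and creation/modification timestamps live in the docProps/core.xml part. The example first checks that the carved file is a readable ZIP whose entries pass their CRC checks (the usual reason a carved .docx comes up "corrupt" in Word, which ties back to 305mia's question) and then reads the core properties. The document it inspects is a constructed sample with made-up names and dates; only the standard library is used.

```python
"""Check a carved .docx is a sound ZIP container and read its core metadata.

Added example for this thread (not the read_open_xml.pl script mentioned above).
The sample document is constructed inline; standard library only.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed docProps/core.xml: the names and timestamps are sample values.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    "<dc:creator>Sample Author</dc:creator>"
    "<cp:lastModifiedBy>Sample Editor</cp:lastModifiedBy>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">2009-08-20T14:05:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2009-08-21T09:30:00Z</dcterms:modified>'
    "</cp:coreProperties>"
) % (NS["cp"], NS["dc"], NS["dcterms"])


def build_sample_docx() -> bytes:
    """Minimal docx-shaped ZIP (constructed sample) with only the parts this example needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


def check_container(blob: bytes):
    """Return None if blob is a ZIP whose entries all pass their CRC check, else a short reason."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return "no usable ZIP structure (truncated carve, or the central directory is missing)"
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        bad = zf.testzip()  # name of the first entry with a bad CRC, or None
    return None if bad is None else "CRC mismatch in entry %s" % bad


def read_core_properties(blob: bytes) -> dict:
    """Return creator / last_modified_by / created / modified from docProps/core.xml, or {}."""
    if check_container(blob) is not None:
        return {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    wanted = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
              "created": "dcterms:created", "modified": "dcterms:modified"}
    props = {}
    for key, path in wanted.items():
        node = root.find(path, NS)
        if node is not None and node.text:
            props[key] = node.text.strip()
    return props


if __name__ == "__main__":
    doc = build_sample_docx()
    print(check_container(doc) or "container OK")
    print(read_core_properties(doc))
```

Running check_container on a carved file before opening it in Word gives a more useful answer than "file is corrupt": a truncated carve fails the container check outright, while a carve of the right length with a damaged segment in the middle shows up as a CRC mismatch in a named entry. The same core-properties lookup works for .xlsx and .pptx, since they share the docProps/core.xml part.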
