
Reconstructing files from Wireshark Packets

In this post, I am going to demonstrate the reconstruction of a file using two well-known protocols, HTTP and FTP. Let me give a quick introduction to the two protocols. HTTP stands for Hypertext Transfer Protocol, an application-layer protocol designed within the framework of the Internet protocol suite for effective communication between a client and a server. It uses TCP as its underlying transport protocol. As an example, when we request a URL from our web browser, it goes to the server as a request message. The server then processes it and responds to the client with an HTML page.

FTP stands for File Transfer Protocol, which is used to transfer files from one host to another. It makes use of two separate connections (a control connection and a data connection) to transfer files, and it too uses TCP as its underlying transport. The most widely used applications are FileZilla (Windows, Linux and Mac) and ftp (Linux).

I will be using the Wireshark tool for the demo. First we will start with HTTP objects. Extracting HTTP objects from a captured packet is very easy. Just open the capture in Wireshark, then in the menu select File -> Export Objects -> HTTP. Then save the required files, or all of them, to a directory.

[Screenshot: Wireshark1]
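The Export Objects dialog does the response parsing for you. To show what that step actually involves, here is an added example of my own (not code from the post) that takes the raw server-to-client bytes of one HTTP/1.1 connection, the same thing Follow TCP Stream -> Raw gives you for the server direction, and splits them into the objects they carry. It frames each response by Content-Length or chunked transfer encoding and undoes gzip content encoding, which is why a saved raw stream does not match the exported files byte for byte. The input stream is constructed inline.

```python
import gzip


def _read_chunked(stream, pos):
    """Decode a Transfer-Encoding: chunked body starting at pos; return (body, end)."""
    body = bytearray()
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            while stream[pos:pos + 2] != b"\r\n":  # skip any trailer headers
                pos = stream.index(b"\r\n", pos) + 2
            return bytes(body), pos + 2
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data is followed by its own CRLF


def extract_http_objects(stream):
    """Split a server-to-client byte stream into the objects it carries."""
    objects, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # headers cut off: nothing more can be framed
        status_line, *lines = stream[pos:head_end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = head_end + 4
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, pos = _read_chunked(stream, pos)
        elif "content-length" in headers:
            length = int(headers["content-length"])
            body = stream[pos:pos + length]  # comes out short if the capture is truncated
            pos += length
        else:
            body, pos = stream[pos:], len(stream)  # no framing: body runs to connection close
        if headers.get("content-encoding", "").lower() == "gzip":
            body = gzip.decompress(body)
        objects.append({"status": status_line, "content_type": headers.get("content-type", ""),
                        "body": bytes(body)})
    return objects


# Constructed stream: a PNG served with Content-Length, then a gzipped HTML page
# sent with chunked transfer encoding, as two pipelined responses on one connection.
PNG_MAGIC = bytes.fromhex("89 50 4E 47 0D 0A 1A 0A")
LOGO = PNG_MAGIC + b"\x00" * 32  # magic bytes plus filler, not a real image
PAGE = b"<html><body>flag is in the pcap</body></html>"


def build_stream():
    gz = gzip.compress(PAGE)
    chunked = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in (gz[:10], gz[10:])) + b"0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: %d\r\n\r\n" % len(LOGO)
            + LOGO
            + b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n" + chunked)


if __name__ == "__main__":
    for i, obj in enumerate(extract_http_objects(build_stream())):
        print(i, obj["status"], obj["content_type"], len(obj["body"]), "bytes")
```

The filename Wireshark offers in the dialog comes from the matching request line, which is in the other direction of the stream; the code above keys off Content-Type instead, since it only sees the server side.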

Pretty simple, right? Now we will look at how to extract files that are transferred via the FTP protocol. Actually, for the past few months, when I was working with CTF packet challenges, I didn't have any practical knowledge about carving files transferred via FTP out of captured packets. It is in fact simple if you are familiar with file signatures. I read two or three blogs and came up with some ideas for stripping out files transferred via FTP. Take a look at this snapshot:

[Screenshot: Wireshark2]

First, the client (10.10.10.7) makes a request to the server (78.47.100.174) to transfer a file. After that, four or five request and response messages are exchanged between the two machines. Take a close look at packet no. 10967: the client asks the server for a file named "flag.rar". In the next packet, the server starts sending the file to the requesting machine. Finally, packet no. 11091 indicates the transfer of the file named "flag.rar" to 10.10.10.7. OK, now how do we extract the RAR file from the capture? You can either write a script to extract the bytes from the captured packets and reconstruct the entire file, or you can follow the steps given below.

Understanding the transferred file:

Here, our transferred file is a RAR file, and we know that every file type used in the computing world is identified by its file signature. Just Google for the RAR file header and you will get the signature. The RAR file's hex signature is "52 61 72 21 1A 07 00". Use this pattern to locate the file: press CTRL + F, select "Hex value", and then enter the pattern.

[Screenshot: Wireshark3]

There you go! The RAR file is found in packet no. 10988. Now right-click and select Follow TCP Stream. Then select Raw and save it under a name. That's it, you are done with the extraction. Use the file command in Linux to check whether we have extracted the RAR file completely from the captured packets.

h1dd3ntru7h@f0r3n51c5:~/Desktop/VolgaCTF13/200$ file Flag.rar
Flag.rar: RAR archive data, v40,
h1dd3ntru7h@f0r3n51c5:~/Desktop/VolgaCTF13/200$

Pingo! We got the right one! :D.
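For the scripted route mentioned above, here is an added example of my own (not the post's code) that does what the manual steps do: it parses a pcap, reassembles each TCP direction by sequence number the way Follow TCP Stream -> Raw does, locates the "52 61 72 21 1A 07 00" signature and carves the archive from that offset, then checks the leading bytes like `file` would. The capture is constructed inline with the post's addresses (10.10.10.7 and 78.47.100.174), an active-mode data connection on server port 20 and a fake archive that is just the RAR magic plus filler; the second data segment is deliberately captured out of order and twice, so the reassembly has to cope with reordering and retransmission. It goes slightly beyond the post by also listing the RAR5 signature (the post's pattern only matches RAR 1.5 to 4.x archives, which is consistent with the "v40" that `file` reports).

```python
import socket
import struct
from collections import defaultdict

# Magic bytes the carver recognises. The first is the post's pattern (RAR 1.5-4.x);
# RAR5 archives start with "Rar!\x1A\x07\x01\x00" instead, so it is listed as well.
SIGNATURES = {
    "RAR archive data (v1.5-4.x)": bytes.fromhex("52 61 72 21 1A 07 00"),
    "RAR archive data (v5)": bytes.fromhex("52 61 72 21 1A 07 01 00"),
    "Zip archive data": bytes.fromhex("50 4B 03 04"),
    "PNG image data": bytes.fromhex("89 50 4E 47 0D 0A 1A 0A"),
    "PDF document": b"%PDF-",
}


def tcp_segment(src, dst, sport, dport, seq, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame (PSH|ACK). MACs and checksums are zero;
    the parser below never validates them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def write_pcap(frames):
    """Serialise frames as a classic libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1370000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def tcp_payloads(pcap):
    """Yield (flow, seq, payload) for each TCP segment that carries data."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian pcap with microsecond timestamps")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, pos)[2]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue  # not TCP
        tcp = ip[ihl:total_len]  # the IP total length strips any Ethernet padding
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            flow = (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport)
            yield flow, seq, payload


def reassemble_streams(pcap):
    """One byte string per unidirectional flow, ordered by sequence number with
    retransmitted overlap dropped. Sequence wraparound is not handled; a gap raises."""
    segments = defaultdict(list)
    for flow, seq, payload in tcp_payloads(pcap):
        segments[flow].append((seq, payload))
    streams = {}
    for flow, segs in segments.items():
        segs.sort(key=lambda s: s[0])
        expected, buf = segs[0][0], bytearray()
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= expected:
                continue  # pure retransmission, bytes already present
            if seq < expected:
                payload = payload[expected - seq:]  # partial overlap
            elif seq > expected:
                raise ValueError(f"missing bytes at seq {expected} in flow {flow}")
            buf += payload
            expected = end
        streams[flow] = bytes(buf)
    return streams


def carve(stream):
    """Return (type name, bytes from the earliest known signature), or None."""
    hits = [(stream.find(m), n) for n, m in SIGNATURES.items() if m in stream]
    if not hits:
        return None
    offset, name = min(hits)
    return name, stream[offset:]


def identify(blob):
    """Cheap stand-in for `file`: match the leading magic bytes."""
    return next((n for n, m in SIGNATURES.items() if blob.startswith(m)), "data")


# Constructed session shaped like the post's capture (the "archive" is magic + filler).
CLIENT, SERVER = "10.10.10.7", "78.47.100.174"
FLAG_RAR = SIGNATURES["RAR archive data (v1.5-4.x)"] + bytes(range(256)) * 4
DATA_FLOW = (SERVER, 20, CLIENT, 49153)


def build_capture():
    opening = b"150 Opening BINARY mode data connection for flag.rar\r\n"
    frames = [tcp_segment(CLIENT, SERVER, 49152, 21, 1000, b"RETR flag.rar\r\n"),
              tcp_segment(SERVER, CLIENT, 21, 49152, 2000, opening)]
    data, seq = [], 5000
    for i in range(0, len(FLAG_RAR), 300):
        data.append(tcp_segment(SERVER, CLIENT, 20, 49153, seq, FLAG_RAR[i:i + 300]))
        seq += len(FLAG_RAR[i:i + 300])
    data.insert(0, data[1])  # second chunk seen early and again in place: reorder + duplicate
    frames += data + [tcp_segment(SERVER, CLIENT, 21, 49152, 2000 + len(opening),
                                  b"226 Transfer complete.\r\n")]
    return write_pcap(frames)


def extract_rar(pcap):
    """Find the flow carrying a RAR signature and carve the archive out of it."""
    for flow, stream in reassemble_streams(pcap).items():
        found = carve(stream)
        if found and found[0].startswith("RAR"):
            return flow, found[1]
    return None


if __name__ == "__main__":
    flow, blob = extract_rar(build_capture())
    print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {identify(blob)}, {len(blob)} bytes")
```

Two things this makes explicit that the GUI hides: the carve starts at the signature offset, so any bytes before it in the stream are discarded, and only the server-to-client direction is used. When saving raw from Follow TCP Stream, pick that single direction in the dialog rather than "Entire conversation", or bytes from the other direction can end up interleaved in the saved file. A signature match only proves the header is intact; a truncated capture still carves to a file that `file` happily identifies but that will not extract.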

  1. June 9, 2013 at 2:13 pm

    This is cool. I’m gonna try myself. Thanks!
