Posts Tagged ‘wireshark’

Alex CTF USB probing Forensics 3 – 150 writeup

February 6, 2017


Challenge file: Download.

In fact, this is my first attempt to recover USB traffic from a PCAP file.

The first 4 packets contain the information about the devices involved in the traffic. Using the Vendor ID and Product ID, I looked up the device details here: it is a flash drive.


In the following paragraphs I will try to explain my approach to solving this problem, but if you just want to see the solution, check the last 2 paragraphs.

Wireshark doesn’t have an easy option to view files transferred over the USB protocol, whereas for TCP it is easy to extract or view transferred files (using Follow TCP Stream).

I made a simple test to understand how a file is transferred over the USB protocol. I plugged in a USB device and copied a text file to it (with contents “findme”*1000) while Wireshark was listening on the USB interface in the background. To capture USB traffic on Linux you must first load the usbmon kernel module (check here).

$ sudo modprobe usbmon

Most packets were smaller than 100 bytes, and the transferred text file was found in a packet longer than 1000 bytes; look at the URB_BULK out packets.


So, as a conclusion, look for packets larger than 1000 bytes of type URB_BULK out/in. I also found the names of the files present on the flash drive.

Let’s repeat the same steps on the challenge file to find what was transferred. Load the capture and look for packets longer than 1000 bytes. Scroll down a bit and bingo, you can see the PNG image’s header! 😉


Select the packet bytes and press Ctrl + H, or use File->Export Packet Bytes. Open the saved file in an image viewer and you see the flag!!
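The same search done with a script instead of the GUI, as an added example that is not part of the original post: it walks a usbmon capture record by record, keeps only URB_BULK payloads longer than 1000 bytes, and cuts the PNG out by walking its chunks to IEND instead of guessing where the image ends. It assumes a little-endian pcap with link type 220 (the usbmon format) and Python 3.8+; the capture it runs on is constructed inside the block (a 1x1 PNG inside a 1024-byte bulk write), not the challenge file.

```python
import struct, zlib
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DLT_USB_LINUX_MMAPPED = 220   # link type of a usbmon capture: 64-byte URB header per record
URB_BULK = 3                  # xfer_type value that Wireshark displays as URB_BULK

def usbmon_payloads(pcap):
    """Yield (xfer_type, is_in, data) for each record of a little-endian usbmon pcap."""
    assert struct.unpack_from("<I", pcap, 20)[0] == DLT_USB_LINUX_MMAPPED, "not a usbmon capture"
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        rec = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        # URB header: type@8 xfer_type@9 epnum@10 (bit 7 = IN) ... data_len@36; payload at 64
        data_len = struct.unpack_from("<I", rec, 36)[0]
        yield rec[9], bool(rec[10] & 0x80), rec[64:64 + data_len]

def carve_png(blob):
    """Cut out the PNG that begins at the first signature in blob, walking chunks to IEND."""
    if (start := blob.find(PNG_MAGIC)) < 0:
        return None
    pos = start + len(PNG_MAGIC)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, pos)
        pos += 12 + length                     # 4 length + 4 type + data + 4 crc
        if ctype == b"IEND":
            return blob[start:pos]
    return None                                # truncated: IEND never seen

def carve_pngs_from_usb_pcap(pcap, min_len=1000):
    """The writeup's heuristic: URB_BULK payloads over min_len bytes that hold a PNG header."""
    return [png for xfer, _, data in usbmon_payloads(pcap)
            if xfer == URB_BULK and len(data) > min_len and (png := carve_png(data))]

# Constructed sample (not the challenge file): 1x1 PNG in a 1024-byte bulk OUT write + a small bulk IN status.
def _chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))
def _urb(xfer_type, epnum, data):
    hdr = bytearray(64)
    hdr[8], hdr[9], hdr[10] = ord("S"), xfer_type, epnum
    struct.pack_into("<II", hdr, 32, len(data), len(data))      # urb_len, data_len
    return struct.pack("<IIII", 0, 0, 64 + len(data), 64 + len(data)) + bytes(hdr) + data

def build_sample_pcap():
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    png = PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _chunk(b"IEND", b"")
    sector = png + b"\x00" * (1024 - len(png))                  # mass storage writes whole sectors
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, DLT_USB_LINUX_MMAPPED)
    return glob + _urb(URB_BULK, 0x02, sector) + _urb(URB_BULK, 0x81, b"USBS" + b"\x00" * 9)
```

To run it on a real capture, pass `open(path, "rb").read()` to `carve_pngs_from_usb_pcap` and write each returned blob to a `.png` file.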



Insomni’hack teaser 2017 Forensics The Great Escape part-1 writeup

January 22, 2017


From the given PCAP file you must have noticed traffic from the OCSP, HTTP, FTP, SMTP and TLS protocols. TLS carries the actual flag, FTP has the private key needed to decrypt the TLS traffic, and SMTP has the clue that will help us filter the traffic of interest, i.e. the right TLS packets. You can ignore the rest.

The first task is to retrieve the private key file from the FTP traffic. Use the filter “ftp-data” in Wireshark and follow the TCP stream; you can see the transferred private key. Save it as a text file (private_key.txt).


We have the private key, and all we have to do is use it to decrypt the TLS packets. Use the filter “ssl” to see the encrypted traffic.


We have 4+ HTTP servers involved, and the important task is to find the right one that has the flag. But how? The answer is in the hint transmitted in the email (SMTP traffic). Use the filter “smtp” and read the contents of the email. You can see the sender informing about moving the code from Swiss Secure Cloud to  Maybe the flag was transmitted here!


The two addresses found in the email point to : 443, so this might be the right IP address we are looking for.


To confirm, check whether there is any traffic originating from in the PCAP file. You will see encrypted traffic. Let’s use all the information we gathered from SMTP (IP :, PORT : 443) and FTP (the private key) to decrypt the SSL traffic.

Go to Edit->Preferences->Protocols->SSL. In the RSA keys list add the information we have gathered. The protocol should be http, as the port for is 443 (the default for https). Note that a server’s RSA private key can only decrypt sessions that used RSA key exchange; with a (EC)DHE cipher suite the key alone would not be enough.


Use the filter “ip.addr== and http”. You can see the decrypted traffic.

I was searching for the flag inside the transferred files (File -> Export -> HTTP objects) but it was not there; after a while I found it in the HTTP header.


SECCON 2016 Forensics 100 VoIP writeup

December 11, 2016

Challenge description:

Extract a voice.
The flag format is SECCON{[A-Z0-9]}.

A straightforward challenge. It is clearly mentioned that we need to extract the voice message. Also, you can see the RTP streams when you open the PCAP file in Wireshark.


Get the flag by playing the voice message after extracting the VoIP call from the menu (Telephony -> VoIP Calls).

The flag was: SECCON{{9001IVR}
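The Telephony menu does the work here, but as an added example (not from the original post) this script shows what that export consists of: parsing the RTP header of each UDP payload, grouping packets by SSRC, joining the voice payload in playback order, and decoding G.711 mu-law (PCMU) into a WAV any player can open. The packets it runs on are constructed inside the block; pulling the UDP payloads out of the capture is assumed to have been done already.

```python
import struct, wave

def parse_rtp(pkt):
    """Split one UDP payload into its RTP header fields and the voice payload (RFC 3550)."""
    flags, m_pt, seq, ts, ssrc = struct.unpack_from("!BBHII", pkt)
    if flags >> 6 != 2:
        raise ValueError("not RTP version 2")
    hdr_len = 12 + 4 * (flags & 0x0F)                   # skip the CSRC list, if any
    if flags & 0x10:                                    # header extension present
        hdr_len += 4 + 4 * struct.unpack_from("!H", pkt, hdr_len + 2)[0]
    end = len(pkt) - pkt[-1] if flags & 0x20 else len(pkt)   # strip padding
    return {"pt": m_pt & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc, "payload": pkt[hdr_len:end]}

def reassemble_streams(udp_payloads):
    """Group by (SSRC, payload type) and join payloads in playback order, like Wireshark's RTP Streams view."""
    streams = {}
    for pkt in udp_payloads:
        r = parse_rtp(pkt)
        streams.setdefault((r["ssrc"], r["pt"]), []).append(r)
    for rs in streams.values():           # seq wraps at 2^16, so order by the 32-bit timestamp first
        rs.sort(key=lambda r: (r["ts"], r["seq"]))
    return {key: b"".join(r["payload"] for r in rs) for key, rs in streams.items()}

def ulaw_to_pcm16(data):
    """Decode G.711 mu-law (RTP payload type 0, PCMU) to little-endian signed 16-bit PCM."""
    out = bytearray()
    for u in data:
        u = ~u & 0xFF                                   # mu-law bytes are stored inverted
        mag = ((((u & 0x0F) << 3) + 0x84) << ((u >> 4) & 0x07)) - 0x84
        out += struct.pack("<h", -mag if u & 0x80 else mag)
    return bytes(out)

def recover_call(udp_payloads):
    """Return {ssrc: pcm16 bytes} for every PCMU stream; other payload types are skipped."""
    return {ssrc: ulaw_to_pcm16(b) for (ssrc, pt), b in reassemble_streams(udp_payloads).items() if pt == 0}

def write_wav(path, pcm, rate=8000):
    """Write mono 16-bit PCM at the PCMU sample rate so any audio player can play the call."""
    with wave.open(path, "wb") as w:
        w.setparams((1, 2, rate, 0, "NONE", "not compressed"))
        w.writeframes(pcm)

def build_sample_packets():
    """Constructed PCMU packets (not the challenge capture): one SSRC, arriving out of order across a seq wrap."""
    pkts = []
    for i, seq in enumerate([65534, 65535, 0, 1]):
        payload = bytes([0xFF, 0xFF, 0x10 * i, 0x10 * i])   # two silent samples, then two loud ones
        pkts.append(struct.pack("!BBHII", 0x80, 0, seq, 160 * i, 0xDEADBEEF) + payload)
    return [pkts[2], pkts[0], pkts[3], pkts[1]]              # shuffled arrival order
```

A two-party call shows up as two SSRCs; call `write_wav` once per entry of `recover_call` to get one file per direction.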

Reconstructing files from Wireshark Packets

June 6, 2013

In this post, I am going to demonstrate the reconstruction of a file using 2 well-known protocols, HTTP and FTP. Let me give a quick introduction to the two protocols. HTTP stands for Hyper Text Transfer Protocol, an application layer protocol designed within the framework of the IP suite. It is designed for effective communication between client and server and uses TCP as its underlying transport. As an example, if we request a URL from our web browser, it goes as a Request message to the server. The server then processes it and responds to the client with an HTML page.

FTP stands for File Transfer Protocol, which is used to transfer files from one host to another. It makes use of two separate connections (control and data connections) to transfer files, and uses TCP as its underlying transport. The most widely used clients are FileZilla (Windows, Linux and Mac) and ftp (Linux).

I will be using Wireshark for the demo. First we will start with HTTP objects. Extracting HTTP objects from a capture is very easy. Just open the capture in Wireshark, then in the menu select File -> Export Objects -> HTTP and save the required (or all) files to a directory.


Pretty simple, right? Now we will look at how to extract files transferred via FTP. Actually, for the past few months, when I was working on CTF packet challenges, I didn’t have any practical knowledge about carving the transferred files (via FTP) from the captured packets. It is indeed simple if you are familiar with file signatures. I read 2-3 blogs and came up with some ideas for stripping out files transferred via FTP. Take a look at this snapshot:


Firstly, the client ( makes a request to the server ( to transfer a file. After that, 4 to 5 request and response messages are exchanged between the two machines. Take a close look at packet no. 10967: the client requests a file named “flag.rar” from the server. In the next packet, the server starts sending the file to the requesting machine. Finally, packet no. 11091 indicates the transfer of the file named “flag.rar” to . Now, how do we extract the RAR file from the capture? You can either write a script to extract the bytes from the captured packets and reconstruct the entire file, or you can follow the steps given below.

Understanding the transferred file:

Here, our transferred file is a RAR file, and we know that every file type is identified by its file signature. Just Google for the RAR file header and you will get the signature. The RAR file’s hex signature is “52 61 72 21 1A 07 00”. Use this pattern to locate the file: press Ctrl + F, select “Hex value”, and enter the pattern.


There you go! The RAR file is found in packet no. 10988. Now right click and select Follow TCP Stream, then select Raw and save it with a name. You are done with the extraction. Use the file command in Linux to check whether we have extracted the RAR file completely from the captured packets.

h1dd3ntru7h@f0r3n51c5:~/Desktop/VolgaCTF13/200$ file Flag.rar
Flag.rar: RAR archive data, v40,

Bingo! We got the right one! :D
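The script route mentioned above, as an added example that is not from the original post: it rebuilds one direction of the FTP data connection from its TCP segments (what Follow TCP Stream -> Raw hands you), handling out-of-order and retransmitted segments, and then performs the check that `file` does by validating the RAR marker and the CRC of the main archive header before trusting the carve. The segments are constructed inside the block; extracting (seq, payload) pairs from the capture and the absence of a 32-bit sequence-number wrap are assumed.

```python
import struct, zlib

RAR4_MAGIC = bytes.fromhex("52 61 72 21 1A 07 00")   # "Rar!\x1a\x07\x00", the signature searched for above

def reassemble_tcp_stream(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs, like Follow TCP Stream -> Raw.
    Handles out-of-order delivery and retransmissions (first-seen bytes win); assumes no 32-bit seq wrap."""
    data, next_seq = bytearray(), min(seq for seq, _ in segments)
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq + len(payload) <= next_seq:
            continue                                    # pure retransmission, nothing new
        if seq > next_seq:
            raise ValueError(f"{seq - next_seq} bytes missing at seq {next_seq}: capture is incomplete")
        data += payload[next_seq - seq:]                # drop any prefix we already have
        next_seq = seq + len(payload)
    return bytes(data)

def rar_main_header_ok(blob):
    """The check `file` performs, done by hand: marker block, then a main header of type 0x73 whose
    HEAD_CRC equals the low 16 bits of CRC32 over the rest of that header (RAR 4.x layout)."""
    start = blob.find(RAR4_MAGIC)
    if start < 0 or len(blob) < start + 14:
        return False
    hdr = start + len(RAR4_MAGIC)
    head_crc, head_type, _flags, head_size = struct.unpack_from("<HBHH", blob, hdr)
    body = blob[hdr + 2: hdr + head_size]
    return head_type == 0x73 and head_size >= 13 and zlib.crc32(body) & 0xFFFF == head_crc

def carve_rar(blob):
    """Return the archive from the signature onward, or None if the header does not check out."""
    return blob[blob.find(RAR4_MAGIC):] if rar_main_header_ok(blob) else None

def build_sample_segments():
    """Constructed FTP data-channel segments (not the CTF capture): a minimal RAR marker + main header
    split over three segments, delivered out of order with the middle one retransmitted."""
    body = struct.pack("<BHH", 0x73, 0x0000, 13) + b"\x00" * 6     # type, flags, size, reserved
    rar = RAR4_MAGIC + struct.pack("<H", zlib.crc32(body) & 0xFFFF) + body
    s1, s2, s3 = rar[:5], rar[5:12], rar[12:]
    return [(1005, s2), (1000, s1), (1005, s2), (1012, s3)]
```

If the stream was saved from Wireshark already, skip the reassembly and call `carve_rar` on the file contents; a `None` means the bytes after the signature are not a consistent RAR header and the carve needs a second look.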
