For anyone interested in network security and pen testing stuff, Wireshark is the tool to get, as it reveals pretty much everything about a network, the hosts and active services present, traffic volumes, payloads and sometimes login details as well. I was hoping to demonstrate some of that here, using a (publicly available) .pcap file I acquired from somewhere.
My personal method is to start by constructing a picture of the network, which is time consuming but sets the scene for whatever analysis. There are three IP addresses worth looking at:
* 192.168.0.100 – Appears to be a virtual machine running on VMware, and providing a large number of services, including IMAP, MySQL, POP3, HTTPS, domain services, Kerberos, Sun RPC and SMUX.
* 192.168.0.150 – Another VM making a load of requests through outgoing port 34988, so it had to be a proxy server.
* 220.127.116.11 – Multicast router.
In the real world, a Wireshark capture would clearly identify which hosts are mail servers, Domain Controllers or whatever, and show their operating system and software versions. That wasn’t the case here, and the more I watched the growing list of services running off just one VM, the more it became evident the .pcap contained mostly faked packets to hide something else. Call it steganography, if you like.
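The host and service picture described above can be built without clicking through every packet. The script below is an added example, not code from the original post: it parses a classic libpcap file with the standard library only (no Scapy), counts packets per IPv4 address and credits a host with a service whenever it receives a bare SYN on a port. The capture it inventories is constructed in the script itself (a 192.168.0.150 client opening connections to several ports on 192.168.0.100 from source port 34988, mirroring the hosts named in the post); the port-to-name table is the standard IANA assignment for the services the post lists, and the SYN-based rule is this example's own choice of how to define "service".

```python
import socket
import struct
from collections import Counter, defaultdict

# Standard IANA ports for the services named in the post.
SERVICE_NAMES = {
    53: "domain", 88: "kerberos", 110: "pop3", 111: "sunrpc",
    143: "imap", 199: "smux", 443: "https", 3306: "mysql",
}
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, tcp_flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left as zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x0c\x29\x00\x00\x02" + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1315913515 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_records(pcap):
    """Yield raw frames from a classic pcap, honouring the file's byte order."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                    # IPv4 protocol 6 = TCP
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def inventory(pcap):
    """Packets per host, plus the ports on which each host was asked to open a connection.

    A host is credited with a service when it receives a SYN without ACK, i.e. someone
    tried to connect to it on that port (this is the example's own definition)."""
    packets, services = Counter(), defaultdict(dict)
    for frame in iter_records(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, flags = parsed
        packets[src] += 1
        packets[dst] += 1
        if flags & 0x12 == 0x02:                          # SYN set, ACK clear
            services[dst][dport] = SERVICE_NAMES.get(dport, "unknown")
    return {"packets": dict(packets), "services": {h: dict(s) for h, s in services.items()}}


def sample_capture():
    """Constructed traffic: .150 opens connections from port 34988 to several ports on .100."""
    client, server = "192.168.0.150", "192.168.0.100"
    frames = []
    for port in (143, 3306, 110, 443, 88):
        frames.append(build_frame(client, server, 34988, port, 0x02))   # SYN
        frames.append(build_frame(server, client, port, 34988, 0x12))   # SYN/ACK
    return build_pcap(frames)


if __name__ == "__main__":
    for host, ports in inventory(sample_capture())["services"].items():
        print(host, sorted(ports.items()))
```

On a real capture, replace `sample_capture()` with the file's bytes; a host that answers SYNs on an implausibly long list of ports, as 192.168.0.100 does in the post, shows up immediately in the `services` map.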
Sifting through the dump for a payload that contains readable text, I found an email. The text is perfectly readable in Wireshark, but the relevant packets must be exported to a text file in order to do anything with it: select File and Export, and choose to export only the selected packet:
After removing all the crap from the resulting text file, we get an email that was sent from 192.168.0.150 to 192.168.0.100:
Date: Tue, 13 Sep 2011 13:31:55 +0100
From: email@example.com, 1 item
To: firstname.lastname@example.org, 1 item
My backup password:
Don't delete this! \r\n
What is this backup, I wondered? By the way, Ctrl+F brings up the search window, which can search packet headers, hex values or strings. If we wanted to find more emails, we would use the latter option with ‘postmaster’ as the search string.
And the Attachment
The next email contained a fragment of backup.rar, which is Base64-encoded. It’s possible to find the other fragments, export those as text files, slowly piece them together and decode it.
Scratch that. There’s a much faster way, using a tool called uudeview to extract Base64 content from .pcap files and generate the .rar file:
And sure enough, it produced a password-protected .rar file.
Extracting the Unextractable
This should have been a simple matter of using the password from the first email, but no. The password didn’t work, and I forced the extraction of a Microsoft Word document that seemed corrupted. I then tried sifting through the capture for other passwords, and used binutils on the .rar and .docx files (which sometimes reveals passwords for older MS Office files). No luck. What is to be done?
Revisiting Wireshark, it turned out I overlooked another quick method of extracting files: select the packet in the Wireshark capture with the initial Base64 fragment, right-click and select ‘Follow TCP Stream’. The assembled fragments will be contained in the window that appears. Now it’s a matter of dumping the content between the ‘--=_BlatBoundary-487vKFss9geuXHuuudXFN’ markers into another file.
Running uudeview again produces backup.rar, this time with no errors. And the password worked.
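The step just described, cutting the Base64 part out from between the boundary markers and decoding it, is what uudeview does for you; the script below is an added example (not the post's or uudeview's code) that does the same with the standard library, and also shows why the first attempt produced a corrupt file. It splits a reassembled SMTP stream on the boundary named in the post, reads each MIME part's headers, decodes the base64 attachment and checks the result against the RAR signature. The stream is a constructed stand-in for what Follow TCP Stream shows, and the "archive" inside it is the real RAR 1.5–4.x signature followed by filler, not a real archive. Decoding is done strictly first; if the text is not valid, fully padded base64 (the symptom of a missing fragment) the decoder salvages what it can and flags the result as incomplete, which is the case to look for before blaming a password.

```python
import base64
import binascii
import re

RAR4_MAGIC = b"Rar!\x1a\x07\x00"                         # RAR 1.5-4.x file signature
BOUNDARY = "=_BlatBoundary-487vKFss9geuXHuuudXFN"        # boundary named in the post

# Constructed: real signature plus filler, NOT a real archive.
SAMPLE_PAYLOAD = RAR4_MAGIC + b"constructed, not a real archive"
SAMPLE_B64 = base64.encodebytes(SAMPLE_PAYLOAD).decode()


def build_stream(b64_text):
    """Constructed approximation of the SMTP session as shown by Follow TCP Stream."""
    body = b64_text.rstrip("\n").replace("\n", "\r\n") + "\r\n"
    return (
        "DATA\r\n354 Go ahead\r\n"
        "From: email@example.com\r\nTo: firstname.lastname@example.org\r\n"
        'Content-Type: multipart/mixed; boundary="' + BOUNDARY + '"\r\n\r\n'
        "--" + BOUNDARY + "\r\n"
        "Content-Type: text/plain\r\n\r\nFragment of the backup attached.\r\n"
        "--" + BOUNDARY + "\r\n"
        'Content-Type: application/octet-stream; name="backup.rar"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="backup.rar"\r\n\r\n'
        + body +
        "--" + BOUNDARY + "--\r\n.\r\n250 OK\r\n"
    )


def decode_base64_part(text):
    """Return (data, clean). clean is False when the text is not valid, fully padded
    base64, the usual sign that a fragment is missing or mangled; what can be decoded
    is still returned, as a forced extraction would."""
    compact = re.sub(r"\s+", "", text)
    try:
        return base64.b64decode(compact, validate=True), True
    except binascii.Error:
        salvage = re.sub(r"[^A-Za-z0-9+/=]", "", compact)
        salvage = salvage[: len(salvage) - len(salvage) % 4]
        return base64.b64decode(salvage), False


def extract_attachments(stream, boundary):
    """Return [(filename, data, clean)] for every base64 part between the markers."""
    results = []
    for part in stream.split("--" + boundary)[1:]:      # text before the first marker is chatter
        if part.startswith("--"):                        # closing marker "--boundary--"
            break
        head, sep, body = part.partition("\r\n\r\n")     # blank line ends the part headers
        if not sep:
            continue
        headers = {}
        for line in head.strip().splitlines():
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if headers.get("content-transfer-encoding", "").lower() != "base64":
            continue
        m = re.search(r'(?:filename|name)="([^"]+)"',
                      headers.get("content-disposition", "") + headers.get("content-type", ""))
        data, clean = decode_base64_part(body)
        results.append((m.group(1) if m else "unnamed", data, clean))
    return results


def looks_like_rar(data):
    """True if the decoded bytes carry the RAR signature."""
    return data.startswith(RAR4_MAGIC)


if __name__ == "__main__":
    for name, data, clean in extract_attachments(build_stream(SAMPLE_B64), BOUNDARY):
        print(name, len(data), "bytes", "complete" if clean else "INCOMPLETE", looks_like_rar(data))
```

Feed `extract_attachments` the text saved from the Follow TCP Stream window (with the boundary string taken from the message's own Content-Type header) and write `data` to disk only when `clean` is True; an incomplete flag means go back and find the missing packets rather than forcing the extraction.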
* file.docx: Initially appears as a blank document, but actually contains a white box obscuring the text.
* image.jpg: Running binutils will reveal this to be a Word document.
* info.docx: A list of files to download from a local machine.
* remember.docx: Font colour changed to obscure the text here as well.