Looking for a file

asked 2019-12-08 21:45:42 +0000

AlexKaos
1 ●1 ●1 ●1

Hi everyone, I'm trying to find a file within a pcap, but no luck. I've used NetworkMiner to find files in other pcaps. I've also seen what the file transfer looks like by following each stream. But the pcap I'm working with doesn't look anything like that. There are a ton of TCP RST, SYN, SYN/ACK, and ACK flags all over the place if that helps. This is for a CTF so I'm not looking for anyone to just give me the answer, but any pointers would be much appreciated.

edit retag flag offensive close merge delete

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2019-12-09 00:01:11 +0000

SYN-bit

18344 ●9 ●301 ●255 https://SYN-b.it

One way I start is by using the filter tcp.len>0 to view only the TCP packets with payload. That will remove all the SYN, RST and ACK packets that might confuse you. Then you can also use statistics -> conversations (TCP tab) and enable "Limit to display filter" to get an overview of how much data was transferred in the sessions that do have payload data.

Is there a (public) link to the pcap file to look at?

edit flag offensive delete link

Comments

Awesome thanks, I'll try that. There isn't a public link to the pcap file, I could upload it to google drive and share it that way.

AlexKaos ( 2019-12-09 00:07:15 +0000 )edit

https://drive.google.com/open?id=10jG...

AlexKaos ( 2019-12-09 00:09:28 +0000 )edit

That did help filter out the ambiguity. But I'm still not seeing the file, also, the CTF is over now so I'll provide a bit more info. The goal of that particular question was to find the file, and calculate the md5 hash (which is the flag).

AlexKaos ( 2019-12-09 03:15:01 +0000 )edit

Nice one... Is the answer e0fb946c...258c22a1 (not posting the whole MD5 to not spoil the challenge)?

SYN-bit ( 2019-12-09 12:01:10 +0000 )edit

That's probably it, I have no way to verify now. I must be missing some information though, I can tell that there was a lot of data transferred, and I've applied the filters, but clearly the file is obfuscated somehow because it's not listed anywhere as "file.exe" or whatever. Why is it that I'm not seeing a straightforward file transfer?

AlexKaos ( 2019-12-09 14:26:17 +0000 )edit

see more comments

answered 2019-12-09 03:37:18 +0000

Chuckc
2858 ●5 ●568 ●19

One of the best Wireshark tips (not sure who to credit) is to turn the colors off.
All the red packets can be a red herring. :-)
Work down through the Statistics menus - Protocol Hierarchy, Conversations, Endpoints.
There is a port scan mixed in - filter those packets out and the capture gets clearer.
Filter out any protocols that probably aren't being used to transfer data.
Double check before excluding since data is sometimes tunneled through these "other" protocols.
(Filtering out the port scan and ancillary protocols cut about 2500 packets out of the display.)

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Looking for a file

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

Looking for a file edit

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

Looking for a file