Looking for a file

asked 2019-12-08 21:45:42 +0000

AlexKaos

Hi everyone, I'm trying to find a file within a pcap, but no luck. I've used NetworkMiner to find files in other pcaps. I've also seen what the file transfer looks like by following each stream. But the pcap I'm working with doesn't look anything like that. There are a ton of TCP RST, SYN, SYN/ACK, and ACK flags all over the place if that helps. This is for a CTF so I'm not looking for anyone to just give me the answer, but any pointers would be much appreciated.


2 Answers


answered 2019-12-09 00:01:11 +0000

SYN-bit

One way I start is by using the filter tcp.len>0 to view only the TCP packets with payload. That will remove all the SYN, RST and ACK packets that might confuse you. Then you can also use Statistics -> Conversations (TCP tab) and enable "Limit to display filter" to get an overview of how much data was transferred in the sessions that do have payload data.

Is there a (public) link to the pcap file to look at?


Comments

Awesome thanks, I'll try that. There isn't a public link to the pcap file, I could upload it to google drive and share it that way.

AlexKaos (2019-12-09 00:07:15 +0000)

That did help filter out the ambiguity. But I'm still not seeing the file. Also, the CTF is over now, so I'll provide a bit more info. The goal of that particular question was to find the file and calculate the MD5 hash (which is the flag).

AlexKaos (2019-12-09 03:15:01 +0000)

Nice one... Is the answer e0fb946c...258c22a1 (not posting the whole MD5 to not spoil the challenge)?

SYN-bit (2019-12-09 12:01:10 +0000)

That's probably it, I have no way to verify now. I must be missing some information though, I can tell that there was a lot of data transferred, and I've applied the filters, but clearly the file is obfuscated somehow because it's not listed anywhere as "file.exe" or whatever. Why is it that I'm not seeing a straightforward file transfer?

AlexKaos (2019-12-09 14:26:17 +0000)

That's because it was not a straightforward file transfer.

In the trace you can find a shell session to the Windows machine. And in that session, some commands were used to build up the file. So, find the conversation, look at what is being done, Google for the command that was used to build up the file and then use some form of scripting yourself to create the file, based on all of the above. Have fun!

SYN-bit (2019-12-09 15:30:06 +0000)

Okay, will do, thanks!

AlexKaos (2019-12-09 15:31:36 +0000)

Okay, so I'm pretty sure I found the file: badboy.exe. However, I don't really understand what's going on with that file transfer, and also, I got a different MD5.

AlexKaos (2019-12-11 01:00:22 +0000)

Are you looking at tcp.stream==1001? If you do a Follow TCP Stream on it, you can see what is going on. It might help to show only the bytes from the client, so instead of "Entire conversation" you can select "192.168.1.50:4444 -> 192.168.1.100:2546".

Look at which commands are entered and for each command find out what it does.

(I hope you don't mind that I try to let you find it out yourself with hints from me, I think you will learn the most that way, if you just want a little walk-through, I can do that too of course. Your choice :-))

SYN-bit (2019-12-12 14:57:32 +0000)

That's exactly the stream I've been viewing. I see that it's a file transfer technique (post exploitation?) but I can't figure out how it works. I'm not really sure what information I'm missing. Normally I prefer to just get pointers and figure it out for myself, but I've spent days on this problem so maybe a short walk-through would be more helpful in this case. (If you don't mind).

AlexKaos (2019-12-14 03:56:43 +0000)
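The tcp.len>0 filter, the conversation byte totals and the single-direction Follow TCP Stream that SYN-bit describes, as an added example in pure Python (not code from this thread or from Wireshark). It assumes a classic little-endian pcap with Ethernet framing and builds its own constructed sample capture, reusing only the two endpoint addresses quoted in the comments:

```python
import struct
from collections import defaultdict

def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) per IPv4/TCP packet in a little-endian pcap (Ethernet)."""
    off = 24                                             # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                     # not IPv4 over Ethernet, or not TCP
        ihl = (pkt[14] & 0x0F) * 4
        tcp = pkt[14 + ihl:14 + struct.unpack_from("!H", pkt, 16)[0]]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
        yield src, sport, dst, dport, seq, tcp[(tcp[12] >> 4) * 4:]

def conversation_bytes(pcap):
    """Statistics -> Conversations (TCP) limited to tcp.len>0: payload bytes per conversation."""
    totals = defaultdict(int)
    for src, sp, dst, dp, _, payload in tcp_segments(pcap):
        if payload:                                      # SYN/ACK/RST-only packets add nothing
            totals[tuple(sorted([(src, sp), (dst, dp)]))] += len(payload)
    return dict(totals)

def one_direction(pcap, src, sport, dst, dport):
    """Follow TCP Stream, one direction only: bytes from (src, sport), seq-ordered, retransmits dropped."""
    segs = {}
    for s, sp, d, dp, seq, payload in tcp_segments(pcap):
        if (s, sp, d, dp) == (src, sport, dst, dport) and payload:
            segs.setdefault(seq, payload)                # first copy of a sequence number wins
    return b"".join(segs[k] for k in sorted(segs))

def _pkt(src, sport, dst, dport, seq, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture below (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

A, B = ("192.168.1.50", 4444), ("192.168.1.100", 2546)  # constructed sample; endpoints as named in the thread
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in [
        _pkt(*A, *B, 100, 0x02), _pkt(*B, *A, 500, 0x12), _pkt(*A, *B, 101, 0x10),   # handshake
        _pkt(*A, *B, 101, 0x18, b"echo "), _pkt(*A, *B, 106, 0x18, b"hello>note.txt\r\n"),
        _pkt(*A, *B, 101, 0x18, b"echo "),               # retransmission of the first segment
        _pkt(*B, *A, 501, 0x18, b"C:\\>"),
        _pkt("10.0.0.9", 55555, "192.168.1.100", 80, 1, 0x04)])   # RST from a port scan
```

Only the payload-bearing conversation shows up in the totals, and reading one direction with retransmissions collapsed gives the command text to work from.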

answered 2019-12-09 03:37:18 +0000

Chuckc
1. One of the best Wireshark tips (not sure who to credit) is to turn the colors off. All the red packets can be a red herring. :-)

2. Work down through the Statistics menus - Protocol Hierarchy, Conversations, Endpoints. There is a port scan mixed in - filter those packets out and the capture gets clearer.

3. Filter out any protocols that probably aren't being used to transfer data. Double check before excluding since data is sometimes tunneled through these "other" protocols. (Filtering out the port scan and ancillary protocols cut about 2500 packets out of the display.)

Stats

Asked: 2019-12-08 21:45:42 +0000

Seen: 19,607 times

Last updated: Dec 09 '19