This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract pcap email attachment - Defcon 2011 Challenge Round 2 help


Hi All,

Before everyone tells me to Google, I have. I have seen write-ups with solutions that say "extract the pcap" and I have seen search results on how to extract word docs etc. over SMTP. I am still struggling to follow the solution to Round 2 of this challenge (http://forensicscontest.com/contest0...011-Contest.tc). I am new to packet analysis, so bear with me please.

First of all, some tutorials I have come across indicate that if I follow the TCP stream I should see the contents of the email (AOL) message. I've read that Wireshark will not display the uncompressed data if I follow the TCP stream, but this tutorial (http://www.garage4hackers.com/printthread.php?s=2f786d5eda83dd42b36476dbeeaf51b8&t=1419&pp=10&page=1) says it will. I'm at a loss as to what I am doing wrong here.

Secondly, I had to do a "find" to locate the packet frame with the email message body (something I couldn't have done had the answer not been published, which frustrates me :( ). I do see the name of the file attachment in this packet, 6752. I have tried File - Export Objects - HTTP to try and locate the file, and I have tried using NetworkMiner. The file name does not show up in either. Can someone kindly explain what I am doing wrong or what I am missing? When I follow the TCP stream, should I see the email contents even with all the URL encoding etc.? What if I had 100 POST frames instead of 6 to look at; what is the methodology for finding email messages that are compressed if they do not show in the TCP stream? Yes, I realize these may be dumb questions, but I am really new to this and trying to grasp what I'm missing.

Any help is appreciated, Thanks!!!

asked 20 Feb '14, 13:47


RittleRi

It would help if we could see the challenge information, but the link does not work.

(20 Feb '14, 14:15) Jim Aragon

Sorry about that. I grabbed the link from somewhere else. Here is the link with the challenge downloads http://forensicscontest.com/2011/08/16/puzzle-9-anns-deception-defcon-2011#comments

For Round 2 specifically: http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round2/defcon2011contest-round2.html

and here is the link with the summary of questions/answers: http://forensicscontest.com/2011/08/16/puzzle-9-answers

(20 Feb '14, 15:41) RittleRi

2 Answers:


Secondly, I had to do a "find" to locate the packet frame with the email message body (something I couldn't have done had the answer not been published which frustrates me..:( ) I do see the name of the file attachment in this packet 6752.

You know the sender's name is "Ann", so "frame contains Ann" gives you 1 matching packet, namely frame 6752. The packet details for this frame indicate a MIME Multipart Encapsulation. Expanding it, you can see the first one is: "Encapsulation multipart part: (application/cap)". Expanding this again, you can see the filename is "Help.pcap".

I have tried File-Export Objects - HTTP to try and locate the file, and I have tried using NetworkMiner. The file name does not show up in either. Can someone kindly explain what I am doing wrong or what I am missing? When I follow the TCP stream, should I see the email contents even with all the URL encoding etc? What if I had 100 POST frames, instead of 6 to look at, what is the methodology to finding email messages that are compressed if they do not show in the TCP stream? Yes I realize these may be dumb questions, but I am really new to this and trying to grasp what I'm missing.

If you've followed along above, then you have already identified the "Help.pcap" file. Expanding the Media Type and selecting "Media Type: application/cap (2638123 bytes)" will highlight all the raw bytes. Notice that the first 4 bytes are "d4 c3 b2 a1". This is the pcap file's so-called magic number. Refer to the Wireshark Libpcap File Format wiki page for more information on the format. If you now right-click, you can choose "Export Selected Packet Bytes...". Name the file "Help.pcap" and then load that newly extracted file back into Wireshark.

With "Help.pcap" loaded, File -> Export Objects -> HTTP and then open the speaking schedule, schedule.html, to find the date.

answered 24 Feb '14, 08:46


cmaynard ♦♦
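The manual steps in the answer above (find the MIME part, check that its bytes begin with the pcap magic number, write the bytes out as a file) scripted so they can be run over every reassembled POST rather than one frame at a time. This is an added example, not code from the original thread or from the contest; the sample POST, its boundary, host name and 44-byte pcap are constructed here and are not the real capture.

```python
import re
import struct

# First four bytes of the capture formats Wireshark reads (see the libpcap and pcapng
# wiki pages); d4 c3 b2 a1 is the one visible at the start of the application/cap part.
CAPTURE_MAGIC = {
    b"\xd4\xc3\xb2\xa1": "pcap little-endian (usec)",
    b"\xa1\xb2\xc3\xd4": "pcap big-endian (usec)",
    b"\x4d\x3c\xb2\xa1": "pcap little-endian (nsec)",
    b"\xa1\xb2\x3c\x4d": "pcap big-endian (nsec)",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}

def split_multipart(body: bytes, boundary: bytes):
    """Yield (headers, content) per part of an RFC 2046 multipart body, byte-exact."""
    for seg in (b"\r\n" + body).split(b"\r\n--" + boundary)[1:]:  # [0] is the preamble
        if seg.startswith(b"--"):            # "--boundary--" closes the body
            break
        raw_hdrs, _, content = seg.split(b"\r\n", 1)[1].partition(b"\r\n\r\n")
        headers = {}
        for line in raw_hdrs.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        yield headers, content

def find_capture_attachments(http_request: bytes):
    """Return (filename, format, bytes) for each part of a reassembled HTTP POST whose
    content starts with a capture-file magic; the bytes are what you would export."""
    head, sep, body = http_request.partition(b"\r\n\r\n")
    m = re.search(rb'boundary="?([^";\r\n]+)', head, re.IGNORECASE)
    if not sep or not m:
        return []
    found = []
    for headers, content in split_multipart(body, m.group(1)):
        fmt = CAPTURE_MAGIC.get(content[:4])
        if fmt:
            fn = re.search(rb'filename="?([^";\r\n]+)', headers.get(b"content-disposition", b""))
            found.append((fn.group(1).decode("latin-1") if fn else None, fmt, content))
    return found

def build_sample_post() -> bytes:
    """Constructed stand-in for the webmail POST (not the real capture): a text field plus
    a 44-byte pcap (global header + one 4-byte record) uploaded as Help.pcap."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # header -> d4 c3 b2 a1 ...
    pcap += struct.pack("<IIII", 0, 0, 4, 4) + b"\x01\x02\x03\x04"     # one packet record
    b = b"XyZ123"
    body = (b"--" + b + b'\r\nContent-Disposition: form-data; name="body"\r\n\r\nHi Ann\r\n'
            b"--" + b + b'\r\nContent-Disposition: form-data; name="file"; filename="Help.pcap"\r\n'
            b"Content-Type: application/cap\r\n\r\n" + pcap + b"\r\n--" + b + b"--\r\n")
    return (b"POST /upload HTTP/1.1\r\nHost: webmail.example.invalid\r\n"
            b"Content-Type: multipart/form-data; boundary=" + b + b"\r\n\r\n" + body)
```

On a real capture, feed each reassembled POST (for example from a "Follow TCP Stream" raw save) to find_capture_attachments and write the returned bytes to the reported filename.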

Oh I see! Thank you for the wiki page link and detailed response! Very much appreciated.

(24 Feb '14, 10:48) RittleRi

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(24 Feb '14, 10:54) Kurt Knochner ♦


Hi,

I wrote a script to help do this automatically. It is very simple and was developed in order to decode malicious attachments we were receiving at a high pace.

Any pull requests are welcome; I'll rewrite a more complete tool in Python soon.

https://github.com/Ibrahimous/Miscellaneous/blob/master/bash/extract_and_decode_from_pcap/extract_and_decode_from_pcap.sh

answered 29 Jun '15, 07:13


charlou