Bonjour, I'm preparing a degree level and i have to find user / password in clear text using POP. Well, i did it, don't have to be genius for that. But wanted to go further and find the attached file and rebild it. I tried with the magic number PK for .docx (delete all before PK, found by Follow TCP Stream) but doesn't work for me. It seems that i have the begining "PK" but not "end" not the good one of course. I got the frames on the way out (while sending). Can somebody tell me "where is the end" of the attached file. How should i proceed, which protocols to use to find it easier, where to put the analyser ... And how to upload a file in Wireshark, please, would be easier for you with the file in front. PS: have two more questions, i'm not getting out... but one after another best regards asked 30 Sep '15, 08:39  tome80 edited 30 Sep '15, 10:20  grahamb ♦ |
One Answer:
I can see this Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="Nutri group.docx" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Nutri group.docx" and by editing from PK to the endn and then savig to .docx. I'can open the document. If PK is the begining and the end is not the end there must be some other "end" like "." the file is 1.56 Mo, maybe i should try only with few lines, but a real file is biggest chalenge. best regardes answered 15 Oct '15, 14:09 tome80 |
You can share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc. and then edit your question with the link to the file.
Any advice ? Do I do the rignt thing ?
Which TCP stream are you "following" in that pcap?
Bonsoir,
I follow the TCP Stream on pacjet 78 (DATA Fragment) where i can see the name of the attachment ...
check this link cause i changed the file (the other one i didnt remember where did i look for) so i made a new capture with my test accounts.
https://www.cloudshark.org/captures/88d11775b31b
thanks for your help
best regardes