
While going through an Intrusion Analysis course I have encountered a demo on how to use Wireshark to extract an attachment from a sniffed SMTP session. For some reason even though I follow the process indicated in the lecture, which appears more than reasonable to me, I always end up with the creation of a corrupted attachment (PDF). Please refer to the below packet capture

https://www.dropbox.com/s/y8s0zl3fvrcoict/carve-smtp.pcap?dl=0

The process described in the lecture boils down to 5 points

1) Use Analyze > Follow TCP Stream to see the conversation

2) Save the whole conversation in raw format (the attachment is obviously inside, base64 encoded). Let’s call it carve.raw

3) Carve out everything apart from the base64 encoding

4) Remove the ^M characters in the file (result of different line endings used in Windows and Linux) and save it. It can be done quickly in vi with

:%s/^M//g

5) Use base64 to decode the encoded attachment in this way

base64 -d carve.raw > attached.pdf

(it is said that the attachment is a PDF)

Point 5 is where I immediately understand that something is wrong as the output I get is

base64: invalid input

Nevertheless, the attachment file is created and, when I try to open it, I receive the information that the file is corrupted.

Does anybody know what I am missing?

P.S: Even though I would like to keep this exercise “low-level” (as manual as possible), I have tried to extract the file with Foremost as well and it failed to identify anything.

asked 02 May '17, 10:24


squalodelfilo

edited 02 May '17, 12:38
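As an added example (not part of the original question or answer), the five steps above carried out in Python on a constructed single-direction SMTP stream: carve the base64 part between its MIME headers and the closing boundary (step 3), strip the carriage returns (step 4), and decode with the same strictness as `base64 -d` (step 5), which is also what shows why the decoder rejects the input while the ^M bytes are still in it. The attachment bytes and the message are constructed here; they are not the capture's real PDF.

```python
import base64
import binascii

# Constructed sample: a tiny PDF-like payload and the SMTP DATA section as
# "Follow TCP Stream" would show it, with CRLF line endings throughout.
ATTACHMENT = (b"%PDF-1.4\n%constructed sample, not the capture's real PDF\n"
              b"1 0 obj << /Type /Catalog >> endobj\n%%EOF\n")
B64_LINES = base64.encodebytes(ATTACHMENT).decode().splitlines()
RAW_STREAM = (
    "DATA\r\n"
    "From: sender@example.test\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n--XYZ\r\n"
    'Content-Type: application/pdf; name="man.pdf"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="man.pdf"\r\n'
    "\r\n" + "\r\n".join(B64_LINES) + "\r\n"
    "--XYZ--\r\n.\r\n"
)

def carve_base64_part(stream: str) -> str:
    """Step 3: keep only the body of the first base64-encoded MIME part.
    The body starts after the blank line that ends the part headers and
    stops at the next boundary line (one beginning with '--')."""
    lines = stream.split("\n")          # lines keep their trailing '\r' (the ^M)
    i = next(k for k, ln in enumerate(lines)
             if ln.strip().lower() == "content-transfer-encoding: base64")
    while lines[i].strip() != "":       # skip the remaining part headers
        i += 1
    body = []
    for ln in lines[i + 1:]:
        if ln.startswith("--"):
            break
        body.append(ln)
    return "\n".join(body) + "\n"

def strip_cr(text: str) -> str:
    """Step 4: the equivalent of :%s/^M//g in vi."""
    return text.replace("\r", "")

def decode_strict(b64_text: str) -> bytes:
    """Step 5: like `base64 -d`, refuse any byte outside the base64 alphabet.
    Line feeds are removed first; a leftover '\r' raises binascii.Error."""
    return base64.b64decode("".join(b64_text.split("\n")), validate=True)

def strict_decode_fails(b64_text: str) -> bool:
    """True when decode_strict rejects the text (the 'invalid input' case)."""
    try:
        decode_strict(b64_text)
        return False
    except binascii.Error:
        return True

def extract_attachment(stream: str) -> bytes:
    return decode_strict(strip_cr(carve_base64_part(stream)))

def is_pdf(data: bytes) -> bool:
    return data.startswith(b"%PDF-")
```

Running `extract_attachment(RAW_STREAM)` returns the original bytes, while `strict_decode_fails(carve_base64_part(RAW_STREAM))` is True because of the carriage returns still present before step 4.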


The steps described are OK. However, a possible bug may be playing tricks on you.

After "Follow TCP Stream" I switched the view to one flow direction => '10.10.10.10:34573 -> 10.10.10.25:25' and saved this content as ASCII to file (carve.b64).

When opening this file in an editor the content is duplicated, the first one with ^M, the second one without it. This looks like a Wireshark bug to me.

After removing everything before and after the second base64 part and saving it, I can run base64 -d without any problem.

I get a PDF file showing the dos2unix manpage.


answered 02 May '17, 12:21


Uli

Thank you! I had overlooked that second part. I managed to decode it successfully.

(02 May '17, 13:53) squalodelfilo