August 22, 2009

I stumbled across an interesting contest today, and just had to give it a shot. There's just one catch: I had never tried to extract data from a PCAP file before. In fact, I didn't even know that it could be done...although I'm not surprised. Anyway, here is how I extracted the complete document that was transferred from Ann's computer to the rogue laptop. You did read the puzzle's scenario, right?

Bear in mind that as this was my first attempt to do something like this, I went through quite a few failures before I did the following. Despite my problems, I had fun and am glad I kept at it.

The first thing to do was download the PCAP file and open it up in Wireshark. Once the file was opened, I set Wireshark to show only the packets sent from Ann's computer by setting the following filter:
ip.src ==
From the scenario, I knew that Ann sent some sort of file to the rogue laptop, and that more than likely it was done through an IM client. The packet list showed "aol" in the Info column for all of the packets going to that address. I don't know much about AOL, but I do know that they have an instant messenger that is quite popular. Knowing this, I decided to look at these packets and see what could be found.

The first thing I noticed in the packet was "Cool FileXfer," which is the identifier string in AIM's file-transfer (OFT) header. Things started looking really interesting. So that I could see all of the traffic sent from Ann's computer to this address, I chose to follow the TCP stream of the conversation.

It all looked like a bunch of gibberish, but one thing really caught my attention..."recipe.docx." Maybe this was the file I was after. I decided to give it a shot and chose to save the stream. To save it, I selected Raw, clicked Save As, and saved the stream as recipe.docx. (Note that "Entire conversation" writes both directions of the stream into the file; the direction dropdown in the Follow TCP Stream dialog lets you keep only the bytes sent from Ann's host.)

Word refused to open the file and reported an error. Still certain that this contained the file I was after, I decided to do a little hex editing. Not wanting to mess things up, I opened up Word and created my own DOCX file to serve as a baseline for my editing.

Looking at my test file, I noticed that it started with the following bytes:
50 4B 03 04 14 00 06 00 08 00 00 00 21 00 DD FC 95 37 66 01 00 00 20 05 00 00 13 00 08 02 5B 43 6F 6E 74 65 6E 74 5F 54 79 70 65 73 5D 2E 78 6D 6C 20 A2 04 02 28 A0 00 02
The leading 50 4B 03 04 ("PK\x03\x04") is the ZIP local file header signature; a DOCX is a ZIP archive, and the ASCII bytes that follow spell out the first entry's name, [Content_Types].xml. The CRC and size fields in between differ from file to file, so the signature is what to look for. The saved recipe stream contained the same ZIP signature, but with extra bytes preceding it: the file-transfer protocol's own header (the part containing "Cool FileXfer"). I used the hex editor to delete everything before the signature, saved the recipe file, and opened it in Word. I still got a warning about the file, but I chose to try to open it anyway.
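The hex-editing step above can be automated. The following script is an added example and not the author's code or part of the contest materials: it takes the bytes of a raw stream saved from Wireshark, locates the ZIP local file header signature, locates the end-of-central-directory record that closes every ZIP archive, and keeps only the bytes in between, so that both the leading transfer header and anything trailing the archive are dropped. The sample input it runs on is constructed in the script; its 256-byte prefix only mimics a protocol header that carries "Cool FileXfer" and is not the real AIM header layout.

```python
"""Carve a ZIP-based document (such as a DOCX) out of a raw TCP stream dump.

Added example, not the original post's code. It automates the hex-editing
step: find the ZIP local-file-header signature 'PK\\x03\\x04', find the
end-of-central-directory (EOCD) record 'PK\\x05\\x06', and keep the bytes
from the first to the end of the second (including its optional comment).
"""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # 50 4B 03 04, start of every ZIP entry
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory signature
EOCD_FIXED_LEN = 22                # fixed part; a comment of stated length follows


def carve_zip(stream: bytes) -> bytes:
    """Return the ZIP container embedded in `stream`, stripped of leading
    protocol bytes and trailing junk. Raises ValueError if none is present."""
    start = stream.find(ZIP_LOCAL_HEADER)
    if start == -1:
        raise ValueError("no ZIP local file header (PK\\x03\\x04) found")
    # The EOCD is the last structure in an archive, so search from the end.
    eocd = stream.rfind(ZIP_EOCD, start)
    if eocd == -1 or eocd + EOCD_FIXED_LEN > len(stream):
        raise ValueError("no complete end-of-central-directory record found")
    # The 2-byte little-endian comment length sits at offset 20 of the EOCD.
    (comment_len,) = struct.unpack_from("<H", stream, eocd + 20)
    end = eocd + EOCD_FIXED_LEN + comment_len
    if end > len(stream):
        raise ValueError("EOCD comment runs past end of stream; transfer truncated?")
    return stream[start:end]


def docx_entries(blob: bytes) -> list:
    """Open the carved bytes as a ZIP, CRC-check every entry and list the
    entry names. A real DOCX always contains [Content_Types].xml."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        bad = zf.testzip()  # returns the first corrupt entry name, or None
        if bad is not None:
            raise ValueError(f"corrupt entry in carved archive: {bad}")
        return zf.namelist()


def build_sample_stream() -> bytes:
    """Constructed test input (not captured data): a minimal DOCX-like ZIP
    wrapped in fake file-transfer framing. The 256-byte prefix is NOT the real
    AIM/OFT header layout; it only mimics a header carrying 'Cool FileXfer'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>secret recipe</w:document>")
    payload = buf.getvalue()
    prefix = (b"OFT2" + b"\x01\x00" + b"Cool FileXfer").ljust(256, b"\x00")
    trailer = b"\x00" * 16  # constructed bytes following the transfer
    return prefix + payload + trailer


if __name__ == "__main__":
    raw = build_sample_stream()
    carved = carve_zip(raw)
    print(docx_entries(carved))  # ['[Content_Types].xml', 'word/document.xml']
```

To use it on a real capture, read the bytes of the stream saved from Wireshark and pass them to carve_zip; the result can be written straight to a .docx file. Because the carve stops at the end-of-central-directory record, any bytes after the archive (for example the other side's protocol frames when the whole conversation was saved) are discarded as well, which is the usual cause of a document still producing a warning after only the front has been trimmed. Since a DOCX is a ZIP, docx_entries (or any unzip tool) is a quicker sanity check than opening the file in Word.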

Bingo! There was the secret recipe I was looking for. I had actually managed to extract all of this from a simple packet capture. Wicked!

What? You want to know the recipe? Well...go get your hex editing on like I did.