Monday, April 2, 2018

Extracting and decrypting an HTTP capture with Tcpxtract / FCrackZip


- Layout for this exercise:

1 - Tcpxtract / FCrackZip

- tcpxtract is a tool for extracting files from network traffic based on file signatures.

- Extracting files based on file type headers and footers (sometimes called "carving") is an age-old data recovery technique.

tcpxtract uses this technique specifically for the application of intercepting files transmitted across a network. 

- To download and install tcpxtract:

- FCrackZip is a zip password cracking tool.

- To download and install FCrackZip:

2 - Transferring a password protected file from Ubuntu to Kali Linux

- Password-protecting a zipped file, composed of a text and a picture, and storing it on the Ubuntu Apache server:

- Now, let's enable Wireshark on Kali so that the transfer can be captured:

- Now, opening a browser on Kali, let's download the file from Ubuntu:

- The file transfer is successful:

- Wireshark has captured the transfer between both devices and created a .pcap file:

- Saving capture.pcap for further treatment:

3 - Extracting a Wireshark capture with tcpxtract

- Extracting capture.pcap with tcpxtract and outputting to the folder data:

- Checking the content of the extracted .html files shows that some of them are encrypted:

4 - Decrypting with fcrackzip and unzipping

- Taking the file to be decrypted:

- The encryption password is found:

- Finally, we are able to unzip the transferred file (composed of a text and an image) using the recovered password:
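To show what the two tools do under the hood, here is an added Python example that is not part of the original post nor of the tcpxtract or fcrackzip projects: it carves a zip out of a constructed HTTP response by header and footer signature the way tcpxtract does, reads the archive's own encryption flag to tell which entry is password-protected, and runs a small wordlist against it the way fcrackzip does. The archive (built with a small ZipCrypto encryptor so the sample is self-contained), the HTTP response, the wordlist and the password kali2018 are all constructed for this example.

```python
import io, struct, zipfile, zlib
def zipcrypto_encrypt(password, plaintext, crc):
    # Traditional PKWARE ("ZipCrypto") cipher: three keys seeded from the password, a 12-byte header ending in the high CRC byte, then plaintext XOR keystream
    step = lambda c, b: zlib.crc32(bytes([b]), c ^ 0xFFFFFFFF) ^ 0xFFFFFFFF  # raw table CRC-32 step
    k = [0x12345678, 0x23456789, 0x34567890]
    def encrypt_byte(b):
        t = (k[2] | 2) & 0xFFFF
        c = b ^ (((t * (t ^ 1)) >> 8) & 0xFF)
        k[0] = step(k[0], b)  # keys advance on the plaintext byte
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = step(k[2], k[1] >> 24)
        return c
    for b in password: encrypt_byte(b)  # seeding: only the key update matters, output is discarded
    return bytes(encrypt_byte(b) for b in bytes(11) + bytes([crc >> 24]) + plaintext)

def build_encrypted_zip(name, data, password):
    # One stored entry with general-purpose flag bit 0 set (traditional encryption) and a 1980-01-01 stamp
    crc = zlib.crc32(data)
    body = zipcrypto_encrypt(password, data, crc)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21, crc, len(body), len(data), len(name), 0) + name
    cdir = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21, crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cdir), len(local) + len(body), 0)
    return local + body + cdir + eocd

def carve_zips(stream):
    # Header/footer carving as tcpxtract does it; the EOCD footer's comment-length field fixes the true end of the archive
    found, pos = [], 0
    while (start := stream.find(b"PK\x03\x04", pos)) != -1:
        end = stream.find(b"PK\x05\x06", start)
        if end == -1 or end + 22 > len(stream): break
        pos = end + 22 + struct.unpack_from("<H", stream, end + 20)[0]
        found.append(stream[start:pos])
    return found

def recover_password(zip_bytes, wordlist):
    # Wordlist attack as fcrackzip runs it; read() forces the CRC check, since the 1-byte header check alone passes about 1 in 256 wrong guesses
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        target = next((i for i in zf.infolist() if i.flag_bits & 0x1), None)
        if target is None: return None  # no entry carries the encryption flag: nothing to crack
        for pwd in wordlist:
            try:
                zf.read(target, pwd=pwd)
                return pwd
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue
    return None
# Constructed sample: the protected archive inside an HTTP response, as the lab's Apache download would carry it
ARCHIVE = build_encrypted_zip(b"secret.txt", b"a text and a picture would be here\n", b"kali2018")
CAPTURE = b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n" + ARCHIVE + b"<html>next response</html>"
WORDLIST = [b"password", b"123456", b"ubuntu", b"kali2018"]
```

The same 1-in-256 false positive is why a cracker should verify a candidate on the full entry and not only on the header byte; the `.html` files tcpxtract wrote in this lab are simply the carved responses, so the carving loop above is what produced them.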