Monday, April 2, 2018
Extracting and decrypting an HTTP capture with Tcpxtract / FCrackZip
EXTRACTING AND DECRYPTING AN HTTP CAPTURE WITH TCPXTRACT / FCRACKZIP
- Layout for this exercise:
1 - Tcpxtract / FCrackZip
- tcpxtract is a tool for extracting files from network traffic based on file signatures.
- Extracting files based on file type headers and footers (sometimes called "carving") is an age-old data recovery technique.
- tcpxtract uses this technique specifically for the application of intercepting files transmitted across a network.
- To download and install tcpxtract:
- FCrackZip is a zip password cracking tool.
- To download and install FCrackZip:
2 - Transferring a password protected file from Ubuntu to Kali Linux
- Password-protecting a zipped file, composed of a text file and a picture, and storing it on the Ubuntu Apache server:
- Now, let's enable Wireshark on Kali so that the transfer can be captured:
- Now, opening a browser on Kali, let's download the file instrument.zip from Ubuntu:
- The file transfer is successful:
- Wireshark has captured the transfer between both devices and created a .pcap file:
- Saving capture.pcap for further treatment:
3 - Extracting a Wireshark capture with tcpxtract
- Extracting capture.pcap with tcpxtract and outputting to the folder data:
- Checking the content of the extracted .html files, some of them turn out to be encrypted:
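The header/footer matching that tcpxtract performs on the capture, written out as an added Python example (this is not tcpxtract's code, and the signature table below is mine rather than the one in tcpxtract.conf). tcpxtract reassembles the TCP sessions from the .pcap first; this example starts from an already reassembled server-to-client stream, which it constructs inline: three HTTP responses carrying an HTML page, a small zip and a PNG, with the last transfer cut off. It shows why a carver produces files with no regard to the HTTP Content-Type, and what an interrupted transfer looks like in the output (a header with no footer, carved up to the size limit).

```python
import io
import struct
import zipfile
import zlib
from collections import namedtuple

Carved = namedtuple("Carved", "kind offset data truncated")

# Signature table for this example (constructed here, not taken from tcpxtract.conf):
# kind -> (header magic, footer magic, bytes that follow the footer magic, max carve size).
SIGNATURES = {
    "html": (b"<html", b"</html>", 0, 50_000),
    # The End Of Central Directory record is the 4-byte magic plus 18 more bytes (no comment).
    "zip": (b"PK\x03\x04", b"PK\x05\x06", 18, 1_000_000),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 0, 1_000_000),
}


def carve(stream: bytes) -> list:
    """Header/footer carving over a reassembled byte stream.

    Every header match opens a file; the file ends at the first footer match inside
    the size window. A header with no footer in the window is carved up to the window
    and flagged truncated, which is how an interrupted transfer shows up."""
    found = []
    for kind, (head, foot, tail, max_size) in SIGNATURES.items():
        start = stream.find(head)
        while start != -1:
            window_end = min(len(stream), start + max_size)
            foot_pos = stream.find(foot, start + len(head), window_end)
            if foot_pos == -1:
                found.append(Carved(kind, start, stream[start:window_end], True))
                next_from = start + len(head)
            else:
                end = min(len(stream), foot_pos + len(foot) + tail)
                found.append(Carved(kind, start, stream[start:end], False))
                next_from = end  # skip headers nested inside the carved file (e.g. zip entries)
            start = stream.find(head, next_from)
    found.sort(key=lambda c: c.offset)
    return found


# --- constructed sample data -------------------------------------------------

SAMPLE_HTML = b'<html><body><a href="instrument.zip">instrument.zip</a></body></html>'


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def tiny_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG built in code (stands in for the picture in the zip)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def small_zip() -> bytes:
    """An unencrypted stored zip with one text entry; fixed timestamp keeps the bytes deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("instrument.txt", date_time=(2018, 4, 2, 0, 0, 0))
        zf.writestr(info, "a guitar")
    return buf.getvalue()


def _http_response(ctype: str, body: bytes) -> bytes:
    head = f"HTTP/1.1 200 OK\r\nContent-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body


def sample_stream() -> bytes:
    """Constructed server-to-client stream: three responses back to back, the PNG cut off."""
    return (_http_response("text/html", SAMPLE_HTML)
            + _http_response("application/zip", small_zip())
            + _http_response("image/png", tiny_png())[:-10])


if __name__ == "__main__":
    for item in carve(sample_stream()):
        state = "truncated" if item.truncated else "complete"
        print(f"{item.kind:4} at offset {item.offset:5}: {len(item.data):4} bytes ({state})")
```

The carver never looks at the HTTP headers, which is why tcpxtract's output directory mixes .html, .zip and image files named only by sequence number, and why a zip that was served encrypted is extracted exactly as it crossed the wire: the container is carved intact and the password protection is all that stands between the capture and the content.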
4 - Decrypting with fcrackzip and unzipping
- Taking the file 00000010.zip to be decrypted:
- The encryption password is found:
- Finally, we are able to unzip the transferred file (composed of a text file and an image) using the recovered password:
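What fcrackzip is doing when it recovers that password, as an added Python example (not fcrackzip's code). A zip protected with traditional PKWARE encryption ("ZipCrypto", what `zip -e` and most legacy tools produce; AES-encrypted zips are out of scope here) stores a 12-byte encryption header whose last byte must match the high byte of the entry's CRC-32. That one-byte check is why guessing is so fast and also why it yields false positives: roughly 1 in 256 wrong passwords passes it, which is what fcrackzip's `-u`/`--use-unzip` option exists to weed out. The example builds a small ZipCrypto-protected archive in memory (the cipher is implemented here so the example runs offline; the password `guitar`, the file name and the wordlist are all constructed), then runs a dictionary attack that applies the check byte first and a full decrypt-and-CRC verification second.

```python
import io
import os
import struct
import zipfile
import zlib

# CRC-32 table (reflected polynomial 0xEDB88320), used by the ZipCrypto key schedule.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCrypto:
    """Traditional PKWARE stream cipher: three 32-bit keys seeded from the password
    and advanced by every plaintext byte, so decryption mirrors encryption."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for p in plaintext:
            t = (self.k2 | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)
        return bytes(out)


def build_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """Single stored entry, flag bit 0 set, ZipCrypto header + data; readable by zipfile."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 11 random bytes plus the check byte: the high byte of the CRC-32 of the plaintext.
    enc_header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    payload = ZipCrypto(password).encrypt(enc_header + data)
    fname = name.encode()
    flags, method, dos_time, dos_date = 0x0001, zipfile.ZIP_STORED, 0, (38 << 9) | (4 << 5) | 2
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, dos_time, dos_date,
                        crc, len(payload), len(data), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method, dos_time,
                          dos_date, crc, len(payload), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    cd_offset = len(local) + len(payload)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + payload + central + eocd


def crack_zip_password(zip_bytes: bytes, wordlist):
    """Dictionary attack on the first entry. Returns (password or None, number of
    candidates that passed the 1-byte check). zipfile raises RuntimeError when the
    check byte mismatches and BadZipFile when the full CRC-32 does."""
    passed_check_byte = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entry = zf.infolist()[0]
        for word in wordlist:
            pwd = word.encode() if isinstance(word, str) else word
            try:
                fh = zf.open(entry, pwd=pwd)   # stage 1: check byte only
            except RuntimeError:
                continue
            passed_check_byte += 1
            try:
                with fh:
                    fh.read()                  # stage 2: decrypt everything, verify CRC-32
            except zipfile.BadZipFile:
                continue
            return pwd, passed_check_byte
    return None, passed_check_byte


def read_entry(zip_bytes: bytes, name: str, pwd: bytes) -> bytes:
    """Plain extraction with a known password, as the final unzip step does."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=pwd)


if __name__ == "__main__":
    archive = build_encrypted_zip("instrument.txt", b"text transferred inside instrument.zip", b"guitar")
    pwd, hits = crack_zip_password(archive, ["password", "123456", "piano", "guitar"])
    print("password:", pwd, "| candidates past the check byte:", hits)
    print(read_entry(archive, "instrument.txt", pwd))
```

The two-stage structure is the point: the check byte alone is enough to discard almost every wrong guess at almost no cost, which is what makes a dictionary or brute-force run against ZipCrypto practical for an attacker, and the full CRC verification is what turns a probable hit into a confirmed one. The defensive lesson from the whole exercise is the same one the capture shows: a password-protected legacy zip sent over plain HTTP leaves both the archive and the weakness of its encryption in the hands of anyone on the path.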