Penetration Testing mailing list archives
Data carving exploit from pcap file
From: "Danilo Nascimento" <daniloleke () gmail com>
Date: Fri, 19 Sep 2008 16:22:53 -0300
Hi JK!

The "Follow TCP Stream" feature in Wireshark filters the communication based on (Source IP, Destination IP, Source Port and Destination Port) from beginning to end, so you can get the shellcode with this option. For instance, an HTTP connection:

192.168.0.1:1025 (or whatever) -> 192.168.0.2:80 (syn)
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80 (syn - ack)
/* Shellcode is somewhere in here
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
*/
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80 (fin)
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80 (fin - ack)

PS: Some characters aren't printable, so you need to select the Hex Dump option instead of ASCII in "Follow TCP Stream".

Sorry for my poor English.

Regards,
Danilo Nascimento
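As an added example (not part of Danilo's message or of the thread), the following Python script does by hand what the post describes Follow TCP Stream doing: it selects segments by the (src ip, src port, dst ip, dst port) 4-tuple in both directions, joins their payloads in sequence-number order, and prints a hex dump so the non-printable bytes are visible. It builds a constructed pcap in memory rather than reading a real capture, using the 192.168.0.1:1025 -> 192.168.0.2:80 connection from the post, with one request segment captured out of order, one retransmitted, and an unrelated connection mixed in to show the filter working. All addresses, ports, sequence numbers and payloads are assumptions made for the example; the 0x90 bytes merely stand in for non-printable shellcode and encode no real exploit.

```python
import struct

# Constructed sample, not a real capture: 192.168.0.1:1025 talks to 192.168.0.2:80 as in
# the post. The 0x90 bytes only stand in for non-printable shellcode; no exploit is encoded.
CLIENT = ("192.168.0.1", 1025)
SERVER = ("192.168.0.2", 80)
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10
REQ_A = b"GET /" + b"\x90" * 8
REQ_B = b" HTTP/1.0\r\n\r\n"
RESP = b"HTTP/1.0 200 OK\r\n\r\n"

def build_packet(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums are left zero because carving never checks them."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header (linktype 1 = Ethernet) + one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1221837773 + i, 0, len(f), len(f)) + f
    return out

def sample_pcap():
    c, s, cs, ss = CLIENT, SERVER, 1000, 5000  # endpoints and initial sequence numbers
    req_len = len(REQ_A) + len(REQ_B)
    return build_pcap([
        build_packet(*c, *s, cs, 0, SYN),
        build_packet(*s, *c, ss, cs + 1, SYN | ACK),
        build_packet(*c, *s, cs + 1, ss + 1, ACK),
        build_packet(*c, *s, cs + 1 + len(REQ_A), ss + 1, PSH | ACK, REQ_B),  # captured out of order
        build_packet(*c, *s, cs + 1, ss + 1, PSH | ACK, REQ_A),
        build_packet(*c, *s, cs + 1, ss + 1, PSH | ACK, REQ_A),               # retransmission
        build_packet(*s, *c, ss + 1, cs + 1 + req_len, PSH | ACK, RESP),
        build_packet(*c, *s, cs + 1 + req_len, ss + 1 + len(RESP), FIN | ACK),
        build_packet(*s, *c, ss + 1 + len(RESP), cs + 2 + req_len, FIN | ACK),
        # an unrelated connection to the same server; the 4-tuple filter must drop it
        build_packet("10.0.0.5", 40000, "192.168.0.2", 80, 1, 0, PSH | ACK, b"GET /other HTTP/1.0\r\n\r\n"),
    ])

def iter_frames(pcap):
    """Yield raw frames from a classic pcap file (either byte order, usec or nsec magic)."""
    e = "<" if struct.unpack_from("<I", pcap, 0)[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    if struct.unpack_from(e + "I", pcap, 20)[0] != 1:
        raise ValueError("example handles Ethernet (linktype 1) captures only")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(e + "IIII", pcap, off)[2]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, flags, payload), or None if not IPv4/TCP over Ethernet."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    total = struct.unpack_from("!H", ip, 2)[0]  # IPv4 total length; excludes Ethernet padding
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    t = 14 + ihl
    sport, dport, seq, _ack, doff_flags = struct.unpack_from("!HHIIH", frame, t)
    payload = frame[t + (doff_flags >> 12) * 4:14 + total]
    return src, sport, dst, dport, seq, doff_flags & 0x1FF, payload

def follow_tcp_stream(pcap, client, server):
    """What the post says Follow TCP Stream does: keep only segments whose (src ip, src port,
    dst ip, dst port) matches the connection in either direction, then join payloads in
    sequence-number order so reordered segments land correctly and retransmissions are dropped."""
    segs = {"c2s": {}, "s2c": {}}  # direction -> {seq: payload}
    for frame in iter_frames(pcap):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, sport, dst, dport, seq, _flags, payload = p
        if ((src, sport), (dst, dport)) == (client, server):
            d = "c2s"
        elif ((src, sport), (dst, dport)) == (server, client):
            d = "s2c"
        else:
            continue
        if payload:
            segs[d].setdefault(seq, payload)  # first copy wins; a retransmit is ignored
    return tuple(b"".join(segs[d][s] for s in sorted(segs[d])) for d in ("c2s", "s2c"))

def hexdump(data, width=16):
    """The post's Hex Dump view: non-printable bytes show as '.' in the ASCII column."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hx = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  %s" % (i, width * 3 - 1, hx, asc))
    return "\n".join(lines)

if __name__ == "__main__":
    print(*(hexdump(x) for x in follow_tcp_stream(sample_pcap(), CLIENT, SERVER)), sep="\n\n")
```

Running it prints the client-to-server bytes first and the server reply second; the eight 0x90 bytes appear as dots in the ASCII column, which is exactly why the post recommends the Hex Dump view over ASCII. To use it on a real capture, replace sample_pcap() with open("capture.pcap", "rb").read() and pass the real endpoints; the seq-ordered join is what keeps a retransmitted or reordered segment from corrupting the carved shellcode, something a naive "concatenate payloads in capture order" script gets wrong.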
Current thread:
- Data carving exploit from pcap file Jim Kelly (Sep 18)
- Data carving exploit from pcap file Michael Kitange (Sep 20)
- Re: Data carving exploit from pcap file Abuse 007 (Sep 20)
- RE: Data carving exploit from pcap file Paul Melson (Sep 20)
- Message not available
- Data carving exploit from pcap file Danilo Nascimento (Sep 20)
- <Possible follow-ups>
- Re: Data carving exploit from pcap file redb0ne (Sep 20)