Penetration Testing mailing list archives

Data carving exploit from pcap file


From: "Danilo Nascimento" <daniloleke () gmail com>
Date: Fri, 19 Sep 2008 16:22:53 -0300

Hi JK!

The "Follow TCP Stream" feature in Wireshark filters the communication
based on (Source IP, Destination IP, Source Port and Destination Port)
from beginning to end, so you can get the shellcode with this option.

For instance, an HTTP connection:

192.168.0.1:1025 (or whatever) -> 192.168.0.2:80 (syn)
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80 (syn - ack)

/* Shellcode is somewhere in here
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
*/

192.168.0.1:1025 (or whatever) -> 192.168.0.2:80 (fin)
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80 (fin - ack)

PS: Some characters aren't printable, so you need to select the Hex
Dump option instead of ASCII in "Follow TCP Stream".

Sorry for my poor English.

Regards,
Danilo Nascimento
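The steps the reply describes (keep only the packets of one 4-tuple, put the payload bytes in order, then look at them as a hex dump because they are not printable) are exactly what a small carver has to do itself when Wireshark is not at hand or when the work has to be scripted over many captures. The script below is an added example written for this archive page; it is not code from the poster or from the Wireshark project. It uses only the Python standard library, reads a classic pcap file image, groups TCP payload by (source IP, source port, destination IP, destination port), orders segments by sequence number and prints a Wireshark-style hex dump. It goes a little beyond the reply by also coping with out-of-order segments and a partially overlapping retransmission, which are the two things that most often make a naive "concatenate the packets" approach produce garbage. The capture it works on is constructed inline (addresses and ports follow the diagram in the reply; the few non-printable bytes in the request just stand in for whatever binary blob is being carved and mean nothing). Sequence-number wraparound, IPv6, VLAN tags and gap detection are deliberately left out.

```python
"""Carve TCP payload streams out of a pcap and hex-dump them (constructed sample input)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap, microsecond timestamps
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def _ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame for the sample capture. Checksums stay zero; the carver ignores them."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4                       # MAC addresses do not matter here
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a pcap file image: global header, then a 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]   # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1221850000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield the captured bytes of each record; the magic tells us the file's byte order."""
    (magic,) = struct.unpack("<I", pcap[:4])
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]                                   # also trims Ethernet padding
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return _ip_str(ip[12:16]), sport, _ip_str(ip[16:20]), dport, seq, tcp[data_off:]


def reassemble_streams(pcap):
    """{(src, sport, dst, dport): payload bytes}, one entry per direction of each connection.

    Segments are ordered by sequence number; bytes already seen are dropped from
    retransmissions. A hole left by a missing segment is silently closed up."""
    by_flow = defaultdict(dict)
    for frame in iter_frames(pcap):
        parsed = tcp_segment(frame)
        if parsed is None or not parsed[5]:                   # skip non-TCP and pure ACK/SYN/FIN
            continue
        src, sport, dst, dport, seq, payload = parsed
        by_flow[(src, sport, dst, dport)].setdefault(seq, payload)   # first copy at a seq wins
    streams = {}
    for flow, segs in by_flow.items():
        buf, nxt = bytearray(), None
        for seq in sorted(segs):
            data, end = segs[seq], seq + len(segs[seq])
            if nxt is not None and seq < nxt:
                data = data[nxt - seq:]                       # overlap with data we already have
            buf += data
            nxt = end if nxt is None else max(nxt, end)
        streams[flow] = bytes(buf)
    return streams


def hexdump(data, width=16):
    """Offset, hex bytes, printable ASCII (dots for the rest), like Wireshark's Hex Dump view."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  %s" % (i, width * 3 - 1, hexpart, text))
    return "\n".join(lines)


# Constructed capture matching the reply's diagram: 192.168.0.1:1025 <-> 192.168.0.2:80.
CLIENT, SERVER, CPORT, SPORT = "192.168.0.1", "192.168.0.2", 1025, 80
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01
REQ_1 = b"GET /\x00\x01\xff"                                  # non-printable filler, nothing more
REQ_2 = b"\xfe\x7f HTTP/1.0\r\n\r\n"
RESP = b"HTTP/1.0 200 OK\r\n\r\n"
REQ_END, RESP_END = 1001 + len(REQ_1) + len(REQ_2), 5001 + len(RESP)

SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, CPORT, SPORT, 1000, 0, SYN),
    build_frame(SERVER, CLIENT, SPORT, CPORT, 5000, 1001, SYN | ACK),
    build_frame(CLIENT, SERVER, CPORT, SPORT, 1001, 5001, ACK),
    build_frame(CLIENT, SERVER, CPORT, SPORT, 1001 + len(REQ_1), 5001, ACK | PSH, REQ_2),  # captured first
    build_frame(CLIENT, SERVER, CPORT, SPORT, 1001, 5001, ACK | PSH, REQ_1),               # out of order
    build_frame(CLIENT, SERVER, CPORT, SPORT, 1005, 5001, ACK | PSH, (REQ_1 + REQ_2)[4:11]),  # partial retransmit
    build_frame(SERVER, CLIENT, SPORT, CPORT, 5001, REQ_END, ACK | PSH, RESP),
    build_frame(CLIENT, SERVER, CPORT, SPORT, REQ_END, RESP_END, FIN | ACK),
    build_frame(SERVER, CLIENT, SPORT, CPORT, RESP_END, REQ_END + 1, FIN | ACK),
])

if __name__ == "__main__":
    for flow, payload in reassemble_streams(SAMPLE_PCAP).items():
        print("%s:%d -> %s:%d (%d bytes)" % (*flow, len(payload)))
        print(hexdump(payload))
```

To use it on a real file, replace SAMPLE_PCAP with the contents of the capture (`open(path, "rb").read()`) and pick the flow key you care about; the client-to-server entry is where a request payload ends up, the reverse entry holds the response. Keeping the two directions separate is the main difference from Wireshark's "Follow TCP Stream" view, which interleaves them; for carving a blob out of one side that separation is usually what you want.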
