Investigating a pcap file (network traffic) using Wireshark and a hex editor
Hello guys, today I'm going to show you how I analysed a pcap file using Wireshark and a hex editor,
so let's get started.
First we open the pcap file in Wireshark.
In the hint it is mentioned that we will encounter several HTTP conversations,
so we filter out all the traffic except HTTP traffic.
As you can see we got a bunch of files (images, PDFs); we will export these as HTTP objects
by going to File > Export Objects > HTTP
and save them to our respective folder.
After having a close look we found out that some files were corrupted and we were unable to open them.
1. securepdf.pdf
I opened the file in the hex editor
and found out that the magic bytes (the starting bytes) are PK, which stands for a zip archive,
and below that we also see rawpdf.pdf,
so I rename the file from securepdf.pdf to securepdf.zip
and voila, we get rawpdf.pdf.
But this file seems to be encrypted, so let's crack it.
For cracking purposes we first convert the zip file into a hash using zip2john
and then crack it using John the Ripper (if you guys aren't familiar with this cracking tool please do some research, as it is a very handy tool for pentesters).
As I have cracked it before, the result is already cached.
The password is "Secure".
Now moving on to the next file, which is
2. hiddenmessage.txt
Opening it in the hex editor,
we see that the magic bytes (which help the computer understand which type of file it is) are those of JFIF, i.e. FF D8 FF E0 00 10 4A 46 49 46 00 01.
Now let's rename it to hiddenmessage.jpg
and we got the image.
Now let's go to the next file.
3. how-to-commit-crimes.docx
Opening it in the hex editor,
when I took a close look I saw that the data on the right-hand side (the ASCII pane) was in clear text,
so I renamed the file to how-to-commit-crimes.txt and it worked out.
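As an added example (not from the original post), the following Python script does the same magic-byte check programmatically for the three files above: it builds constructed sample files that mimic the mislabelled exports (a zip saved as securepdf.pdf containing rawpdf.pdf, a JFIF header saved as hiddenmessage.txt, and clear text saved as how-to-commit-crimes.docx), reports what each really is, and lists the members of the disguised zip. The file names are reused from the post; the contents are constructed, and the password-protected archive is not reproduced.

```python
"""Identify a file's real type from its magic bytes, regardless of extension.

Added example, not code from the original post. It creates constructed
sample files in a temporary directory and uses only the standard library.
"""
import os
import tempfile
import zipfile

# Magic-byte signatures checked against the start of the file:
# (signature, description, suggested extension)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image", ".png"),
    (b"\xff\xd8\xff", "JPEG image (JFIF/Exif)", ".jpg"),
    (b"%PDF-", "PDF document", ".pdf"),
    (b"PK\x03\x04", "ZIP archive (also docx/xlsx/jar)", ".zip"),
]


def sniff(data: bytes):
    """Return (description, extension) for the leading bytes of a file."""
    for sig, desc, ext in SIGNATURES:
        if data.startswith(sig):
            return desc, ext
    # No known signature: if every byte is printable ASCII or whitespace,
    # treat it as plain text (the how-to-commit-crimes.docx case).
    if data and all(32 <= b < 127 or b in b"\t\r\n" for b in data):
        return "plain text", ".txt"
    return "unknown", ""


def sniff_file(path: str):
    """Read the first 16 bytes of a file on disk and classify them."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return sniff(head)


def zip_members(path: str):
    """List member names of a ZIP archive, whatever extension it carries."""
    with zipfile.ZipFile(path) as zf:
        return zf.namelist()


def build_samples(directory: str):
    """Create constructed sample files mimicking the exported HTTP objects."""
    # 1) a zip saved as securepdf.pdf that contains rawpdf.pdf
    zip_path = os.path.join(directory, "securepdf.pdf")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("rawpdf.pdf", b"%PDF-1.4\n% constructed placeholder body\n")
    # 2) a JPEG/JFIF header saved as hiddenmessage.txt (same bytes as in the post)
    with open(os.path.join(directory, "hiddenmessage.txt"), "wb") as fh:
        fh.write(bytes.fromhex("FFD8FFE000104A46494600010100"))
    # 3) clear text saved as how-to-commit-crimes.docx
    with open(os.path.join(directory, "how-to-commit-crimes.docx"), "w") as fh:
        fh.write("constructed clear-text sample\n")


def classify_directory(directory: str):
    """Map each filename to its sniffed (description, suggested extension)."""
    return {name: sniff_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def run_demo():
    """Build the samples in a temp dir; return (classification, zip members)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        classification = classify_directory(tmp)
        members = zip_members(os.path.join(tmp, "securepdf.pdf"))
    return classification, members


if __name__ == "__main__":
    classification, members = run_demo()
    for name, (desc, ext) in classification.items():
        print(f"{name:28s} -> {desc} (try renaming to {ext})")
    print("inside securepdf.pdf:", members)
```

The extension-based check is only a hint: a docx is itself a zip, so a real docx sniffs as "ZIP archive" and you would look inside it for `[Content_Types].xml` to tell the two apart.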
All of these files were quite easy to look at and figure out, but the next one got to me as well, as it was quite tricky.
4. broken.png
When I opened it in the hex editor
and looked at it I was quite stuck, and then I saw the data on the right-hand side,
which looked like base64 encoding. I copied the data and tried decoding it,
and this is what I got.
But the only thing I was not able to figure out was how to make a PNG file out of this data. I tried writing this data to a .txt file and then renaming it to .png, but that didn't work.
After 20 minutes I went on CyberChef, which is an online platform for encoding and decoding data,
and after decoding the data I was able to export it as a .png file.
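The reason the rename did not work is that a .png must contain the decoded bytes, not the base64 text itself. As an added example (not from the original post, and not what CyberChef does internally), the Python below decodes a base64 dump straight to a binary PNG and checks the PNG signature before writing. The base64 input is constructed here from a minimal 1x1 PNG built with zlib, standing in for the text seen in the hex editor; the function and variable names are my own.

```python
"""Turn a base64 text dump back into a binary PNG file.

Added example, not code from the original post. SAMPLE_DUMP is a
constructed stand-in for the base64 text copied from the hex editor.
"""
import base64
import binascii
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(kind: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = binascii.crc32(kind + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


def build_tiny_png() -> bytes:
    """Construct a valid 1x1 opaque red RGB PNG (used only as sample input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    raw = b"\x00" + b"\xff\x00\x00"                      # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def decode_base64_png(text: str) -> bytes:
    """Decode base64 (ignoring line breaks and spaces) and check the PNG magic."""
    cleaned = "".join(text.split())
    # Re-pad in case the copied dump lost its trailing '=' characters.
    cleaned += "=" * (-len(cleaned) % 4)
    data = base64.b64decode(cleaned, validate=True)
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("decoded data does not start with the PNG signature")
    return data


def png_dimensions(data: bytes):
    """Read width and height from the IHDR chunk, which always comes first."""
    # 8-byte signature + 4-byte length + 4-byte type 'IHDR' -> data at offset 16
    return struct.unpack(">II", data[16:24])


def write_png(path: str, text: str) -> int:
    """Write the decoded bytes in binary mode; return the number of bytes."""
    data = decode_base64_png(text)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


# Constructed sample: base64 of the tiny PNG, wrapped onto short lines the way
# a dump copied out of a hex editor's ASCII pane often is.
SAMPLE_B64 = base64.b64encode(build_tiny_png()).decode()
SAMPLE_DUMP = "\n".join(SAMPLE_B64[i:i + 32] for i in range(0, len(SAMPLE_B64), 32))


if __name__ == "__main__":
    png = decode_base64_png(SAMPLE_DUMP)
    print("decoded", len(png), "bytes, dimensions", png_dimensions(png))
    # Saving the text itself (the renamed .txt attempt) keeps ASCII, not PNG bytes:
    print("raw text starts with PNG magic?",
          SAMPLE_DUMP.encode().startswith(PNG_SIGNATURE))
    print("wrote", write_png("recovered.png", SAMPLE_DUMP), "bytes to recovered.png")
```

If the decoded data fails the signature check, the dump was probably not copied whole, or the bytes were base64 of something else (a zip, a JPEG), so sniff the first bytes again before deciding on the extension.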
And finally I completed this challenge.
This is it for today guys. If you liked it please don't forget to follow and share this with your cybersecurity friends.