Investigating Pcap file[network traffic] using wireshark and hexeditor

Lavesh pashte
4 min readDec 1, 2020

--

Hello Guys today im going to show you how i analysed pcap file using wireshark and hexeditor

so let’s get started

first we open the pcap file in wireshark

This is the hint that we get for initial headstart

so in the hint we get to see it is mentioned that we will encounter several http traffics

So we will filter out all the traffic except http traffic

And so you could see we got bunch of files(images,pdf),we will export this as http objects

by going to file>export objects>http

and save it to our respective folder

now after having a close look we found out that some files we corrupted and were unable to open

1st file

  1. securepdf.pdf

i opened the file in hexeditor

and found out that the magic bytes [the starting bytes] are of PK which also stands for zip archive

and below that we also see rawpdf.pdf

so i rename the file from securepdf.pdf to securepdf.zip

and voila we get rawpdf.pdf

But this file seems to be encrypted so lets crack it

For cracking purpose we will first convert the zip file into hash using zip2john

and then crack it using johntheripper[if you guys arent familiar with this cracking tool please do some research as it is very handy tool for pentester]

as i have cracked it before so it is already in cache

password is “Secure

now moving onto next file which is

2.hiddenmessage.txt

we got this error

opening in hexeditor

we see that the magic bytes[which helps the computer to understand which type of file it is] is set to JFIF or FF D8 FF E0 00 10 4A 46 49 46 00 01

Now lets rename it to hiddenmessage.jpg

we got the image

new lets go to the next file

3.how-to-commit-crimes.docx

opening in hexeditor

here when i took a close look i saw the data on the right hand side which was in clear text format

so i renamed the file to how-to-commit-crimes in .txt format and it worked out

all of this files were quite easy to look at and find out,but the next one got to me aswell as it was quite tricky

4.broken.png

when i opened it in hexeditor

looking at this i was quite stuck and then i saw the data on the right hand side

which looked like base64 encoding ,i copied the data and tried decoding it

and this is what i got

but the only thing i was not able to figure out was how to make a png file out of this data,I tried writing this data to a .txt file and then renaming it to .png but that didnt work

After 20 mins later i went on cyberchef which is a online platform for encoding and decoding data

after decoding the data i was able to export it as a .png file

and finally i completed this challenge

This is it for today guys ..If you liked it please dont forget to follow and share this to your cybersecurity friends

--

--

No responses yet