The Spy Files: Extracting Word Documents from a Packet Capture

The Krypt

For anyone interested in network security and pen testing, Wireshark is the tool to get, as it reveals pretty much everything about a network: the hosts and active services present, traffic volumes, payloads and sometimes login details as well. I was hoping to demonstrate some of that here, using a (publicly available) .pcap file I acquired from somewhere.

My personal method is to start by constructing a picture of the network, which is time-consuming but sets the scene for whatever analysis follows. There are three IP addresses worth looking at:

* – Appears to be a virtual machine running on VMware, and providing a large number of services, including IMAP, MySQL, POP3, HTTPS, domain services, Kerberos, Sun RPC and SMUX.
* – Another VM making a load of requests through outgoing port 34988, so it had to be a proxy server.
* – Multicast router.
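As an added example (not code from the original post), here is a standard-library Python script that does the first step described above: it reads a classic libpcap file and lists, per host, the TCP ports that other hosts tried to open on it, naming the well-known ones. The addresses, the source port and the capture itself are constructed sample data, not values from the post's .pcap.

```python
import struct

# IANA well-known TCP ports for the services the post lists on the server VM.
SERVICE_NAMES = {53: "domain", 88: "kerberos", 110: "pop3", 111: "sunrpc",
                 143: "imap", 199: "smux", 443: "https", 3306: "mysql"}

def iter_packets(pcap):
    """Yield raw frames from a classic libpcap file, honouring its byte order."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file")
    offset = 24                                   # past the 24-byte global header
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])[2]
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len

def inventory(pcap):
    """Map each host to the TCP ports clients tried to open on it (SYN, no ACK)."""
    services = {}
    for frame in iter_packets(pcap):
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # IPv4 over Ethernet only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:                  # need TCP and its flags byte
            continue
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        dport, flags = struct.unpack("!H", tcp[2:4])[0], tcp[13]
        if flags & 0x02 and not flags & 0x10:                 # SYN set, ACK clear
            services.setdefault(dst, set()).add(dport)
    return {host: {p: SERVICE_NAMES.get(p, "?") for p in sorted(ports)}
            for host, ports in services.items()}

def _syn(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame for sample data (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp

def build_sample_pcap():
    """Constructed capture: one client probing eight services on 10.0.0.10."""
    frames = [_syn("10.0.0.50", "10.0.0.10", 34988, p) for p in SERVICE_NAMES]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out
```

On a real capture, pass `open("file.pcap", "rb").read()` to `inventory()`; pcapng files use a different container and are not handled here.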
