Last week, I posted an entry about pulling binaries from pcap files. In the post, I mentioned that NetworkMiner could be used to extract binary files from pcaps automatically, but that during my testing it had failed to extract at least one file.
Shortly after publishing, I was contacted by Eric Kollmann who has done some great research on using network traffic for OS fingerprinting. Some of Kollmann's techniques have been incorporated into NetworkMiner. Kollmann wrote to tell me that I should mention my issues to Erik Hjelmvik, the primary developer of NetworkMiner.
Hjelmvik was incredibly receptive and helpful. Within a few days he had downloaded the same pcap file I'd used in my testing and reported back that it worked for him. He suggested it might be a latent bug showing up on my system because of differences in OS patch level, or that my AV software might be deleting the recovered files that contained known malware.
I tried NetworkMiner again and watched as it extracted files. There should have been 17 extracted, but it only reported 15. I attempted to open the log file for my AV product to see if it had deleted anything, but the log file was locked and wouldn't allow me to open it. I fired up the Event Viewer on my system and there were two warnings about my AV deleting files containing known malware.
There you have it, NetworkMiner was working flawlessly. It's always nice to have great interactions with developers of open source products. Not only did Hjelmvik offer the correct suggestion that my AV may be killing the files, he also pointed out that there's a much easier way to extract binaries from pcaps using Wireshark. I think I'd known his method at one time, but forgot it due to lack of use.
In my post I said you could right-click on the GET request in Wireshark, select "Follow TCP Stream", and eliminate half the conversation via the drop-down box in the resulting dialog window (see the previous article for full details and screenshots). From there, save the byte stream as raw and use foremost or a hex editor to carve out the binary.
Hjelmvik smartly points out that one can scroll down through the main Wireshark window to packet 117, where the Info column contains "(application/octet-stream)", right-click the "Media Type" entry in the middle (packet details) pane, and select "Export Selected Packet Bytes...". You will be prompted to save the byte stream somewhere on your file system, and the result is the original binary, with no carving required.
Binary extraction with Wireshark, the easy way
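The "Media Type" row Hjelmvik points at is the HTTP body after Wireshark has reassembled the server's TCP segments, so exporting it is equivalent to ordering the segments by sequence number and slicing off Content-Length bytes after the headers. The script below, an added example that is not part of the original post and not code from NetworkMiner or Wireshark, does that programmatically over a small pcap it constructs itself (segments deliberately out of order, one retransmitted), and hashes each extracted body so you can check it against your AV logs or an indicator list before it gets quarantined from under you.

```python
import hashlib, struct

# Constructed sample: one HTTP response whose 8-byte body arrives out of order, one segment twice.
HEADERS = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
           b"Content-Length: 8\r\n\r\n")
BODY = b"MZ\x90\x00\x03\x00\x00\x00"
ISN = 1000
SEGMENTS = [(ISN + len(HEADERS), BODY[:3]), (ISN, HEADERS[:40]),   # body before its headers
            (ISN + 40, HEADERS[40:]), (ISN + 40, HEADERS[40:]),    # retransmitted segment
            (ISN + len(HEADERS) + 3, BODY[3:])]

def build_sample_pcap(segments, sport=80, dport=40000):
    """Wrap each (seq, payload) in Ethernet/IPv4/TCP inside a classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for seq, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def reassemble_server_stream(pcap, server_port=80):
    """Order server->client TCP payload by sequence number, as Wireshark does before it shows
    the 'Media Type' row. Assumes one flow; keying on seq drops whole-segment retransmissions."""
    segs, off = {}, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 carrying TCP only
            continue
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]
        sport, _, seq = struct.unpack_from("!HHI", tcp)
        if sport == server_port and (data := tcp[(tcp[12] >> 4) * 4:]):
            segs[seq] = data
    return b"".join(segs[s] for s in sorted(segs))

def extract_http_bodies(stream):
    """Split the stream into HTTP responses by Content-Length; each body is what 'Export
    Selected Packet Bytes' saves to disk, hashed here for AV-log or indicator lookup."""
    results, pos = [], 0
    while (end := stream.find(b"\r\n\r\n", pos)) >= 0:
        lines = stream[pos:end].decode("latin-1").split("\r\n")[1:]
        hdr = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines if ":" in l)}
        length = int(hdr.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        results.append((hdr.get("content-type", ""), body, hashlib.sha256(body).hexdigest()))
        pos = end + 4 + length
    return results
```

Point it at a real capture by replacing `build_sample_pcap(SEGMENTS)` with the file's bytes and writing each returned body to disk; chunked transfer encoding and multiple flows are not handled by this minimal version.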
As usual, there's more than one way to do it and someone else is going to have a better way.
Thanks to Kollmann and Hjelmvik both for reading and making such great contributions to the community.
Dave Hull, GCFA Silver #3368, is an aspiring maker and technologist specializing in information security. He can be found on the web at TrustedSignal.com.