Extracting images and files from network capture
A cool thing to do after a MITM attack is to extract images and files from a live network stream or from network capture dumps.
Tools needed:
driftnet : http://www.ex-parrot.com/~chris/driftnet/ : sudo apt-get install driftnet
tcpxtract : http://tcpxtract.sourceforge.net/ : sudo apt-get install tcpxtract
tcpreplay : http://tcpreplay.synfin.net/ : sudo apt-get install tcpreplay
Extracting from live network traffic:
You just need to run driftnet and point it at the network device to capture from, for example "sudo driftnet -i eth0". A window will open displaying any images that pass through the eth0 adapter.
tcpxtract can extract up to 26 file types (including image files), unlike driftnet, which only captures three file types, all of them image types. To use tcpxtract run "sudo tcpxtract -d eth0 -o output/"; this listens on device eth0 and writes all captured files to the directory "output".
Extracting from network dump:
What if you want to extract information from a network dump you took earlier? Driftnet doesn't yet support direct extraction from dump files, so you will have to replay the dump file with tcpreplay. You can do this by running "sudo tcpreplay -i lo dump", where "lo" is the loopback interface and "dump" is the file containing the network dump. Of course, you run that command after starting driftnet and pointing it at the loopback interface: "sudo driftnet -i lo".
As for tcpxtract, you can just run "sudo tcpxtract -f dump -o output/", where "dump" is the file containing the network dump and "output" is the directory where all the captured files will be saved.
That's it for now.
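To show what tcpxtract-style carving actually does with a dump file, here is an added example (not code from the original post, and not tcpxtract's or driftnet's own code) that reads a classic pcap, reassembles each TCP direction by sequence number, and then carves PNG and JPEG files out of the reassembled streams by header/trailer signature. Reassembling first matters because files are split across many segments that can arrive out of order or be retransmitted; a carver that only looks inside individual packets would produce broken images in that case. The sample capture is constructed in the script itself (a valid 1x1 PNG sent as three out-of-order segments plus one retransmission), and the parser assumes a little-endian pcap, Ethernet/IPv4/TCP and no sequence-number wraparound.

```python
"""Carve image files from a pcap after reassembling each TCP stream.
Added example; not from the original post, tcpxtract or driftnet. Assumes classic
little-endian pcap, Ethernet/IPv4/TCP, no seq wraparound; gaps in a stream are skipped."""
import struct
import zlib
from collections import defaultdict

# Header/trailer signatures to carve; only PNG and JPEG here.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def parse_pcap(data):
    """Yield raw Ethernet frames from a classic little-endian pcap (file magic d4 c3 b2 a1)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is supported here")
    off = 24                                          # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return (flow, seq, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    flow = (frame[26:30], sport, frame[30:34], dport)  # one direction of one connection
    return flow, seq, tcp[data_off:]

def reassemble(frames):
    """Order each direction's segments by sequence number, dropping retransmitted bytes."""
    segs = defaultdict(dict)
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed and parsed[2]:
            flow, seq, payload = parsed
            segs[flow][seq] = payload                 # a retransmission just overwrites
    streams = {}
    for flow, by_seq in segs.items():
        buf, expected = bytearray(), None
        for seq in sorted(by_seq):
            payload = by_seq[seq]
            if expected is not None and seq < expected:   # overlap: keep only the new tail
                payload, seq = payload[expected - seq:], expected
            buf += payload
            expected = seq + len(payload)
        streams[flow] = bytes(buf)
    return streams

def carve(stream):
    """Return (kind, bytes) for every header..trailer span of a known signature."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := stream.find(head, pos)) >= 0:
            end = stream.find(tail, start + len(head))
            if end < 0:
                break
            found.append((kind, stream[start:end + len(tail)]))
            pos = end + len(tail)
    return found

def carve_pcap(data):
    """Full pipeline: pcap bytes -> list of (flow, kind, file bytes)."""
    return [(flow, kind, blob)
            for flow, stream in reassemble(parse_pcap(data)).items()
            for kind, blob in carve(stream)]

# --- constructed sample capture: a valid 1x1 PNG sent as three out-of-order segments ---
def tiny_png():
    def chunk(tag, body):
        return struct.pack("!I", len(body)) + tag + body + struct.pack("!I", zlib.crc32(tag + body))
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)          # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")                   # filter byte + one red pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def build_frame(seq, payload):
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip                        # zeroed MACs, IPv4 ethertype

def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

PNG = tiny_png()
A, B, C = PNG[:20], PNG[20:45], PNG[45:]
SAMPLE_PCAP = build_pcap([build_frame(1000 + 45, C),             # last segment arrives first
                          build_frame(1000, A),
                          build_frame(1000, A),                  # retransmission of the first
                          build_frame(1000 + 20, B)])
```

Running carve_pcap(SAMPLE_PCAP) recovers the PNG byte-for-byte despite the reordering and the duplicate segment; swap SAMPLE_PCAP for the contents of a real dump file to carve from a capture taken earlier. The signature table is deliberately short, and a real carver also needs sequence-number wraparound handling and a policy for streams with missing segments.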

tcpxtract does not handle TCP fragmentation and TCP flow reordering like justniffer (http://justniffer.sourceforge.net/).
Bye