Penetration Testing
mailing list archives
Data carving exploit from pcap file
From: "Danilo Nascimento" <daniloleke () gmail com>
Date: Fri, 19 Sep 2008 16:22:53 -0300
Hi JK!
The "Follow TCP Stream" feature in Wireshark filters the communication
based on (Source IP, Destination IP, Source Port and Destination Port)
from beginning to end, so you can get the shellcode with this option.
For instance, an HTTP connection:
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80 (syn)
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80 (syn - ack)
/* Shellcode is somewhere in here
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80
*/
192.168.0.1:1025 (or whatever) -> 192.168.0.2:80 (fin)
192.168.0.1:1025 (or whatever) <- 192.168.0.2:80 (fin - ack)
PS: Some characters aren't printable, so you need to select the Hex
Dump option instead of ASCII in "Follow TCP Stream".
Sorry for my poor English.
Regards,
Danilo Nascimento
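The bidirectional 4-tuple grouping described above, as an added example that is not part of the original post or of Wireshark: a small Python reassembler that walks a classic pcap, groups TCP payloads by (Source IP, Source Port, Destination IP, Destination Port) in both directions, drops retransmitted segments, and renders the result as a hex dump, since shellcode bytes are mostly non-printable. The capture it parses is constructed inline; all function names are my own, and it assumes Ethernet/IPv4 frames without VLAN tags.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond pcap magic; its byte order tells us how record headers are packed

def build_pcap(packets):
    """Constructed input: (src, sport, dst, dport, seq, payload) tuples as a minimal Ethernet/IPv4/TCP pcap."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for src, sport, dst, dport, seq, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
        frame = bytes(12) + b"\x08\x00" + ip + tcp  # zeroed MACs, EtherType 0x0800 = IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # ts_sec, ts_usec, caplen, len
    return out

def follow_tcp_streams(pcap):
    """Group TCP payloads by the bidirectional 4-tuple, as Wireshark's Follow TCP Stream does,
    dropping retransmissions. Returns {stream_key: [(sender_endpoint, payload), ...]} in capture order."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    pos, streams, seen = 24, {}, set()
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame, pos = pcap[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]  # honour IP total length so Ethernet padding is not mistaken for data
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]  # TCP data offset is in 32-bit words
        if not payload: continue  # bare SYN / ACK / FIN segments carry no stream data
        a, b = (ip[12:16], sport), (ip[16:20], dport)
        key = (a, b) if a <= b else (b, a)  # same key whichever side sent the segment
        if (key, a, seq) in seen: continue  # same sender and sequence number again: retransmission
        seen.add((key, a, seq))
        streams.setdefault(key, []).append((a, payload))
    return streams

def hexdump(data, width=16):
    """Hex + ASCII view (the 'Hex Dump' choice in Follow TCP Stream) for non-printable bytes."""
    return "\n".join(f"{o:08x}  {data[o:o + width].hex(' '):<{width * 3 - 1}} |"
                     + "".join(chr(c) if 32 <= c < 127 else "." for c in data[o:o + width]) + "|"
                     for o in range(0, len(data), width))

SAMPLE_PCAP = build_pcap([  # constructed capture: one HTTP conversation, response retransmitted once
    ("192.168.0.1", 1025, "192.168.0.2", 80, 1000, b"GET / HTTP/1.0\r\n\r\n"),
    ("192.168.0.2", 80, "192.168.0.1", 1025, 5000, b"HTTP/1.0 200 OK\r\n\r\n\x90\x90\xcc"),
    ("192.168.0.2", 80, "192.168.0.1", 1025, 5000, b"HTTP/1.0 200 OK\r\n\r\n\x90\x90\xcc"),
])
```

Iterating over `follow_tcp_streams(SAMPLE_PCAP)` and passing each payload to `hexdump` gives the same per-direction view the post describes, with the retransmitted response shown only once.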