Jsunpack-n analog Wireshark Intercept file transfer

Preface:

In the previous experiment, we carried out the installation of jsunpack-n and its simple use. Jsunpack-n There are other features that need to be tested, because I was just touching these things. This paper makes an experiment on one of the "function points".

There is no guarantee that the jsunpack-n must have the key function point of the experiment, only the use of experiments to confirm the existence of this function point.

Copyright Notice

This article was originally published in the CSDN blog platform. Please reprint in the article corresponding location. Indicate the content of this article copyright!
This article link:Http://blog.csdn.net/lemon_tree12138/article/details/50727135–coding-naga
　　　　　　　　　　　　　　　　　　 　　　　　　　　　　　　　　　　 -Reprint please indicate the source

Lab Environment:Windows-related

• Windows 7
• WireShark

Linux-related

• Ubuntu 14.04 LTS Desktop Version
• Python 2.7.6
• TCPDump
• Jsunpack-n

Test:

Malware analysis know-how and toolbox 12.2.1 isolate encrypted data from captured packets

Experimental steps:I. Capturing file transfer steps using Wireshark

1. Select a mailbox (163 in this case) for mail delivery.

2. Write a copy of the file for sending. The writing of this document is "Upload Test", the content is:
Just a test for upload.

3. Open the installed Wireshark and set the filter parameters to HTTP.

For example, the following:

4. When uploading and sending the above file contents, you can obtain the following traffic capture results, for example:

5. Select. Above the contents of the box, you can see that the HTTP protocol has the following content, for example:

6. The name of the file can be obtained from the above:Upload Test.txt and the length of the file is 23 bytes.

7. Check the media type content again to see that the file contents have been captured:

Ii. capturing file transfer steps using Tcpdump

1. Install jsunpack-n correctly as described in the previous document

2. Create a test file. Used for file upload. The file name and contents are as follows:

3. Open the Tcpdump and monitor the network traffic.

Commands such as the following:
$ s Udo Tcpdump-i eth0-w 163.pcap

4. Enter 163 mailboxes from Ubuntu Desktop browser. and add the above test file to the attachment. Then send the message

5. After the message is sent successfully, disconnect the tcpdump from the monitor. Use Jsunpack-n to analyze the contents of the packet capture.

Commands such as the following:
$ p Ython jsunpackn.py xxx/163.pcap-s-j-v

6. The following is a partial analysis of the results:

7. View the result file of the Jsunpack-n analysis and enter the./temp/files. Use the following command to analyze:
$ file *

8. The above analysis results can be seen in the following examples:

Can see the original format type of these intercepted files.

9. Use WinSCP to download these files locally. and rename it in the corresponding format, for example, the following:

10. From the above files, no bytes have been found for the contents of the test file.

The file name of the test file was only found in the file stream_15a5b6dcb804326549627e8a0c3f528dc04a3587. The contents of the stream_15a5b6dcb804326549627e8a0c3f528dc04a3587 file are as follows:
{' Code ': ' S_OK ', ' type ': 0, ' var ': {' Attachmentid ': 1, ' fileName ':'test_upload.txt', ' ContentType ': ' Text\/plain ', ' size ': +, ' actualsize ': +}}

11. For the credibility of the experiment. This will download the Jsunpack-n parsed network package file 163.pcap file to local, and use Wireshark to parse. The results of the parsing are as follows:

Experimental Conclusion:

From the above experiment. The following two results can be obtained mainly:

1. Use jsunpack-n cannot parse tcpdump crawled packet file. Upload the content information of the file;

2. Use Wireshark to parse out the content information of the same packet file that the tcpdump fetches and upload the file.

From this point. To be able to get a preliminary, using jsunpack-n cannot intercept the conclusion of uploading files over the network.

Jsunpack-n analog Wireshark Intercept file transfer