Using Jsunpack-n in Place of Wireshark to Intercept a File Transfer

Source: Internet
Author: User

Preface:

In the previous experiment we installed jsunpack-n and tried its basic use. Jsunpack-n has other features that still need to be tested, since I am only beginning to work with these tools. This article is an experiment on one of those "function points".

There is no guarantee that jsunpack-n actually has the feature tested here; the experiment only serves to verify whether that function point exists.


Copyright Notice

This article is published on the CSDN blog platform. If you reprint it, please keep this copyright notice in the corresponding place in the article.
Article link: http://blog.csdn.net/lemon_tree12138/article/details/50727135 (coding-naga)
Please indicate the source when reprinting.


Lab Environment:

Windows-related

    • Windows 7
    • Wireshark

Linux-related

    • Ubuntu 14.04 LTS Desktop Version
    • Python 2.7.6
    • tcpdump
    • Jsunpack-n


Experiment Reference:

Malware Analysis Know-How and Toolbox, section 12.2.1: Isolating encrypted data from captured packets

Experimental steps:

I. Capturing a file transfer with Wireshark

1. Select a mailbox (163 in this case) for sending the mail;

2. Prepare a document to send. The document sent here is "Upload Test", with the following contents:
Just a test for upload.

3. Open the installed Wireshark and set the display filter to HTTP, as follows:

4. Upload and send the file contents above; the following capture results are obtained:

5. Select the packet above; in the pane below it, the following content can be seen in the HTTP protocol section:

6. From the above, the name of the file, Upload Test.txt, and its length, 23 bytes, can be obtained;

7. Look again at the media type content, where the contents of the file can be seen to have been captured:



II. Capturing a file transfer with tcpdump

1. Install jsunpack-n correctly as described in the previous article.

2. Create a new test file to use for the upload. The file name and contents are as follows:

3. Start tcpdump and record the network traffic. The command is as follows:
$ sudo tcpdump -i eth0 -w 163.pcap

4. Log in to the 163 mailbox from the Ubuntu desktop browser, add the test file above as an attachment, and send the message.

5. After the message has been sent successfully, stop tcpdump and use jsunpack-n to analyze the contents of the capture. The command is as follows:
$ python jsunpackn.py xxx/163.pcap -s -j -v

6. Part of the analysis output is shown below:

7. Look at the result files of the jsunpack-n analysis: enter the ./temp/files directory and analyze them with the following command:
$ file *

8. The results of the above analysis are as follows:

The original format of each intercepted file can be seen here.

9. Use WinSCP to download these files to the local machine and rename them with the appropriate extensions, as follows:

10. None of the above files contains any bytes of the test file's contents. Only the file name of the test file was found, in the file stream_15a5b6dcb804326549627e8a0c3f528dc04a3587. The contents of the stream_15a5b6dcb804326549627e8a0c3f528dc04a3587 file are as follows:
{'code': 'S_OK', 'type': 0, 'var': {'attachmentId': 1, 'fileName': 'test_upload.txt', 'contentType': 'text\/plain', 'size': +, 'actualSize': +}}

11. To check the reliability of the experiment, download the same 163.pcap file that jsunpack-n parsed to the local machine and parse it with Wireshark. The parsing results are as follows:


Experimental Conclusion:

From the above experiment, the following two results are obtained:

1. jsunpack-n cannot recover the contents of the uploaded file from the packet file captured by tcpdump;

2. Wireshark can recover the contents of the uploaded file from the same packet file captured by tcpdump;

From this, the preliminary conclusion is that jsunpack-n cannot be used to intercept files uploaded over the network.
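As an added example that is not part of the original post or of jsunpack-n, the following Python 3 script does for one HTTP POST what Wireshark showed in step 7 of the first experiment: it locates the multipart/form-data body, recovers the attachment's name, type and bytes, and rejects a stream whose body is shorter than its Content-Length (a cut-off capture). The request stream is constructed inline; the host, path and boundary are made up, while the file name and contents are the ones used above.

```python
import re

def build_upload_stream():
    """Constructed sample of the client-to-server HTTP stream of a webmail
    attachment upload, as Wireshark's "Follow TCP Stream" would show it.
    Host, path and boundary are made up; file name and content match the
    experiment above."""
    boundary = b"----WebKitFormBoundaryEXAMPLE"
    body = b"".join([
        b"--", boundary, b"\r\n",
        b'Content-Disposition: form-data; name="file"; filename="Upload Test.txt"\r\n',
        b"Content-Type: text/plain\r\n\r\n",
        b"Just a test for upload.\r\n",
        b"--", boundary, b"--\r\n",
    ])
    head = b"".join([
        b"POST /upload HTTP/1.1\r\n",
        b"Host: mail.example.com\r\n",
        b"Content-Type: multipart/form-data; boundary=", boundary, b"\r\n",
        b"Content-Length: ", str(len(body)).encode(), b"\r\n\r\n",
    ])
    return head + body

def extract_uploads(stream):
    """Parse one HTTP POST and return the files carried in its
    multipart/form-data body as dicts of filename, content_type, data."""
    head, _, body = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get(b"content-length", b"0"))
    if declared != len(body):                     # partial or cut-off capture
        raise ValueError(f"Content-Length {declared} != body {len(body)} bytes")
    m = re.search(rb'boundary="?([^";\s]+)', headers.get(b"content-type", b""))
    if not m:
        raise ValueError("not a multipart/form-data request")
    delim = b"--" + m.group(1)
    files = []
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):                # closing delimiter, done
            break
        part_head, _, data = part[2:].partition(b"\r\n\r\n")  # drop CRLF after delim
        if data.endswith(b"\r\n"):                # CRLF before next delim is not payload
            data = data[:-2]
        fn = re.search(rb'filename="([^"]*)"', part_head)
        if not fn:
            continue                              # ordinary form field, not a file
        ct = re.search(rb"content-type:\s*([^\r\n]+)", part_head, re.I)
        files.append({"filename": fn.group(1).decode(),
                      "content_type": ct.group(1).decode() if ct else "",
                      "data": data})
    return files
```

Running `extract_uploads(build_upload_stream())` returns the single attachment with its 23 content bytes, which is exactly the information the jsunpack-n output in step 10 lacked.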

