RE: project

["Rob Shein" <shoten () starpower net>]

Once he's reassembled the streams, the rest should be a bit more obvious.
If he can read the data in the protocols, he can also recognize them; if he
can't, there's no point to even having anything to look at in the first
place.

-----Original Message-----
From: David Pick [mailto:d.m.pick () qmul ac uk] 
Sent: Wednesday, April 30, 2003 12:37 PM
To: pen-test () securityfocus com
Subject: Re: project 



> I mean I have captured data using Tcpdump (i.e. raw data), how to I 
> recombine the data into the orginal word attachment (or like)? Cannot 
> seem to find any information anywhere on the technical involved in 
> this.

You'll not only need to reassemble the packet streams, you'll also need to
know what protocol was used to transport the higher-level data. For example,
was the data flowing over a "connection" to a file server? if so you'll need
to work out which protocol was used (NFS, CIFS, NCP, something else...). Or
if it was carried by EMail you'll need to extrace the message text from the
SMTP (or POP or
IMAP) protocol information and then (perhaps) extract individual attachments
from the message, and then reverse the Base64 encoding (or whichever it was)
and then...

-- 
        David Pick


---------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does.
Plug your security holes.
Download a free 15-day trial of VAM:
http://www.securityfocus.com/StillSecure-pen-test
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does.
Plug your security holes.
Download a free 15-day trial of VAM:
http://www.securityfocus.com/StillSecure-pen-test
----------------------------------------------------------------------------