Friday, April 07, 2006

TcpXtract - Revisited

You may heard about tcpxtract before, either from somewhere in the internet or the good write up at taosecurity blog. The cool factor of Tcpxtract is the element X where it able to eXtract and reconstruct file based on it's header and format out of pcap dump. Nick Harbour, develope this nifty tool for the sake of network forensic.

I was using foremost, to extract the msdos executable file(brontok worm) out of pcap dump. I decide to give tcpxtract a try. However tcpxtract natively doesn't support msdos executable format. I quickly google to see if I can get any clue and I found this -

http://www.windowsitlibrary.com/Content/356/11/1.html

It is very old tutorial but decent and detail in explaining portable executable file format(PE). With a little knowledge of it, I add this to the tcpxtract configuration file - tcpxtract.conf. This is the part I like about tcpxtract - flexibilities, you can add whatever format when you learn one.

#####################
# Msdos-executable
#####################

exe(10000000, \x4d\x5a);

I didn't add this part but I think some people might find it useful, this is to add PE header.

#####################
# Portable-executable
#####################

pe(10000000, \x50\x45\x00\x00);

Then I start to run tcpxtract against brontok_pcap to see if I able to get the result I want. You might have to create the directory for it's output first.

shell>mkdir tcp_extract

shell>tcpxtract -f brontok_pcap -o tcp_extract/



shell> ls -la tcp_extract/*.exe
-rwx------ 1 root root 76092 Apr 7 07:18 tcp_extract/00000001.exe
-rwx------ 1 root root 64985 Apr 7 07:18 tcp_extract/00000002.exe
-rwx------ 1 root root 52253 Apr 7 07:18 tcp_extract/00000005.exe

shell> file tcp_extract/00000001.exe
tcp_extract/00000001.exe: MS-DOS executable (EXE)

Here's the content of 00000001.exe which is similar to what I get when I use foremost previously.


Tinkering with tcpxtract is fun (:])

P/S: adli, hopefully this is helping .....

1 comment:

adli said...

ya actually foremost is giving better results for my brontok capture. tcpxtract is ok in some instance nevertheless :-)