Exercise 1
Description: Extract the web object image from wireshark3.pcap and view it. According to the extracted image, what did Snort save?


Exercise 2
Description: Carve and decode the base64-encoded message from the SMTP exchange between 10.10.10.10 and 10.10.10.25. What does it say?
First, we apply a display filter so that only the packets exchanged between the two hosts are shown:

Then, we can right-click any of these packets and follow the TCP stream for this conversation:

We can then save this stream to a file in ‘Raw’ format:

Using Notepad, I can now edit the file I just saved: I delete every line above and below the single base64-encoded line, and I remove all blank lines, so that only the base64 text remains.

I can now decode the resulting carved base64 file. There are many online base64 decoders available, and most operating systems also ship a built-in tool that can do it.
On Windows, I am going to use the built-in certutil command-line tool. With the -decode option, certutil reads a base64 file and writes the decoded file. The format is:

The encoded message says: You rock big time!
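The manual steps above (follow the stream, trim everything except the base64 line, decode) can be automated so the carving is repeatable and less error-prone than editing in Notepad. The script below is an added example and is not part of the original exercise or any tool it mentions; it assumes the text shown by Wireshark's "Follow TCP Stream" has been saved to a file, and SAMPLE_STREAM is a constructed stand-in for that text (the hosts, addresses and headers are made up for illustration). It locates the DATA phase of the SMTP session, separates the MIME headers from the body, un-stuffs leading dots, and decodes the base64 payload with strict validation so that stray characters left over from the stream are reported rather than silently dropped.

```python
import base64
import re
from typing import Dict, Tuple

# Constructed sample of a followed SMTP TCP stream (both directions interleaved,
# as Wireshark shows them in raw mode). Not the stream from wireshark3.pcap.
SAMPLE_STREAM = (
    "220 mail.example.test ESMTP ready\r\n"
    "EHLO client.example.test\r\n"
    "250-mail.example.test\r\n"
    "250 8BITMIME\r\n"
    "MAIL FROM:<alice@example.test>\r\n"
    "250 2.1.0 Ok\r\n"
    "RCPT TO:<bob@example.test>\r\n"
    "250 2.1.5 Ok\r\n"
    "DATA\r\n"
    "354 End data with <CR><LF>.<CR><LF>\r\n"
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: hello\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "WW91IHJvY2sgYmlnIHRpbWUh\r\n"
    ".\r\n"
    "250 2.0.0 Ok: queued\r\n"
    "QUIT\r\n"
    "221 2.0.0 Bye\r\n"
)

# A line made only of base64 alphabet characters with optional '=' padding.
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def carve_smtp_body(stream: str) -> str:
    """Return the message between the server's 354 reply and the lone '.' line
    that terminates the first DATA phase of a followed SMTP stream."""
    lines = stream.replace("\r\n", "\n").split("\n")
    # The message body begins right after the 354 "go ahead" reply...
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("354")) + 1
    except StopIteration:
        raise ValueError("no 354 reply found: stream has no DATA phase")
    # ...and ends at the first line that is exactly '.'
    try:
        end = next(i for i in range(start, len(lines)) if lines[i] == ".")
    except StopIteration:
        raise ValueError("DATA phase is not terminated by a '.' line")
    # SMTP dot-stuffing: a body line starting with '.' is sent as '..'
    body = [line[1:] if line.startswith("..") else line for line in lines[start:end]]
    return "\n".join(body)


def split_message(body: str) -> Tuple[Dict[str, str], str]:
    """Split an RFC 822 style message into a lower-cased header dict and the raw body."""
    header_block, _, payload = body.partition("\n\n")
    headers: Dict[str, str] = {}
    for raw in header_block.split("\n"):
        name, _, value = raw.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers, payload


def decode_message(stream: str) -> str:
    """Carve the SMTP body from a followed stream and decode its base64 payload."""
    headers, payload = split_message(carve_smtp_body(stream))
    encoding = headers.get("content-transfer-encoding", "").lower()
    # Keep only lines that look like base64; this is the programmatic version of
    # deleting everything except the encoded line in the text editor.
    b64_lines = [line.strip() for line in payload.split("\n") if BASE64_LINE.match(line.strip())]
    if encoding != "base64" and not b64_lines:
        raise ValueError(f"body is not base64 (Content-Transfer-Encoding={encoding or 'absent'})")
    # validate=True raises on characters outside the base64 alphabet instead of
    # ignoring them, which would otherwise hide a botched carve.
    decoded = base64.b64decode("".join(b64_lines), validate=True)
    return decoded.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # With a real capture: open(path_to_saved_stream).read() in place of SAMPLE_STREAM
    print(decode_message(SAMPLE_STREAM))
```

Because the decoder keys on the SMTP protocol markers (the 354 reply and the terminating dot) and on the Content-Transfer-Encoding header rather than on line positions, the same function works on a stream of any length, and a mangled carve fails loudly instead of producing silently truncated output.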