Data carving

data carving FTP HTTP NTLM NTLMSSP POP username password unencrypted TCP UDP SMB SMTP SSL TLS Telnet TFTP VoIP RTP


Since 2013 more and more traffic is encrypted, so the classic data carving will not work anymore. You may guess what happened in 2013.

Nevertheless, even the TLS/SSL protocol leaks still something and we still keep our old plugins alive for the community, so that students can label data for their work. Note, that there are still sites which use unencrypted protocols. Also people who do competitions like Capture the Flag (CTF) might be interested in such capabilities.

Last but not least, admins might also be interested in the use of unencrypted protocols when the content should be encrypted. These configuration mistakes happen from time to time and can wreck havoc in your organization.

These plugins help also the teaching community to demonstrate the danger of unencrypted traffic.

Plugins with data carving capabilities

In the good old times, before 2013, a lot of traffic was not encrypted, so content could be extracted from the packets defining the flow. This process is called data carving. Tranalyzer (T2) has this ability, but each plugin operating on unencrypted data has to implement it. Hence, the following plugins provide a data caving mode:

ftpDecode Extract FTP communication content, including user names and password
httpSniffer Extract HTTP pictures, videos, text, documents, …
ntlmsspDecode Extract decoded NetNTLMv1/v2 hashes, for white hat cracking experiments
payloadDumper Dump the payload of TCP/UDP flows to files (similar to tcpflow)
popDecode Extract POP emails, including attachments, user names and passwords
pwX Extract usernames and passwords for all unencrypted protocols
smbDecode Extract SMB content, user names and passwords
smtpDecode Extract SMTP emails, including attachments, user names and passwords
sslDecode Extract SSL/TLS certificates
telnetDecode Extract Telnet communication content, including user names and passwords
tftpDecode Extract TFTP communication content, including user names and passwords
voipDetector Extract voice content from RTP flows

Have fun data carving with T2!