Tutorial: Data Carving


Introduction

Since 2013, the year of the Snowden disclosures, a growing share of traffic has been encrypted, so classic data carving no longer works on the payload of those flows.

Nevertheless, even TLS/SSL still leaks some metadata (for example the server name in the SNI extension and, before TLS 1.3, the server certificate in the clear), and we keep our old plugins alive for the community so that students can label data for their work. Note that there are still sites and services which use unencrypted protocols. People who take part in Capture the Flag (CTF) competitions may also be interested in these capabilities.

Last but not least, admins may also be interested in spotting unencrypted protocols where the content should be encrypted. Such configuration mistakes happen from time to time and can wreak havoc in your organization.

These plugins also help the teaching community to demonstrate the danger of unencrypted traffic.

Plugins with Data Carving Capabilities

In the good old times, before 2013, a lot of traffic was not encrypted, so content could be extracted from the packets that make up a flow. This process is called data carving. Tranalyzer (T2) has this ability, but each plugin operating on unencrypted data has to implement it for its own protocol. Hence, the following plugins provide a data carving mode:

httpSniffer: Extract pictures, videos, text and documents
telnetDecode: Extract communication content, including user names and passwords
ftpDecode: Extract communication content, including user names and passwords
tftpDecode: Extract communication content, including user names and passwords
popDecode: Extract emails, including attachments, user names and passwords
smtpDecode: Extract emails, including attachments, user names and passwords
smbDecode: Extract all content, user names and passwords
voipDetector: Extract voice content
ntlmsspDecode: Extract decoded NetNTLMv1/v2 hashes, for white hat cracking experiments
sslDecode: Extract certificates
payloadDumper: Dump the payload of TCP/UDP flows to files (similar to tcpflow)
pwX: Extract user names and passwords for all unencrypted protocols
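To make the idea of data carving concrete, here is an added example in plain Python that is not part of Tranalyzer or this tutorial. It does, on two constructed sample flows, what the plugins above do on real traffic: reassemble the payload of a flow, then carve a file out of an HTTP response (as httpSniffer does) and pull cleartext credentials out of an FTP login and an HTTP Basic header (as ftpDecode and pwX do). The flows, the function names and the file-signature table are assumptions made for the example; a real carver also has to do proper TCP reassembly, which is skipped here because the sample segments are already in order.

```python
"""Minimal carver for unencrypted TCP flows.

Added example, not code from Tranalyzer: it shows in plain Python what
the carving plugins above do on cleartext protocols, namely reassemble
the payload of a flow and then pull files (httpSniffer) and credentials
(ftpDecode, pwX) out of it.  The two flows below are constructed sample
data, not captured traffic, and every function here is a hypothetical
helper, not a T2 API.
"""
import base64
import hashlib
import re

# Constructed sample flows as (direction, payload) segments, already in order.
# A client fetching a small PNG over plain HTTP with Basic authentication.
HTTP_FLOW = [
    ("c2s", b"GET /logo.png HTTP/1.1\r\nHost: intranet.example\r\n"
            b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
            b"Content-Length: 16\r\n\r\n"
            b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"),
]
# A cleartext FTP login.
FTP_FLOW = [
    ("s2c", b"220 ftp.example FTP server ready\r\n"),
    ("c2s", b"USER bob\r\n"),
    ("s2c", b"331 Password required for bob\r\n"),
    ("c2s", b"PASS s3cret\r\n"),
    ("s2c", b"230 User bob logged in\r\n"),
]

# Magic bytes used to name what was carved, independent of the Content-Type header.
FILE_SIGNATURES = {b"\x89PNG\r\n\x1a\n": "png", b"%PDF-": "pdf", b"\xff\xd8\xff": "jpg"}


def reassemble(flow, direction):
    """Concatenate one direction of a flow into a byte stream.

    A real carver has to do TCP reassembly (sequence numbers, retransmissions,
    gaps); the sample flows are in order and complete, so a join is enough."""
    return b"".join(payload for d, payload in flow if d == direction)


def carve_http_bodies(server_stream):
    """Return (content_type, body) for every HTTP response with a Content-Length."""
    found, pos = [], 0
    while True:
        hdr_end = server_stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break
        head = server_stream[pos:hdr_end].decode("latin-1")
        clen = re.search(r"^Content-Length:\s*(\d+)", head, re.M | re.I)
        ctype = re.search(r"^Content-Type:\s*([^\r\n;]+)", head, re.M | re.I)
        if clen is None:
            break  # chunked or unknown length: not handled in this example
        start, length = hdr_end + 4, int(clen.group(1))
        body = server_stream[start:start + length]
        if len(body) < length:
            break  # truncated capture: do not emit a partial file
        found.append((ctype.group(1).strip() if ctype else "application/octet-stream", body))
        pos = start + length
    return found


def carve_files(flow):
    """Describe each file carved from the server side of an HTTP flow."""
    files = []
    for ctype, body in carve_http_bodies(reassemble(flow, "s2c")):
        ext = next((e for magic, e in FILE_SIGNATURES.items() if body.startswith(magic)), "bin")
        files.append({"type": ctype, "ext": ext, "size": len(body),
                      "sha256": hashlib.sha256(body).hexdigest()})
    return files


def extract_credentials(flow):
    """Return (method, user, password) for credentials sent in the clear."""
    creds, client = [], reassemble(flow, "c2s")
    user = password = None
    for line in client.split(b"\r\n"):          # USER/PASS as used by FTP and POP3
        if line[:5].upper() == b"USER ":
            user = line[5:].decode("latin-1")
        elif line[:5].upper() == b"PASS ":
            password = line[5:].decode("latin-1")
    if user is not None and password is not None:
        creds.append(("user/pass", user, password))
    for m in re.finditer(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", client, re.M | re.I):
        try:                                      # HTTP Basic is only base64, not encryption
            u, _, p = base64.b64decode(m.group(1), validate=True).decode("latin-1").partition(":")
        except (ValueError, UnicodeDecodeError):
            continue
        creds.append(("http-basic", u, p))
    return creds


if __name__ == "__main__":
    for name, flow in (("HTTP", HTTP_FLOW), ("FTP", FTP_FLOW)):
        print(name, "files:", carve_files(flow))
        print(name, "credentials:", extract_credentials(flow))
```

The carver refuses to emit a file when the capture is shorter than the announced Content-Length and identifies the carved body by its magic bytes rather than trusting the Content-Type header, two checks worth keeping in any real carving tool. On the FTP flow it finds no files but recovers the user name and password, which is exactly the exposure an admin is looking for when auditing for cleartext protocols.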

Have fun data carving with T2!