Tutorial: Data Carving
Since 2013 more and more traffic has been encrypted, so classic data carving no longer works on most flows. You may guess what happened in 2013.
Nevertheless, even the TLS/SSL protocol still leaks some information, and we keep our old plugins alive for the community so that students can label data for their work. Note that there are still sites which use unencrypted protocols. People who do competitions like Capture the Flag (CTF) might also be interested in such capabilities.
Last but not least, admins might also be interested in spotting the use of unencrypted protocols where the content should be encrypted. These configuration mistakes happen from time to time and can wreak havoc in your organization.
These plugins also help the teaching community to demonstrate the danger of unencrypted traffic.
Plugins with Data Carving Capabilities
In the good old times, before 2013, a lot of traffic was not encrypted, so content could be extracted from the packets that make up a flow. This process is called data carving. Tranalyzer (T2) has this ability, but each plugin operating on unencrypted data has to implement it itself. Hence, the following plugins provide a data carving mode:
| Plugin | Data carving capability |
|---|---|
| httpSniffer | Extract pictures, videos, text, documents |
| telnetDecode | Extract communication content, including user names and passwords |
| ftpDecode | Extract communication content, including user names and passwords |
| tftpDecode | Extract communication content, including user names and passwords |
| popDecode | Extract emails, including attachments, user names and passwords |
| smtpDecode | Extract emails, including attachments, user names and passwords |
| smbDecode | Extract all content, user names and passwords |
| voipDetector | Extract voice content |
| ntlmsspDecode | Extract decoded NetNTLMv1/v2 hashes, for white hat cracking experiments |
| payloadDumper | Dump the payload of TCP/UDP flows to files (similar to tcpflow) |
| pwX | Extract usernames and passwords for all unencrypted protocols |
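To make concrete what "extracting content from the packets that make up a flow" means for a plugin like httpSniffer, here is a small added example of a data carver. It is not Tranalyzer code; the sample HTTP stream, the tiny JPEG/PNG stand-ins and all function names are constructed for this illustration. The first routine walks a reassembled server-to-client HTTP/1.x stream, uses Content-Length framing to cut out each response body and keeps those whose magic bytes identify a file type; the second scans a raw payload blob by file signature, which is the situation you are in with a payloadDumper output file that has no protocol framing left. Truncated captures are handled by refusing to emit a partial object.

```python
"""Minimal data carver for unencrypted HTTP flows (added example, not Tranalyzer code)."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# File signatures: name -> (header magic, trailer magic).  Constructed subset;
# real carvers carry a much longer table.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


@dataclass
class CarvedObject:
    kind: str      # signature name from SIGNATURES
    offset: int    # byte offset of the object inside the input stream
    data: bytes    # the carved bytes


def identify(data: bytes) -> Optional[str]:
    """Return the signature name whose header magic starts the data, if any."""
    for kind, (head, _) in SIGNATURES.items():
        if data.startswith(head):
            return kind
    return None


def carve_http_responses(stream: bytes) -> List[CarvedObject]:
    """Carve file bodies out of a reassembled HTTP/1.x response stream.

    Only Content-Length framed responses are handled; chunked encoding and
    connection-close bodies stop the walk, as does a truncated capture.
    """
    objects: List[CarvedObject] = []
    pos = 0
    while True:
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0 or not stream.startswith(b"HTTP/1.", pos):
            break
        headers = stream[pos:hdr_end].decode("latin-1")
        m = re.search(r"^Content-Length:\s*(\d+)\s*$", headers, re.I | re.M)
        if m is None:
            break
        length = int(m.group(1))
        body_start = hdr_end + 4
        body = stream[body_start:body_start + length]
        if len(body) < length:
            break  # truncated capture: never emit a partial object
        kind = identify(body)
        if kind is not None:
            objects.append(CarvedObject(kind, body_start, body))
        pos = body_start + length
    return objects


def carve_by_signature(blob: bytes) -> List[CarvedObject]:
    """Signature-based carving for raw payload with no protocol framing."""
    objects: List[CarvedObject] = []
    for kind, (head, tail) in SIGNATURES.items():
        start = blob.find(head)
        while start >= 0:
            end = blob.find(tail, start + len(head))
            if end < 0:
                break  # header without trailer: incomplete object, skip it
            end += len(tail)
            objects.append(CarvedObject(kind, start, blob[start:end]))
            start = blob.find(head, end)
    objects.sort(key=lambda o: o.offset)
    return objects


def save_objects(objects: List[CarvedObject], outdir: Path) -> List[Path]:
    """Write each carved object to <outdir>/<offset>.<kind>; returns the paths."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for obj in objects:
        path = outdir / f"{obj.offset}.{obj.kind}"
        path.write_bytes(obj.data)
        paths.append(path)
    return paths


# --- constructed sample input (not a real capture) ---------------------------
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9"          # minimal JPEG shape
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 4 + b"IEND\xaeB`\x82"    # minimal PNG shape
HTML = b"<html>hi</html>"


def http_response(ctype: bytes, body: bytes) -> bytes:
    """Build a Content-Length framed HTTP/1.1 response for the sample stream."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


SAMPLE_STREAM = (http_response(b"text/html", HTML)
                 + http_response(b"image/jpeg", JPEG)
                 + http_response(b"image/png", PNG))

if __name__ == "__main__":
    for obj in carve_http_responses(SAMPLE_STREAM):
        print(f"{obj.kind} at offset {obj.offset}, {len(obj.data)} bytes")
    print(save_objects(carve_by_signature(SAMPLE_STREAM), Path("carved_out")))
```

The HTML body is deliberately left out of the result because no file signature matches it; a real plugin would additionally key on the Content-Type header and on the URL seen in the request direction of the flow.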
Have fun data carving with T2!