Tutorial: Data Carving

data carving

Introduction

Since 2013 more and more traffic is encrypted, so the classic data carving will not work anymore. You may guess what happened in 2013.

Nevertheless, even the TLS/SSL protocol leaks still something and we still keep our old plugins alive for the community, so that students can label data for their work. Note, that there are still sites which use unencrypted protocols. Also people who do competitions like Capture the Flag (CTF) might be interested in such capabilities.

Last but not least, admins might also be interested in the use of unencrypted protocols when the content should be encrypted. These configuration mistakes happen from time to time and can wreck havoc in your organization.

These plugins help also the teaching community to demonstrate the danger of unencrypted traffic.

Plugins with Data Carving Capabilities

In the good old times, before 2013, a lot of traffic was not encrypted, so content could be extracted from the packets defining the flow. This process is called data carving. Tranalyzer (T2) has this ability, but each plugin operating on unencrypted data has to implement it. Hence, the following plugins provide a data caving mode:

httpSniffer	Extract Pictures, Videos, Text, Documents
telnetDecode	Extract communication content, including user names and passwords
ftpDecode	Extract communication content, including user names and password
tftpDecode	Extract communication content, including user names and passwords
popDecode	Extract Emails, including attachments, user names and passwords
smtpDecode	Extract Emails, including attachments, user names and passwords
smbDecode	Extract all content, user names and passwords
voipDetector	Extract voice content
ntlmsspDecode	Extract decoded NetNTLMv1/v2 hashes, for white hat cracking experiments
sslDecode	Extract certificates
payloadDumper	Dump the payload of TCP/UDP flows to files (similar to tcpflow)
pwX	Extract usernames and passwords for all unencrypted protocols

Have fun data carving with T2!