Been testing a neat little app called tcpxtract.

What it does is grab files from sniffed traffic through “carving”. It can be used against live sniffing or against a pcap file.

Findings so far:

First, I thought I would run it against a kismet pcap file I had laying. It turned up a couple of images; must have been people browsing the web. I would assume other files would work no problem, since wireless is not a switched network and anyone can see all the traffic.


Second, I thought I would fire up ethereal and bind it to my local Ethernet card to sniff. I did a few file transfers during the sniff: SCP, FTP, Windows SMB share (AD. I saved the sniff in a pcap file and ran tcpxtract against it.

– SCP: I obviously did not grab that file I transferred.
– FTP: do I even have to tell?
– SMB: yep, grabbed that file too.
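To show why the FTP and SMB transfers above turned up as files while the SCP one did not, here is a small signature carver in the spirit of what tcpxtract does. This is an added example, not tcpxtract's own code: it scans a reassembled byte stream for header/footer byte patterns (a constructed subset of signatures, constructed sample data) and cuts out whatever lies between them, which only works when the payload is in the clear.

```python
# Header/footer byte signatures, a constructed subset of the kind of patterns a
# carver such as tcpxtract is configured with (not tcpxtract's actual config).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "gif": (b"GIF8", b"\x00\x3b"),
}
MAX_SIZE = 1_000_000  # give up on a header if no footer appears within this many bytes


def carve(stream: bytes, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return a list of (type, offset, data) for every file carved from the stream.

    The stream is whatever was reassembled from the wire; an encrypted
    transfer (SCP, TLS) contains no recognisable headers, so nothing is found.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        start = 0
        while True:
            h = stream.find(header, start)
            if h == -1:
                break
            window = stream[h:h + max_size]
            f = window.find(footer, len(header))
            if f == -1:
                start = h + 1  # header without a footer in range: skip it
                continue
            end = h + f + len(footer)
            found.append((ftype, h, stream[h:end]))
            start = end
    found.sort(key=lambda item: item[1])
    return found


# Constructed sample: a cleartext HTTP response carrying a tiny JPEG,
# followed by a PDF fragment in the same stream.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01...pixels...\xff\xd9"
    b"\r\n--boundary\r\n"
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for ftype, offset, data in carve(SAMPLE_STREAM):
        print(f"{ftype} at offset {offset}: {len(data)} bytes")
```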


Third, I was thinking this isn’t that useful. Why do I want to see my own files transferred? And on a wireless network, for anyone to transfer anything useful is just plain stupid.

So, I got to thinking: how about a “man in the middle” attack? I fire up the handy ettercap and poison the ARP cache on the switch, route all traffic to my local Ethernet card, and then route the packets on to their final destination.

Now, since all the switch traffic is running through my Ethernet device, I bind tcpxtract to my local Ethernet device. And the files started to pour in (mpg, mp3, doc, pdf, etc.), a lot of them.


Now, I’m sure people see the danger here. For security testers/auditors it’s a way to rid your company of using FTP and other non-secure protocols. Do that attack against some highly sensitive servers, and then show your manager all the nice sensitive documents you mined!

I will be looking into other methods of using tcpxtract.