Thursday, August 18, 2011

Extracting TFTP data from pcap files with Scapy

I've come across another challenge on This time it was about analyzing a pcap file. When we open the OperationNEPTUNE.pcap in Wireshark and go to Statistics->Conversations, we see a couple of TFTP file transfers.

Usually we extract the data by following the TCP/UDP stream, selecting the direction in which the data is sent, using "Save As", then cleaning off the extra bytes with a hex editor (Okteta or MadEdit on Linux).

In this case, however, the payload of every data packet begins with a 2-byte TFTP opcode (0x0003 == Data packet) followed by a 2-byte block number that is incremented each time (0x0001, 0x0002, 0x0003, etc.).

This means that we have overhead bytes not only at the beginning of the stream but also in the middle:
00 03 00 01 data1 00 03 00 02 data2 00 03 00 03 data3 00 03 00 04 data etc...
Sometimes 4 extra bytes for every 512 bytes of data is not a big deal, as with a .wav file in this pcap, which was still playable after removing only the 00 03 00 01 at the beginning (that header must go because each file begins with its format's magic number, which is the start of data1 here).
But in other cases, such as a .7z file contained in the same pcap, the data must not be altered at all.

Obviously, it would be very unproductive to clean the whole data stream by hand in an editor.
In Wireshark we first filter out packets that don't interest us, applying this display filter:
tftp.opcode == 3 and tftp.destination_file == "IECache.7z"
Then we go to File->Save As..., select Displayed and choose a file name.

After that we fire up Scapy and read the pcap file.
>>> packets = rdpcap("IECache.pcap")
>>> packets
<IECache.pcap: TCP:0 UDP:569 ICMP:0 Other:0>
Then we iterate over the packet list and write each payload to the output file without its first 4 bytes (the file is opened in binary mode so nothing in the archive gets translated).
>>> f = open("IECache.7z", "wb")
>>> for p in packets:
...     f.write(p.load[4:])    # drop the 2-byte opcode and the 2-byte block number
...
>>> f.close()
and that is it.
$ file IECache.7z
IECache.7z: 7-zip archive data, version 0.3
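The one-liner above assumes that every DATA packet saved from Wireshark belongs to the same transfer, arrived in order and exactly once. Real captures are not always that tidy: TFTP retransmits a block when the ACK is lost, and a stripped-and-concatenated stream would then contain that block twice. The following is an added example, not code from the original post; it does the same 4-byte header stripping but checks the opcode, deduplicates retransmitted blocks, orders them by block number and refuses gaps or a short block that is not the last one. It works on raw UDP payloads so it runs without Scapy; the sample payloads (one retransmission, two blocks out of order) are constructed inline. With Scapy you could feed it `[bytes(p[UDP].payload) for p in rdpcap("IECache.pcap")]` after the same Wireshark filter has isolated one transfer.

```python
import struct

TFTP_OPCODE_DATA = 3
TFTP_BLOCK_SIZE = 512  # default block size; a shorter block ends the transfer


def parse_tftp_data(payload: bytes):
    """Split one TFTP DATA payload into (block_number, data).

    Layout: 2-byte opcode (must be 3), 2-byte block number, then the data.
    Any other opcode (RRQ, ACK, ERROR...) is rejected so a stray packet that
    slipped through the capture filter cannot end up inside the output file.
    """
    if len(payload) < 4:
        raise ValueError("payload too short for a TFTP DATA header")
    opcode, block = struct.unpack("!HH", payload[:4])
    if opcode != TFTP_OPCODE_DATA:
        raise ValueError(f"not a DATA packet (opcode {opcode})")
    return block, payload[4:]


def reassemble_tftp_data(payloads, block_size=TFTP_BLOCK_SIZE) -> bytes:
    """Rebuild the transferred file from the DATA payloads of one transfer.

    A block seen twice with identical data is a retransmission and is dropped.
    A block seen twice with different data, a missing block number, or a
    short block that is not the final one means the capture is unusable.
    """
    blocks = {}
    for payload in payloads:
        block, data = parse_tftp_data(payload)
        if block in blocks:
            if blocks[block] != data:
                raise ValueError(f"block {block} retransmitted with different data")
            continue  # plain retransmission, nothing new
        blocks[block] = data
    if not blocks:
        return b""
    expected = list(range(1, max(blocks) + 1))
    missing = [b for b in expected if b not in blocks]
    if missing:
        raise ValueError(f"missing blocks: {missing}")
    out = bytearray()
    for b in expected:
        data = blocks[b]
        if b != expected[-1] and len(data) != block_size:
            raise ValueError(f"block {b} is short but not the last block")
        out += data
    return bytes(out)


def build_tftp_data(block: int, data: bytes) -> bytes:
    """Build a DATA payload; used here only to construct sample traffic."""
    return struct.pack("!HH", TFTP_OPCODE_DATA, block) + data


# Constructed sample: a 1034-byte "file" starting with the real 7z magic
# number, sent as 512 + 512 + 10 bytes. Block 1 is retransmitted and block 3
# arrives before block 2, which is exactly what the naive strip-and-append
# loop would get wrong.
SAMPLE_FILE = b"7z\xbc\xaf\x27\x1c" + bytes(range(256)) * 4 + b"tail"
SAMPLE_PAYLOADS = [
    build_tftp_data(1, SAMPLE_FILE[0:512]),
    build_tftp_data(1, SAMPLE_FILE[0:512]),    # retransmission after a lost ACK
    build_tftp_data(3, SAMPLE_FILE[1024:]),    # final (short) block, arrived early
    build_tftp_data(2, SAMPLE_FILE[512:1024]),
]

if __name__ == "__main__":
    recovered = reassemble_tftp_data(SAMPLE_PAYLOADS)
    print(len(recovered), "bytes, magic:", recovered[:6].hex())
    with open("recovered.bin", "wb") as f:
        f.write(recovered)
```

Feeding the same four payloads through the naive loop from the post would produce 1546 bytes (block 1 twice, block 3 before block 2), so the `file` check at the end would still say "7-zip archive data" while the archive itself would be unreadable; checking block numbers is what makes the extraction trustworthy rather than merely plausible.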
We could have used automated pcap extraction tools like NetworkMiner on Windows or Xplico on Linux (both are open source and free), but nothing beats Scapy, the networking Swiss Army Knife. ;)

1 comment:

  1. Hi all,

    TFTP is a simple protocol to transfer files. This is designed to be small and easy to implement, therefore, lacks most of the features of a regular FTP. It only reads and writes files from a remote server. It cannot list directories and currently has no provisions for user authentication. Thanks a lot.......
