Reconstructing a Transmitted File

Previously I’ve blogged about taking initial steps using Wireshark to inspect data within a network to see what data might be leaking on a network. If there does happen to be unencrypted information being transmitted on a network you may want to see exactly what that data is in order to know how important the data is that is being exposed. I’ve created a tutorial using Wireshark and a hex editor that will allow you to reconstruct a binary from raw transmitted data.

Once you have Wireshark loaded up, navigate to a site that does not use HTTPS and you should (albeit briefly) see the data from the website collected by Wireshark. I used a site called bonsaitreegardener.net which I know has a lot of images so it allowed me to easily reconstruct an image file.

Now you have the data within Wireshark, hit the stop capture button in the toolbar and enter “http” in the display filter box at the top which will restrict the output to mainly data from the website you chose. Right click “Follow” and choose TCP Stream. This will open a separate window with the full TCP output, we will need to change the output to Raw in the “Show and save data as:” drop-down box.

The data will change from having small aspects of legibility to being a stream of hex letters and numbers. It’s best to use a Hex editor to manipulate the stream as it will be displayed with a clear structure, as I use macOS I chose a hex editor called Hex Fiend, but there are others out there so find the one that’s best for you. Copy the data across from Wireshark (right click and choose select all, then right click copy) and into your hex editor.

The mass of data can seem overwhelming and it can seem difficult to even get started in extracting a usable file from this data, but once you examine the file you’ll see that as long you can determine the file’s signature, it is relatively simple to extract the data. I used a list of signatures by Gary Kessler which lists the defining characteristics of a file and as I already knew I had a large number of JPEG’s as part of the stream I ignored any other file signatures. In reality it would be likely you wouldn’t know the exact format information was being broadcasted in ahead of time.

Finding a JPEG Signature within Hex Fiend

According to Garry Kessler’s website a JPEG’s signature is  the hex characters FF D8 at the start of a file and FF D9 at the end, so within Hex Fiend I searched for the start and end characters in a block of hex text and then deleted all characters surrounding this block. When you have your block of hex, save the information within Hex Fiend using a name of your choice along with the extension of the file. This file should then be accessible and viewable.

Reconstructed Image
My final reconstructed image

You could carry on sifting through the data to find even more JPEGs but this at least gives you an example to follow. There are also automated methods for extracting binaries from raw data, but like me you may find you understand how a piece of technology works if you know more about the foundations.