Last active
December 20, 2019 19:01
## If the Wireshark "Export Objects" feature does not work well, you can still extract the files manually.

## If the file data is present in an SMB "Write" packet...

1. Choose the "Write Request" packet that contains the file data you are interested in.
2. Open the "Data" section, highlight "Data:" and right-click it.
3. You can either...
   A. Choose "Copy" > "as a Hex Stream" and paste the data into Notepad.
   B. Choose "Export Packet Bytes" and save the data of each packet as a file.
   NOTE: The order of the packets is very important! Pay attention to the "Offset" field of each Write Request (the position in the file where that chunk is written), not to the order in which the packets appear in the capture: a client may send writes out of order, and the same region can be written more than once (the later write is the one that ends up in the file). Make sure to get the data in the right order!
4. Repeat steps 1-3 until you have all the data.
5. If you chose option A in step 3...
   Once you have copied the data from every packet, paste the hex data into a hex editor and save it. Done!
   If you chose option B in step 3...
   Once you have saved all the data, concatenate the saved files into one file.
   e.g.) cat data01.raw data02.raw data03.raw > concat.raw
   Done!

## If the file data is present in an SMB "Read" packet...

The file data is present in the "Read Response" packet, so make sure to choose the Data field in the "Read Response" packet. Note that the response does not carry the file offset; that is in the matching "Read Request", so pair each response with its request (in SMB2 they share the same Message ID) before putting the chunks in order.
Other than that, the process is the same as above.
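As an added example (not part of the gist above), the same procedure carried out as a script: it parses SMB2 WRITE requests, groups them by FileId, orders the chunks by the Offset field rather than by capture order, and raises an error if a chunk is missing. The field layouts come from the SMB2 specification (64-byte header, 48-byte fixed WRITE request body); the PDUs fed to it are constructed inline for the demo and are not captured traffic, and `build_write_request`, `parse_write_request`, `reassemble` and `extract_files` are names chosen here. Each PDU is expected to start at the `\xfeSMB` magic, i.e. the bytes of the SMB2 layer as "Export Packet Bytes" gives them, without the 4-byte NetBIOS session header.

```python
import struct
from collections import defaultdict

# SMB2 constants: protocol magic, WRITE command code, fixed header length and
# the fixed part of the WRITE request body that precedes the data buffer.
SMB2_MAGIC = b"\xfeSMB"
SMB2_WRITE = 0x0009
HDR_LEN = 64
WRITE_BODY_LEN = 48

# SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command,
# CreditRequest, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
HDR_FMT = "<4sHHIHHIIQIIQ16s"
# WRITE request body: StructureSize, DataOffset, Length, Offset, FileId, Channel,
# RemainingBytes, WriteChannelInfoOffset, WriteChannelInfoLength, Flags
WRITE_FMT = "<HHIQ16sIIHHI"


def build_write_request(file_id: bytes, offset: int, data: bytes, msg_id: int) -> bytes:
    """Constructed SMB2 WRITE request PDU (header + body + data) used as demo input.
    Synthetic test data, not captured traffic."""
    hdr = struct.pack(HDR_FMT, SMB2_MAGIC, HDR_LEN, 1, 0, SMB2_WRITE, 1,
                      0, 0, msg_id, 0, 1, 0x1234, b"\0" * 16)
    body = struct.pack(WRITE_FMT, 49, HDR_LEN + WRITE_BODY_LEN, len(data), offset,
                       file_id, 0, 0, 0, 0, 0)
    return hdr + body + data


def parse_write_request(pdu: bytes):
    """Return (file_id, file_offset, data) for an SMB2 WRITE request PDU,
    or None if the PDU is something else (other command, or a server response)."""
    if len(pdu) < HDR_LEN + WRITE_BODY_LEN or pdu[:4] != SMB2_MAGIC:
        return None
    hdr = struct.unpack(HDR_FMT, pdu[:HDR_LEN])
    command, flags = hdr[4], hdr[6]
    if command != SMB2_WRITE or flags & 0x1:  # Flags bit 0 set = server-to-client
        return None
    _, data_off, length, offset, file_id, *_rest = struct.unpack(
        WRITE_FMT, pdu[HDR_LEN:HDR_LEN + WRITE_BODY_LEN])
    # DataOffset is relative to the start of the SMB2 header, so index from the PDU start.
    data = pdu[data_off:data_off + length]
    if len(data) != length:
        raise ValueError("truncated WRITE: Length says %d bytes, PDU holds %d" % (length, len(data)))
    return file_id, offset, data


def reassemble(chunks):
    """Rebuild file content from (offset, data) chunks ordered by file offset.
    Raises ValueError on a gap. Chunks are sorted stably, so when the same range
    is written twice the later write in capture order overwrites the earlier one."""
    out = bytearray()
    for offset, data in sorted(chunks, key=lambda c: c[0]):
        if offset > len(out):
            raise ValueError("gap at offset %d: %d bytes missing" % (len(out), offset - len(out)))
        out[offset:offset + len(data)] = data  # overwrite and/or extend
    return bytes(out)


def extract_files(pdus):
    """Group WRITE requests by FileId (in capture order) and reassemble each file."""
    per_file = defaultdict(list)
    for pdu in pdus:
        parsed = parse_write_request(pdu)
        if parsed is not None:
            file_id, offset, data = parsed
            per_file[file_id].append((offset, data))
    return {file_id: reassemble(chunks) for file_id, chunks in per_file.items()}


# Constructed demo: a 770-byte "file" sent in three WRITE requests that appear
# on the wire as chunk 3, chunk 1, chunk 2. Capture order would corrupt the file;
# Offset order restores it.
DEMO_FILE_ID = b"\x11" * 16
DEMO_ORIGINAL = b"MZ" + bytes(range(256)) * 3
DEMO_PARTS = [(0, DEMO_ORIGINAL[:200]), (200, DEMO_ORIGINAL[200:500]), (500, DEMO_ORIGINAL[500:])]


def demo_pdus():
    wire_order = [DEMO_PARTS[2], DEMO_PARTS[0], DEMO_PARTS[1]]
    return [build_write_request(DEMO_FILE_ID, off, data, msg_id)
            for msg_id, (off, data) in enumerate(wire_order)]


def demo():
    return extract_files(demo_pdus())


if __name__ == "__main__":
    files = demo()
    for file_id, content in files.items():
        print(file_id.hex(), len(content), "bytes, intact:", content == DEMO_ORIGINAL)
        with open("extracted_" + file_id.hex() + ".bin", "wb") as fh:
            fh.write(content)
```

The gap check is the practical point of the NOTE in step 3: if you skipped a Write Request while copying, concatenating what you have silently produces a corrupt file, whereas comparing the next chunk's Offset with the bytes already written catches the hole. For Read Responses the same `reassemble` applies, but the offset has to be taken from the paired Read Request rather than from the response.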