Wireshark Lab 3.0 Extracting ZIP Files From PCAP and Analysis With CyberChef (V1.1)

Uploaded by

fallj366

OVERVIEW
When reviewing packet captures (PCAPs) of suspicious activity, security
professionals may need to export objects from the PCAP for closer
examination.
We will use a few PCAP files of network traffic to practice extracting
objects using Wireshark.

OBJECTIVE:
1- How to export objects from HTTP traffic.
2- How to extract files from a PCAP file.

REQUIREMENTS:
Wireshark Application
OS (Windows, macOS, or Linux)

STEPS:
Part 1- Exporting objects from HTTP traffic

Part 1 - Download the PCAP file and run the filter
http.request: a display filter that matches packets in which a client sends a request to the
web server to retrieve an HTML page. Request filters cover the following scope: request method,
URL host, URL path, URL query, and HTTP header.
HTTP Response

Download the PCAP for this lab using the link here. Password: infected
Extract the archive after you download it, then open the .pcap file. After
opening the PCAP file, apply the display filter http.request as shown in the picture below.

After filtering on http.request, we can see an HTTP POST request carrying a ZIP file.

Part 2 - Follow HTTP Stream

To follow the HTTP stream, right-click on the packet you want to follow, then click
Follow > HTTP Stream, or use the keyboard shortcut CTRL+ALT+SHIFT+H, as
shown in the picture below.

Follow HTTP Stream window:

Scroll all the way down, as the picture below shows.

PK = signature of a ZIP archive (hex 50 4B)
MZ = signature of a Windows application (EXE/DLL) file (hex 4D 5A)

Since we are investigating ZIP files, we are going to look for the PK signature in the Follow
HTTP Stream window.

The picture below of the HTTP stream shows evidence that the HTTP packets are
carrying ZIP files.

You can search in the Find field by typing any keyword. As an example, we will type
filename, as shown in the picture below.

Part 3 - Export objects from HTTP traffic

We can export these objects from the HTTP object list by using the menu path:

File --> Export Objects --> HTTP...

The last file, with the name /, is the ZIP file.

When you click on it, Wireshark will
automatically highlight the packet carrying the ZIP file, as
shown in the picture below.
Save the file on your computer.
Name = (first + last name initials).zip
Example: fr.zip

Part 4 - Download HxD - Freeware Hex Editor and Disk Editor

Step 1: To download the software, click here.

Step 2: Install the software.
Step 3: Open the software and then, as shown in the picture below, click on File and then
Open, or use the keyboard shortcut (CTRL + O).

Go to the location where you saved the file exported from Wireshark, then click Open.

As previously stated, the bytes of a ZIP file always begin with PK.

Look for the PK text, as shown in the pictures below, and delete everything that comes before it.

A pop-up window will appear. Click the OK button.

The decoded text now starts with PK and the hex view starts with 50, as shown in the
picture below.

Click on File, then Save as..., as shown in the picture below.

Save the new file with the .zip extension added at the end, then click Save, as shown in
the picture below.

Go to where you saved the file, then open the ZIP file as shown in the picture below.

The ZIP file (frzip.zip) contains many files, such as a screenshot picture, web cookies,
information about the computer's hardware and system, and more.
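The HxD step above (delete everything before PK, save with a .zip extension, then look at what is inside) can be scripted so that the carved archive is inspected without extracting its members. This is an added example, not part of the lab: the exported object is stood in for by a blob constructed inline (a multipart/form-data preamble wrapped around a tiny in-memory ZIP), and the function names are assumptions.

```python
"""Carve a ZIP archive from an exported HTTP object by cutting at the PK signature."""
import io
import zipfile
from typing import List, Optional, Tuple

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # hex 50 4B 03 04: ZIP local file header
MZ_HEADER = b"MZ"                 # hex 4D 5A: Windows executable stub (not carved here)


def carve_zip(blob: bytes) -> Optional[bytes]:
    """Return the bytes from the first ZIP local file header onward, or None.

    This mirrors the HxD step of deleting everything before "PK".
    """
    start = blob.find(ZIP_LOCAL_HEADER)
    if start == -1:
        return None
    return blob[start:]


def list_zip_members(data: bytes) -> List[Tuple[str, int]]:
    """List (name, uncompressed size) of each member without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if zf.testzip() is not None:          # None means every member's CRC checks out
            raise ValueError("carved archive is corrupt")
        return [(info.filename, info.file_size) for info in zf.infolist()]


def build_sample_blob() -> bytes:
    """Constructed stand-in for an exported POST body: multipart preamble + ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("screenshot.jpg", b"\xff\xd8\xff" + b"\x00" * 32)   # constructed
        zf.writestr("cookies.txt", b"session=constructed-sample\n")     # constructed
        zf.writestr("sysinfo.txt", b"CPU: sample\nRAM: sample\n")       # constructed
    preamble = (                                                        # constructed
        b"--boundary1234\r\n"
        b'Content-Disposition: form-data; name="file"; filename="a.zip"\r\n'
        b"Content-Type: application/octet-stream\r\n\r\n"
    )
    return preamble + buf.getvalue()


if __name__ == "__main__":
    carved = carve_zip(build_sample_blob())
    for name, size in list_zip_members(carved):
        print(f"{name:16s} {size} bytes")
```

A real exported object may also carry a trailing multipart boundary after the archive; ZIP readers locate the central directory from the end of the file, so the prefix is the part that must be removed.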

This concludes this lab.

Please discuss the following questions with your instructor.

LAB SUBMISSION REQUIREMENTS

Please submit a PDF with the following:

1. A screenshot of the snapshot taken once the lab is completed.
2. One to three screenshots demonstrating the configurations that you made
during this lab.
3. Discussion questions with your answers.

DISCUSSION QUESTIONS:

How do you export specific packets from Wireshark?

[type answer name here]

How do you extract data from Wireshark?

[type answer name here]

What is a Wireshark csv File?

[type answer name here]
