File Extraction
Extract transferred files and save them to disk
Introduction
Various protocols allow transferring files (e.g: HTTP, POP3) and some are made for the sole purpose of transferring files (FTP, SMB etc).
From a network security monitoring perspective, transferred files are interesting because they can contain malicious software or prohibited content.
Netcap extracts files from HTTP and saves them to disk, for both HTTP responses and HTTP requests.
It uses the File audit record type to model the extracted information.
Future versions will add file extraction support for other protocols as well.
File Audit Records
The audit record definition for a file looks like this:
As can be seen, the content type indicated by the HTTP header is included, as well as the content type that was detected. In addition, the source of the File is specified (e.g: from HTTP, Mail attachment etc), as well the identifier of the connection where it originated from.
The Hash field currently holds an MD5 hash of the file, Location points to the path on disk where the file is stored.
This will likely be replaced with a stronger hash function in the future.
Usage
To enable file capture, set the -fileStorage flag and supply a path to store the files to (will be created if it does not exist):
After capturing, lets inspect the directory contents:
As you can see, files are sorted by their MIME types retrieved from classifying them using the go standard library and named after the TCP connection they originated from.
By default, only complete requests and responses are captured, if you also want to extract incomplete data, use the -writeincomplete flag:
Dumping a File on the commandline looks like this:
For properly exploring files for each host I recommend using the Maltego Integration:
Maltego IntegrationLast updated