Post 3: Recreate a Website from a Pcap Capture
January 8, 2019 | In Network Forensics

Recreating a website to see what it looked like is possible from a pcap capture. First find the packets that carry HTTP: filter the capture so that only HTTP is shown, using the display filter 'http'.
Find the packet that carries the website by looking at the Info column, right-click it and select Follow TCP Stream.
A new window pops up showing the HTML code of the selected website, as shown below.
Switch the display to raw data by selecting 'Raw' in the 'Show and save data as' drop-down at the bottom of the window, then save it by clicking 'Save as'.
Go to the location of the saved file and open it in a browser; the website has been successfully recreated.
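One thing the procedure above glosses over: the file written by Follow TCP Stream in Raw mode still contains the HTTP response headers, and if the server used chunked transfer encoding or gzip compression the body is not plain HTML either, so a browser opening the file shows header text or unreadable bytes. The script below is an added example (not code from the original post) that strips the HTTP/1.1 framing from such a file: it handles Content-Length and chunked bodies, undoes gzip/deflate content encoding, and steps over client request bytes in case both directions of the conversation were saved. The SAMPLE_STREAM it ships with is constructed, not a real capture; pass a saved stream file as the first argument to run it on real data.

```python
"""Strip HTTP/1.1 framing from a saved Follow TCP Stream (Raw) file so the
HTML body can be opened in a browser.  Handles Content-Length bodies, chunked
transfer encoding and gzip/deflate content encoding, and skips client request
bytes if the whole conversation (both directions) was saved.
Added example; not code from the original post."""
import gzip
import zlib

def _next_response(stream, pos):
    """Index of the next response start at or after pos, or -1 if none.
    Lets the parser step over request bytes when both directions were saved."""
    if stream.startswith(b"HTTP/", pos):
        return pos
    i = stream.find(b"\r\nHTTP/", pos)
    return -1 if i < 0 else i + 2

def _parse_head(stream, pos):
    """Return (status_line, headers, body_start) for the response at pos.
    Header names are lower-cased so lookups are case-insensitive."""
    end = stream.index(b"\r\n\r\n", pos)
    lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4

def _read_chunked(stream, pos):
    """Decode a chunked body starting at pos; return (body, position after it)."""
    body = bytearray()
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:  # last chunk: skip optional trailers up to the blank line
            while True:
                line_end = stream.index(b"\r\n", pos)
                blank = line_end == pos
                pos = line_end + 2
                if blank:
                    return bytes(body), pos
        body += stream[pos:pos + size]
        pos += size + 2  # each chunk is followed by CRLF

def _decode_content(body, encoding):
    """Undo Content-Encoding so the saved file is readable HTML, not gzip bytes."""
    enc = encoding.lower()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)
        except zlib.error:  # some servers send raw deflate without the zlib header
            return zlib.decompress(body, -zlib.MAX_WBITS)
    return body

def split_responses(stream):
    """Return [(status_line, headers, decoded_body), ...] for every HTTP
    response in the saved stream, in order."""
    out, pos = [], 0
    while True:
        pos = _next_response(stream, pos)
        if pos < 0:
            break
        status, headers, pos = _parse_head(stream, pos)
        if "chunked" in headers.get("transfer-encoding", "").lower():
            body, pos = _read_chunked(stream, pos)
        elif "content-length" in headers:
            n = int(headers["content-length"])
            body, pos = stream[pos:pos + n], pos + n
        else:  # no framing: body runs until the connection closed
            body, pos = stream[pos:], len(stream)
        out.append((status, headers, _decode_content(body, headers.get("content-encoding", ""))))
    return out

def html_bodies(stream):
    """Just the decoded bodies whose Content-Type is text/html."""
    return [body for _, h, body in split_responses(stream)
            if h.get("content-type", "").lower().startswith("text/html")]

# Constructed sample (not a real capture): what Follow TCP Stream -> Raw ->
# Save as would write for one keep-alive connection with both directions kept.
# A request, a chunked HTML response, a second request, a gzip'd stylesheet.
_CSS = gzip.compress(b"body { color: black; }")
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"17\r\n<html><body><h1>Hi</h1>\r\n"
    b"e\r\n</body></html>\r\n"
    b"0\r\n\r\n"
    b"GET /style.css HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/css\r\n"
    b"Content-Encoding: gzip\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_CSS)
    + _CSS
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    for i, body in enumerate(html_bodies(data)):
        with open(f"page{i}.html", "wb") as f:
            f.write(body)
        print(f"wrote {len(body)} bytes to page{i}.html")
```

Each text/html response becomes its own page file; a page whose images and stylesheets were fetched over the same connection can be recovered by dropping the text/html filter in `html_bodies` and writing every body out under the path named in the preceding request.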
Post 2: Common Ports and Protocols
January 2, 2019 | In Network Forensics

In programming, a port is a way for a client program to address a specific program on a computer in a network, using TCP/IP. Port numbers are assigned by the Internet Assigned Numbers Authority (IANA). When a server starts, it automatically binds to its assigned port number. Port numbers range from 0 to 65535. Well-known ports run from port number 1 to port number 1024. Well-known ports are used by application endpoints to communicate over TCP and UDP on the internet. In network forensics, well-known ports are very important for identifying which protocol is used in the network traffic, and for analyzing whether that protocol has vulnerabilities.
Here is the list of well-known ports that investigators should memorize.
20(UDP) = FTP data
21(TCP/UDP) = FTP
22 = SSH
23(TCP) = Telnet
25(TCP) = SMTP
80(TCP) = HTTP
110(TCP) = POP3
143(TCP) = IMAP
443(TCP) = HTTPS
389(TCP) = LDAP
3306(TCP) = MySQL
5432(TCP) = PostgreSQL
995(TCP) = IMAPS
993(TCP) = POP3S
564(TCP) = SMTP over SSL
587(TCP) = SMTP over TLS
123(UDP) = NTP
113(TCP) = identd
69(UDP) = TFTP
3128(TCP) = HTTP proxy
8080(TCP) = HTTP proxy
3389(TCP) = Remote desktop
5901(TCP) = VNC
6660-7002(TCP) = IRC
Source:
- https://searchnetworking.techtarget.com/definition/well-known-port-numbers
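A port number tells an investigator which protocol to expect on a flow, not which protocol is actually there; traffic tunnelled over 443 or 80 to blend in is the classic case. The script below is an added example, not code from the original post: it parses a classic (non-pcapng) pcap with only the standard library, tallies destination ports against a subset of the list above, and flags packets whose first payload bytes do not look like the service expected on that port. The WELL_KNOWN table and the `looks_like` heuristics are this example's own assumptions, and the SAMPLE_PCAP is constructed in the script (no checksums, one packet per flow). Pass a pcap path as the first argument to run it on a real capture.

```python
"""Tally TCP/UDP destination ports in a pcap and flag packets whose payload
does not look like the service IANA assigns to that port.  Pure standard
library.  Added example; not code from the original post."""
import struct
from collections import Counter

# (transport, port) -> service: a subset of the post's list (RDP = Remote desktop).
WELL_KNOWN = {
    ("tcp", 21): "FTP", ("tcp", 22): "SSH", ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP", ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
    ("tcp", 3389): "RDP", ("udp", 69): "TFTP", ("udp", 123): "NTP",
}

def looks_like(service, payload):
    """First-bytes check for a few services: True/False, or None when there is
    no check for the service or the segment carries no data.  A False is a
    lead to inspect the flow, not proof of anything by itself."""
    if not payload:
        return None
    if service == "HTTP":
        return payload.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                                             b"OPTIONS", b"HTTP/1.1", b"HTTP/1.0"}
    if service == "HTTPS":  # TLS record header: content type 0x14-0x17, version 0x03xx
        return len(payload) > 1 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03
    if service == "SSH":
        return payload.startswith(b"SSH-")
    return None

def packets(pcap):
    """Yield each captured frame from a classic pcap file (not pcapng)."""
    magic, = struct.unpack_from("<I", pcap)
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    pos = 24  # skip the global header
    while pos + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, pos)
        pos += 16
        yield pcap[pos:pos + incl_len]
        pos += incl_len

def decode(frame):
    """Return (transport, sport, dport, payload) for an Ethernet/IPv4 TCP or UDP
    frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    end = 14 + struct.unpack_from("!H", frame, 16)[0]  # IPv4 total length bounds the payload
    l4 = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, l4)
    if frame[23] == 6:   # TCP: header length from the data-offset nibble
        return "tcp", sport, dport, frame[l4 + (frame[l4 + 12] >> 4) * 4:end]
    if frame[23] == 17:  # UDP: fixed 8-byte header
        return "udp", sport, dport, frame[l4 + 8:end]
    return None

def analyze(pcap):
    """Count (transport, dport) pairs and collect port/payload mismatches."""
    counts, mismatches = Counter(), []
    for frame in packets(pcap):
        d = decode(frame)
        if d is None:
            continue
        transport, sport, dport, payload = d
        counts[(transport, dport)] += 1
        service = WELL_KNOWN.get((transport, dport))
        if service and looks_like(service, payload) is False:
            mismatches.append((transport, sport, dport, service, payload[:16]))
    return counts, mismatches

# --- constructed sample capture (no checksums; enough for the parser above) ---
def _frame(transport, sport, dport, payload):
    if transport == "tcp":
        l4, proto = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0), 6
    else:
        l4, proto = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0), 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload

def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([
    _frame("tcp", 51000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    _frame("tcp", 51001, 443, b"\x16\x03\x01\x00\x05hello"),
    _frame("tcp", 51002, 22, b"SSH-2.0-OpenSSH\r\n"),
    _frame("udp", 51003, 123, b"\x23" + b"\x00" * 47),
    _frame("tcp", 51004, 443, b"SSH-2.0-notTLS\r\n"),  # SSH carried on the HTTPS port
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    counts, mismatches = analyze(data)
    for (transport, port), n in counts.most_common():
        print(f"{transport}/{port:<5} {n:>4}  {WELL_KNOWN.get((transport, port), '?')}")
    for transport, sport, dport, service, head in mismatches:
        print(f"check {transport} {sport}->{dport}: expected {service}, payload starts {head!r}")
```

The port tally gives the protocol mix the post describes; the mismatch list is where to start when a well-known port carries something other than its protocol, which the port number alone would never reveal.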