Post 3: Recreate a Website from a Pcap Capture

January 8, 2019 | In Network Forensics

Recreating a website from a pcap capture, so that you can see what it looked like, is possible. First find the packets that carry HTTP: apply the display filter ‘http’ so that only HTTP packets are shown.

Find the packet that carries the website by checking its Info column, then right-click it and select Follow TCP Stream.

A new window pops up showing the HTML code of the selected website, as shown below.

Switch the view to raw data by selecting ‘Raw’ in the ‘Show and save data as’ control at the bottom of the window, then save it by clicking ‘Save as’.

Go to the location of the saved file and open it in a browser; you will see that the website has been successfully recreated.
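What the Follow TCP Stream and Save as steps do, as an added Python example that is not part of the original post: it reassembles the server's TCP segments by sequence number (dropping a retransmission and flagging a gap), then separates the HTTP response headers from the HTML body before writing the file, since the raw stream saved from the window still contains those headers. The segments, addresses and file name are constructed for the example.

```python
# Constructed sample capture (not from the original post): the TCP segments of one HTTP/1.1
# exchange, with the server's segments out of order and one retransmitted. Addresses are
# hypothetical. Tuple fields: (src_ip, src_port, dst_ip, dst_port, seq, payload).
SEGMENTS = [
    ("10.0.0.9", 51000, "10.0.0.5", 80, 1, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.5", 80, "10.0.0.9", 51000, 1099, b"</body></html>"),
    ("10.0.0.5", 80, "10.0.0.9", 51000, 1000,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 49\r\n\r\n"),
    ("10.0.0.5", 80, "10.0.0.9", 51000, 1064, b"<html><body><h1>Recovered page</h1>"),
    ("10.0.0.5", 80, "10.0.0.9", 51000, 1064, b"<html><body><h1>Recovered page</h1>"),  # retransmit
]

def follow_tcp_stream(segments, client, server):
    """Reassemble the server->client half of a conversation, as 'Follow TCP Stream' does:
    segments are ordered by sequence number and retransmitted bytes are dropped."""
    by_seq = {}
    for src, sport, dst, dport, seq, payload in segments:
        if (src, sport) == server and (dst, dport) == client:
            by_seq.setdefault(seq, payload)  # keep the first copy of a retransmitted segment
    stream, expected = bytearray(), None
    for seq in sorted(by_seq):
        data = by_seq[seq]
        if expected is not None and seq < expected:    # partial overlap: skip bytes already seen
            data = data[expected - seq:]
        elif expected is not None and seq > expected:
            raise ValueError(f"gap at seq {expected}: capture is incomplete")
        stream += data
        expected = seq + len(by_seq[seq])
    return bytes(stream)

def extract_http_body(raw):
    """Split an HTTP/1.x response into (status line, headers, body). Saving the raw stream
    as the post does keeps the headers in the file; a browser shows them as plain text."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found: not a complete HTTP response")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:])}
    length = int(headers.get("content-length", len(body)))
    if len(body) < length:
        raise ValueError(f"body truncated: {len(body)} of {length} bytes captured")
    return lines[0], headers, body[:length]

def recover_page(segments, client, server, path=None):
    """Return (status, headers, html); if path is given, write the HTML so it opens in a browser."""
    status, headers, body = extract_http_body(follow_tcp_stream(segments, client, server))
    if path:
        with open(path, "wb") as f:
            f.write(body)
    return status, headers, body
```

Call `recover_page(SEGMENTS, ("10.0.0.9", 51000), ("10.0.0.5", 80), "recovered.html")` to write the page; in a real investigation the segments would come from the capture file instead of the constructed list.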

Post 2: Common Ports and Protocols

January 2, 2019 | In Network Forensics

In programming, a port is the way a client program addresses a specific program on a computer in a network, using TCP/IP. Port numbers are assigned by the Internet Assigned Numbers Authority (IANA). When a server starts, it automatically binds to its assigned port number. Port numbers range from 0 to 65535. Well-known ports start at port number 1 and run to port number 1024. Well-known ports carry communication between application endpoints over the Internet's TCP and UDP transports. In network forensics, well-known ports are very important for identifying which protocol is used in the network traffic and for analyzing whether that protocol has vulnerabilities.

Here is the list of well-known ports that investigators should memorize.

20 (UDP) = FTP data
21 (TCP/UDP) = FTP
22 = SSH
23 (TCP) = Telnet
25 (TCP) = SMTP
69 (UDP) = TFTP
80 (TCP) = HTTP
110 (TCP) = POP3
113 (TCP) = identd
123 (UDP) = NTP
143 (TCP) = IMAP
389 (TCP) = LDAP
443 (TCP) = HTTPS
564 (TCP) = SMTP over SSL
587 (TCP) = SMTP over TLS
993 (TCP) = POP3S
995 (TCP) = IMAPS
3128 (TCP) = HTTP proxy
3306 (TCP) = MySQL
3389 (TCP) = Remote Desktop
5432 (TCP) = PostgreSQL
5901 (TCP) = VNC
6660-7002 (TCP) = IRC

Source:

  • https://searchnetworking.techtarget.com/definition/well-known-port-numbers