1. Filter Wireshark for the FTP packets.
2. If you already know the format of the file you are looking for, great; if not, find the packet that says “Transfer OK” or “Transfer Complete” and work backwards from it to find the file’s name and format.
3. Google the format’s file signature (e.g. “PPTX file signature”). Then, in Wireshark, press CTRL+F and search for the hex value of that signature.
4. Right-click the matching packet and choose Follow > TCP Stream.
5. Once the stream is loaded, set “Show and save data as” to “Raw” and click Save as… to write the file out.
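The same five steps, scripted, as an added example that is not part of the original walkthrough: a standard-library Python script that parses a classic pcap, reassembles each TCP direction by sequence number (Wireshark’s Follow > TCP Stream), reads the transferred filename from the FTP control channel by working back from the “226 Transfer complete” reply, and cuts the data channel at the format’s file signature. The capture, the hosts 10.0.0.1/10.0.0.2 and the filename secret.pptx are all constructed inline so the script runs offline; it assumes Ethernet/IPv4/TCP framing, a non-pcapng capture, and no overlapping retransmissions.

```python
# Added example: carve an FTP-transferred file out of a pcap with the standard library only.
import struct

# Well-known file signatures (magic bytes) keyed by extension.
SIGNATURES = {
    "pptx": b"PK\x03\x04",          # PPTX/DOCX/XLSX are ZIP containers
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF",
}

def parse_pcap(data):
    """Return the link-layer frames of a classic (non-pcapng) pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    offset, frames = 24, []                       # global header is 24 bytes
    while offset + 16 <= len(data):               # each record header is 16 bytes
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frames.append(data[offset:offset + incl_len])
        offset += incl_len
    return frames

def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                               # not IPv4, or not TCP (protocol 6)
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[data_off:]

def reassemble(frames):
    """Follow TCP Stream: join each direction's payloads in sequence-number order."""
    streams = {}
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed and parsed[5]:
            src, sport, dst, dport, seq, payload = parsed
            streams.setdefault((src, sport, dst, dport), []).append((seq, payload))
    return {key: b"".join(p for _, p in sorted(chunks)) for key, chunks in streams.items()}

def transferred_filename(frames):
    """Step 2: the RETR/STOR argument that precedes the '226 Transfer complete' reply."""
    last_cmd = None
    for frame in frames:
        parsed = parse_tcp(frame)
        if not parsed or 21 not in (parsed[1], parsed[3]) or not parsed[5]:
            continue                              # only the FTP control channel
        line = parsed[5].decode("ascii", "replace").strip()
        if line.upper().startswith(("RETR ", "STOR ")):
            last_cmd = line.split(" ", 1)[1]
        elif line.startswith("226"):
            return last_cmd
    return None

def carve(stream, signature):
    """Steps 3-5: keep everything from the first occurrence of the magic bytes onward."""
    idx = stream.find(signature)
    return None if idx < 0 else stream[idx:]

def carve_from_pcap(pcap_bytes):
    """Tie the steps together; returns (filename, carved bytes or None)."""
    frames = parse_pcap(pcap_bytes)
    name = transferred_filename(frames)
    if not name:
        return None, None
    signature = SIGNATURES.get(name.rsplit(".", 1)[-1].lower())
    for (src, sport, dst, dport), data in reassemble(frames).items():
        if signature and 21 not in (sport, dport):    # skip the control channel
            found = carve(data, signature)
            if found:
                return name, found
    return name, None

# --- constructed sample capture (hypothetical hosts, not a real transfer) ---
def _frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip        # zeroed MACs, EtherType IPv4

def _pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)

PART1, PART2 = b"PK\x03\x04\x14\x00", b"[Content_Types].xml"
SAMPLE_PCAP = _pcap([
    _frame("10.0.0.1", 40001, "10.0.0.2", 21, 1, b"RETR secret.pptx\r\n"),
    _frame("10.0.0.2", 20, "10.0.0.1", 40002, 1000 + len(PART1), PART2),   # captured first
    _frame("10.0.0.2", 20, "10.0.0.1", 40002, 1000, PART1),                # out of order
    _frame("10.0.0.2", 21, "10.0.0.1", 40001, 1, b"226 Transfer complete.\r\n"),
])

if __name__ == "__main__":
    name, data = carve_from_pcap(SAMPLE_PCAP)
    print(name, len(data), data[:4])              # secret.pptx 25 b'PK\x03\x04'
```

The data-channel segments are deliberately captured out of order so that the reassembly step matters: searching the raw packet bytes for `PK\x03\x04` would still find the signature, but saving from the wrong packet onward would produce a corrupt file, which is why the manual procedure follows the whole stream before saving as Raw.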

The video below uses Capture the Packet’s scenario 1 | Insider Threat | Obfuscation. This is a private video. It starts at Step 3 and continues on to find the secret message and decode it.


Full video of my thought process/research for this walkthrough below.

All tasks/questions and answers beneath the video.

Format:

Question

Answer

Tasks 1–6

No answers needed

Task 7

When did the scan start in Case 001?

Feb 28, 00:04:46

When did the scan end in Case 001?

Feb 28, 00:21:02

How many ports are open in Case 001?

3

How many total vulnerabilities were found in Case 001?

5

What is the highest severity vulnerability found? (MSxx-xxx)

MS17-010

What is the first affected OS to this vulnerability?

Microsoft Windows 10 x32/x64 Edition

What is the recommended vulnerability detection method?

Send the crafted SMB transaction request with fid = 0 and check the response to confirm the vulnerability.
