Intercepting Files with tcpdump

It is entirely possible to intercept files crossing a network, at the very least unencrypted ones. Encrypted traffic can be captured just as easily; the capture is only useful, however, if you also hold the key that protects it (a session key or private key recovered from one of the endpoints, say). Knowing which cipher was used does not, on its own, let you read the data.

This is a handy technique for any responsible admin, and of course the tool of choice for the attacker. It is the network admin's job to watch out for odd files and identify them, just as it is the cracker's aim to surreptitiously wait for a *given* type of information, intercept it, log it and read it.

It’s as simple as

tcpdump -i eth1 -s0 -w rawdump host picard

Packets will of course often arrive at the interface out of order, or duplicated. There is also the problem of packets from one file transfer arriving intermixed with packets from another connection. Many other things make files hard to find in a raw capture, so I use tcpflow to reassemble each TCP connection into an ordered stream.

tcpflow -r ../rawdump

tcpflow writes one file per TCP connection (one per direction) into the current directory, which is why the command above is run from an empty working directory with the capture one level up. To hand the carver a single stream instead of many small files, concatenate every flow file with find, writing the result outside the flow directory so that find does not pick up the growing output file itself:

find ./ -type f -exec cat '{}' \; > ../dump

Now that everything is nicely ordered together, just run foremost on the dump and wait for it to carve out the files it recognises by their header and footer signatures. I could have run foremost on the rawdump file directly, but every carved file would then be interrupted every packet or so by pcap, Ethernet, IP and TCP headers, and by data from other connections, which results in incomplete and corrupted output.
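The complete capture, reassemble, concatenate and carve pipeline as one POSIX shell script. This is an added example, not a script from the original article or from debian-administration; the interface, host filter and working directory are assumed to be passed as arguments, and tcpflow's `-o` output directory and foremost's `-i`/`-o` options are used instead of changing directory by hand.

```shell
#!/bin/sh
# Added example: capture -> tcpflow -> find/cat -> foremost pipeline.
# Usage: intercept.sh <iface> <host> <workdir>    (tcpdump needs root)
set -eu

# Abort early if a required tool is not in PATH.
need_tool() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }
}

# Capture full packets (-s0, no truncation) to/from $2 on interface $1 into $3.
# Stop it with Ctrl-C, or add -c <count> for an unattended run.
capture() {  # iface host pcap
    tcpdump -i "$1" -s0 -w "$3" host "$2"
}

# Reassemble every TCP connection in $1 into one ordered file per flow under $2.
# (-o is tcpflow's output directory; the default is the current directory.)
reassemble() {  # pcap flowdir
    mkdir -p "$2"
    tcpflow -r "$1" -o "$2"
}

# Concatenate all regular flow files in $1 into $2. The output file must live
# outside $1, or find would feed the growing dump back into cat; -type f skips
# directories and tcpflow's report.xml (written by newer versions) is left out.
concat_flows() {  # flowdir out
    find "$1" -type f ! -name 'report.xml' -exec cat '{}' \; > "$2"
}

# Carve files out of the reassembled stream $1 into directory $2 (must be new/empty).
carve() {  # dump outdir
    foremost -i "$1" -o "$2"
}

main() {  # iface host workdir
    for t in tcpdump tcpflow foremost; do need_tool "$t"; done
    mkdir -p "$3"
    capture "$1" "$2" "$3/rawdump"
    reassemble "$3/rawdump" "$3/flows"
    concat_flows "$3/flows" "$3/dump"
    carve "$3/dump" "$3/carved"
    ls -R "$3/carved"
}

# Only run the pipeline when invoked with its three arguments.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Each stage is a function so the expensive capture can be skipped on a second run (call `reassemble` and onwards against an existing rawdump). foremost refuses to write into a non-empty output directory, so pick a fresh workdir per capture.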

Any suggestions or improvements are welcome!

Wouldn’t it be nice to make a nice little shell script out of this? Oh the joys…

Original Article Source: http://www.debian-administration.org
Many thanks to thomasl of debian-administration for this article!
