
Network World

Jimmy Ray Purser

Safe HEX

By JimmyRay on Wed, 04/15/09 - 12:21pm.

I was mainly raised by my Grandmother as a punk kid growing up in the hills of Tennessee. Of course she had a ton of catchy sayings that probably would have made her a bumper sticker or refrigerator magnet millionaire. One of my favs is: "Knowledge is no good unless it is shared." I have tried to live my life as close to that as possible. I teach an Internet Safety class to parents to help them not be afraid of the Internet and of their kids using it. One of the Dudes came up to me and asked if it is possible to see what images his employees are actually looking at online. Possible? Sure, but you have to enjoy hex. He thought I was a perv and ran out of there faster than crap through a goose.

In forensic terms we always go back to the hex. And no, I am not going to do any cheesy Hex/Sex double entendres like a goober newscaster, I PROMISE! Hex is the key to data reassembly: you rebuild the file from the raw bytes on the wire, exactly the way the receiving software's decoder does. The trick is getting in the middle of that transmission to intercept the stream without breaking the flow from source to destination. That gives me a few options:
- ARP spoofing man-in-the-middle (good for old school and on paper)
- SPAN port/TAP
- Install WinPcap, a Netcat listener and a lightweight sniffer like WinDump on the target machine (tcpdump on a Linux target).
Each of these options depends on my having control of the relevant part of the network. Certainly the most complicated of the three is the third one, since it requires either physical access or skulduggery to trick a client into downloading a trojan, and evidence gathered that way very rarely holds up in Federal Court. Trust me on that one; I am still looking for a piece of my tail in one such case...

I am positive there are as many ways to recover a graphic out of a hex stream as there are to make good chili. This is how I normally do it. Let's use a JPEG for reference, but this could easily apply to GIFs, BMPs, etc...
- Activate my preferred intercept method. For me, that is a passive TAP connected to a modified wireless travel router velcroed to the bottom of a desk. A hub would also work IF it is a TRUE hub and lightweight and small. Most are not.
- I fire up Wireshark to look at the traffic from the target. Typically I do not want all of the other stuff on the Ether, so I write an HTTP capture filter: tcp[0:2]==80. In BPF terms this reads the two bytes starting at offset 0 of the TCP header, which is the source port field, so it keeps only packets whose TCP source port is 80: the web server's replies, which is where the image bytes are (it is the same as the filter tcp src port 80). Be aware that it drops the client's half of the conversation; if you also want to see the GET requests, use tcp port 80, which matches either port. This is a capture filter (BPF syntax), not a display filter; the display-filter equivalent is tcp.port == 80.
- Typically I can see an HTTP GET request fetching a JPEG file, but it really depends on how fast the stream is scrolling-n-rolling.
- After I capture the data needed, I use one of the coolest features in Wireshark: Follow TCP Stream. To make it simple, I search for an HTTP GET where a graphic was fetched. It should display something like: GET /somegraphic.jpg HTTP/1.1
Now I right-click on this frame and select: Follow TCP Stream
- This will open up another window with the actual stream itself. Now I just select the radio button at the bottom that states: Raw. Hey, kinda like WWE Raw on Monday night! Any wrestling fans in the house? Make sure the direction you have selected includes the server's side of the conversation, since that is where the image travels, then select: Save As and give it an easy-to-remember file name.
- I need to go to my hex editor and strip away all of the HTTP headers and the mess that goes along with them to get to the good stuff. Personally, I like the editor Neo Pro from the folks at HHD Software: http://www.hhdsoftware.com/Family/hex-editor.html (they also have a free version that works great and can do this operation as well). I also give high props to XVI32, which is another cool hex editor, at http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm I use the pro version of Neo for other forensic stuff I need to do, but I'll save that for another blog.
- I am looking for either the hex string FFD8FFE000104A464946 or the ASCII string ÿØÿà..JFIF. The majority of the time you will see the ASCII string first. This indicates the START of the JPEG file: FFD8 is the Start Of Image marker, FFE0 opens the APP0 segment, 0010 is that segment's length, and 4A464946 spells "JFIF". Not every JPEG carries the JFIF segment, though; camera images usually start FFD8FFE1 followed by "Exif" instead, so searching for the shorter FFD8FF is the safer habit. The hex FFD9 (End Of Image) indicates the end of a JPEG, with one caveat: an Exif header often embeds a thumbnail that is itself a tiny JPEG with its own FFD8...FFD9, so the first FFD9 you hit may belong to the thumbnail; the real end is the FFD9 that follows the compressed scan data. Two more things that corrupt a hand cut: if the response used Transfer-Encoding: chunked, short hex chunk-size lines are sprinkled through the image data and have to come out too, and on a keep-alive connection the same stream can carry several objects, in which case the Content-Length header of the response tells you exactly how many bytes the object occupies. Now I just highlight all of the crap before the start of the JPEG and delete it. Now I am left with the actual raw JPEG itself, and I save it under another name.
- I open up this newly saved file in my web browser and, would you look at that, there's the graphic! (Wireshark can also pull the object out for you via File > Export > Objects > HTTP, but doing it by hand is how you learn what the decoder actually sees.)
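The carving procedure above, as an added worked example (this is not code from the original post, from Wireshark or from any of the hex editors mentioned): a small Python script that does the hex-editor steps programmatically and handles the cases that break a hand cut. It assumes the input is the file written by Follow TCP Stream with Raw selected (the server's side only, or the whole conversation). The HTTP messages, image bytes, host name and output file names in it are constructed for the demo and are not from a real capture.

```python
"""Added example (not code from the original post): carve JPEGs out of a raw TCP stream saved
with Wireshark's Follow TCP Stream -> Raw -> Save As. It automates the hex-editor steps (skip the
headers, find FFD8, find the matching FFD9) and handles keep-alive, chunked and Exif-thumbnail cases."""
import re
import sys
SOI, EOI = b"\xff\xd8", b"\xff\xd9"                    # JPEG start / end of image markers
REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n")

def parse_headers(raw: bytes) -> dict:                  # header block (first line included) -> dict
    headers = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def dechunk(data: bytes) -> tuple[bytes, int]:
    """Undo chunked transfer encoding; returns (body, bytes consumed)."""
    out, pos = bytearray(), 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("truncated chunked body")
        size = int(data[pos:nl].split(b";")[0], 16)    # chunk-size [;extensions]
        if size == 0:                                   # last-chunk "0\r\n\r\n" (no trailers assumed)
            return bytes(out), nl + 4
        out += data[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2                         # chunk data plus its CRLF

def jpeg_length(data: bytes, start: int = 0):
    """Walk the JPEG's marker segments from `start`; return its length through EOI, or None if
    malformed/truncated. Unlike grabbing the first FFD9, this steps over an Exif thumbnail."""
    if data[start:start + 2] != SOI:
        return None
    pos = start + 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI
            return pos + 2 - start
        if marker == 0xDA:                              # SOS: in the entropy-coded data that follows,
            end = data.find(EOI, pos + 2)               # FF is only ever followed by 00 or D0-D7,
            return None if end < 0 else end + 2 - start  # so the next FFD9 is the real EOI
        if marker == 0xFF:                              # fill byte
            pos += 1
        elif pos + 4 <= len(data):                      # any other segment: 2-byte self-inclusive length
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        else:
            return None

def carve_jpegs(stream: bytes) -> list[bytes]:
    """Carve every JPEG out of a saved HTTP/1.x TCP stream (one direction or both)."""
    images, pos = [], 0
    while pos < len(stream):
        is_response = stream.startswith(b"HTTP/1.", pos)
        if not is_response and not REQUEST_LINE.match(stream, pos):
            soi = stream.find(SOI, pos)                 # not an HTTP message (headers already cut
            n = jpeg_length(stream, soi) if soi >= 0 else None   # by hand?): raw marker scan
            if n:
                images.append(stream[soi:soi + n])
            pos = soi + (n or 2) if soi >= 0 else len(stream)
            continue
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break
        headers, body_start = parse_headers(stream[pos:hdr_end]), hdr_end + 4
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, used = dechunk(stream[body_start:])
        elif "content-length" in headers:
            used = int(headers["content-length"])
            body = stream[body_start:body_start + used]
        else:                                           # no length: a response runs to close, a GET has no body
            used = len(stream) - body_start if is_response else 0
            body = stream[body_start:body_start + used]
        pos = body_start + used
        if n := jpeg_length(body):
            images.append(body[:n])
    return images

def build_sample_jpeg(with_thumbnail: bool = False) -> bytes:   # constructed, structurally valid, not viewable
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1\x00\x0cExif\x00\x00" + SOI + EOI   # Exif APP1 holding a nested thumbnail
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"                # entropy data with a stuffed FF00 and an RST0
    return SOI + app0 + (app1 if with_thumbnail else b"") + sos + scan + EOI

def build_sample_stream() -> bytes:
    """Constructed keep-alive conversation: two GETs and their responses, the second one chunked."""
    img1, img2 = build_sample_jpeg(), build_sample_jpeg(with_thumbnail=True)
    get = lambda path: f"GET {path} HTTP/1.1\r\nHost: www.example.com\r\n\r\n".encode()
    resp1 = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n" + f"Content-Length: {len(img1)}\r\n\r\n".encode() + img1
    chunks = b"".join(f"{len(c):x}\r\n".encode() + c + b"\r\n" for c in (img2[:7], img2[7:]))
    resp2 = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nTransfer-Encoding: chunked\r\n\r\n" + chunks + b"0\r\n\r\n"
    return get("/a.jpg") + resp1 + get("/b.jpg") + resp2

if __name__ == "__main__":                               # usage: carve.py [follow_stream.raw]
    stream = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    for i, img in enumerate(carve_jpegs(stream)):
        open(f"carved_{i}.jpg", "wb").write(img)        # output names are for the demo
```

Run it with no arguments to carve the built-in sample, or pass the path of a saved raw stream. It walks the JPEG the way a decoder does, segment by segment, which is why the nested thumbnail's FFD9 does not fool it, and it uses Content-Length or the chunk framing for the object boundary whenever the HTTP headers are still present; only when they have already been cut away does it fall back to scanning for the markers the way the hex-editor method does.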

It is important to understand how to reassemble and manipulate data in a hex editor. Communication MUST play by certain rules on the wire, and we can use those rules to our advantage to uncover the hidden network all around us. I will be discussing more about this in upcoming blogs.

Jimmy Ray Purser

Trivia File Transfer Protocol
If you are looking to get into movies, think twice if you get offered a part in the movie "The Incomparable Atuk". All the leading Dudes offered the role have died. Sam Kinison, John Belushi, Chris Farley and John Candy were offered the role. Heck, Farley just showed the script to Phil Hartman and he was murdered that same year.

on wireshark and hex editors


Wireshark supports normal BPF filters, so simply "tcp and src port 80" will do the same thing as your tcp offset syntax (and is slightly more readable).

For hex editors, the best out there is UltraEdit (for Win32). Though it's not free software, I used it for years back when I was on Windows a lot more often. (Now I use gvim and some plugins, but it all sucks compared to UltraEdit). The 010 editor is also popular (again, Windows only), and probably more useful for the kind of tasks you're describing here -- namely, creating binary templates with offsets into data.

Anyway, just so's you know.

Very cool!


Awesome!!! Thank you for the post!

Try pcapr for stream reassembly


Have you tried http://www.pcapr.net? It lets you reassemble streams and look at images in the browser with a couple of clicks.
http://www.pcapr.net/browse?q=ecard-for-packet-geeks

PCAPR


I have used PCAPR and still do! I even follow them on Twitter as well. PCAPR is a fantastic site for tons of packet captures. But I must admit I have only used it as a repository and not really as a tool. I will take a look at this. Although, it is really hard to beat the rush of decoding the hex!

Thank you for the recommendation

Jimmy Ray

Hi Jimmy, Thanks for your


Hi Jimmy,
Thanks for your blog! Reading it for half a year, but commenting here for the first time.

The simplest way to see the web content your users are transferring is, in my view, setting up a (transparent) proxy and surfing through the cache.

As for hex editors, my personal choice for 'patching' software and looking for structures in data files is HIEW (http://www.hiew.ru/). I bet you'll love it.

Quick Fix


After saving out the raw data to a file, you can just point bitmaprip at the dump and it will extract GIFs, PNGs, JPEGs, etc. IF you don't want to wade through the hex.

http://mark0.net/soft-bitmaprip-e.html

Tom

About Networking Geek to Geek

Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.

Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a master of science degree in electrical engineering.