Episode 513 – Extract Windows Executables from Packet Captures, PHP Gmail Badges, Winning the Easter Egg Hunt, and special guest Eighty of DualCore

Eighty of Dual Core comes down to the HakHouse to share with us a technique for extracting Windows executables from packet captures. Darren’s featuring some of the Gmail badge submissions and a walkthrough of the Easter Egg hunt. Plus be sure to stick around as Eighty treats us to a live performance off his upcoming album.

Show Notes

While Matt’s away on business Eighty of Dual Core fills in with an awesome segment on extracting Windows executables from packet captures using tcpxtract.
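The carving tcpxtract does for the segment above comes down to scanning a reassembled TCP stream for a file signature and deciding where the file ends. The following added example (not code from the show or from tcpxtract) does that for Windows executables in Python: it finds `MZ`, confirms the DOS header points at a `PE\0\0` header, and sizes the file from its section table instead of a fixed footer or byte limit. The PE blob and HTTP response it scans are constructed inline for the demonstration.

```python
import struct

def pe_size(buf, off):
    """On-disk size of the PE file whose 'MZ' is at buf[off], or None if the
    bytes there are not a plausible PE (stray 'MZ' hits are common)."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew, = struct.unpack_from("<I", buf, off + 0x3C)
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or buf[pe:pe + 4] != b"PE\x00\x00":
        return None
    n_sections, = struct.unpack_from("<H", buf, pe + 6)   # COFF header
    opt_size, = struct.unpack_from("<H", buf, pe + 20)
    first_sect = pe + 24 + opt_size
    end = e_lfanew + 24 + opt_size + 40 * n_sections      # headers alone
    for i in range(n_sections):                           # 40-byte entries
        s = first_sect + 40 * i
        if s + 40 > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, s + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def carve_pe(stream):
    """Signature-carve PE files out of a reassembled TCP payload."""
    found, pos = [], stream.find(b"MZ")
    while pos != -1:
        size = pe_size(stream, pos)
        if size is not None and pos + size <= len(stream):
            found.append(stream[pos:pos + size])
            pos = stream.find(b"MZ", pos + size)
        else:
            pos = stream.find(b"MZ", pos + 1)
    return found

def build_sample_pe():
    """Constructed, non-runnable PE-shaped blob: DOS header, COFF header
    with an empty optional header, one 16-byte .text section at 0x80."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)       # e_lfanew
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\x00\x00\x00" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x80) + b"\x00" * 16
    return dos + coff + sect + b"\xC3" * 0x10               # 144 bytes total

def sample_stream():
    """Constructed HTTP response with a decoy 'MZ' in a header line."""
    hdr = (b"HTTP/1.1 200 OK\r\nX-Note: MZ is the DOS magic\r\n"
           b"Content-Type: application/octet-stream\r\nContent-Length: 144\r\n\r\n")
    return hdr + build_sample_pe() + b"<html>MZ trailing junk</html>"
```

Feed `carve_pe` the payload of one reassembled TCP stream (for example a follow-stream export from a pcap) and write each returned blob to disk; like any carver it will miss executables sent chunked or compressed, which is the limitation the NetworkMiner comment below raises.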

Darren features some of the Gmail Badges from our recent Code Challenge.

Plus we’ve got a walk-through on winning the Easter Egg Hunt. Only *four* of over 300 submissions completed the puzzle. We’ve learned a bunch of lessons from this first hunt and will be sure to put together an even more in-depth hunt next time.


  • Shikata

    I agree Sparky. Kitties like to keep warm. 😛

    Love the .exe extract. (As the Security Analyst) I used to use Driftnet a lot to get an idea of the productivity of our users. That is until one of our coworkers started looking at porn. Long story short, we use Websense now. 😀

    As a Mac user, I’m assuming you could extract .DMGs with the right signatures. Is this correct?

    Btw Shannon, can you explain your process of putting on a seat belt? I’m quite curious as to why it takes 30 seconds. I think that would be a pretty good segment as well as advertisement for the click-it or ticket campaign.
    …just messing with ya.
    …sort of

  • [3w`Sparky]

    it only takes 30 sec’s to put one on – i wondered what they were talking about !

    joking aside i’m from the UK and almost everyone wears a belt over here. the police have a ramp with a seat, they send you down the ramp and you simulate a crash at 30 mph (with the seatbelt) of course. but i think that helped push the point. myself I always buckle up, I wouldn’t want my friends thinking it was their fault should i die in an accident if I wasn’t wearing a belt.

    Yeah Easter egg hunt was cool. maybe there should be a couple of grades tho

    knewb = me

    semi = me one day

    Pro hacker = would like to be

    not sure how you would regulate it tho ?

    as always tak5 cool show, PS now have the album :o)

  • ioyou

    Nice choice on monitoring your intranet.
    I can’t believe that someone decided to watch erotic videos during lol

    Ya that’s a good idea with the levels. although i got pretty far. I had all the clues just didn’t know that the password for the zip was the code of the last one.

  • Shikata

    I work at an institution (that is not an invite to trace my IP guys) and everyone thinks it’s their “RIGHT” to view what they want on the education network. It gets bad when they start doing it in class and it gets broadcasted to our electronic classrooms that are conferenced in 200+ miles away.

    I was giving you the benefit of the doubt to explain yourself, but if you’re just going to blame on the noobs I would like you to time yourself the next time you put your seat belt on.

    0-2s – You’re ok
    3-5s – You’re getting old
    6-10s – Drunk/Noob
    11-15s – You’re high and can’t figure it out.
    15+ – You are autistic and/or have ADHD (or your name is Shannon)

    Please give us the results. I also welcome anyone to adjust my descriptions to your liking.

  • ioyou

    I would have never thought that they would watch it during class. Although i have lived in Germany and gone to school there, the only time people watch porn is usually during lunch or after school while nobody is around.
    That is what happened at my school since it has a 1gb uplink and everyone in the school who bought a laptop could access the network.

    But the sys admins got smart and decided to implement new Cisco switches which scan the packages.

    so now they have resorted to ssh tunneling to get past the package scanning lol

    German students get resourceful lol.

    You must show us how you can take so long lol

  • Patrick

    If you’re going to be using debug to dump an EXE payload, wouldn’t you be sending it via ASCII in assembly? Then it converts the assembly lang to an exe and it wouldn’t have the binary header you’re referring to. That’s why it’s called a “bypass”, correct? That’s where the 64kb limit comes in — you’re limited to 64kb of plaintext (albeit asm) code. This is just from old memory — been a while for me.

  • choekstr

    Anyone know what tool int80 is talking about when he references “ida” (sp?) sandbox program? I did some google searches but didn’t come up with much. I currently use sandboxie but find it a bit obtrusive to the system and I have had a malware infected keygen break out of it and don’t trust it anymore. An alternative sandbox would be nice to try out.

    Thanks for any insight,

  • Erik

    A tool that is better at extracting files from pcaps is NetworkMiner. NetworkMiner can extract files of all formats, not just jpeg and exe. The secret is that NetworkMiner does deep packet inspection rather than file carving (like tcpxtract). This also makes it possible to extract files from HTTP sessions that use chunked or compressed transfers.

    Another cool thing with NetworkMiner is also that it can be used to sniff the traffic, so no need to sniff with one app and analyze with another anymore.

    Check it out on sourceforge:

  • Darren

    It’s funny you mention this. Stick around for next week’s show. NetworkMiner, as well as a similar fuller-featured application, is shown.

  • Usedtire

    The best you could find was DualCore? That guy programs everything in Visual Basic. 😉

    Now being serious DualCore’s music is awesome and int eighty knows his stuff. He needs to be on the show more often. Great episode. I learned a lot. Now I just need to get int eighty to explain it all to me.

