Extract File from Smb


Ivan Oudkerk

Apr 25, 2016, 3:35:11 PM
to security-onion
Hello friends, is it possible to extract files in SMB traffic?

thanks!

Wes

Apr 25, 2016, 4:49:22 PM
to security-onion
On Monday, April 25, 2016 at 3:35:11 PM UTC-4, Ivan Oudkerk wrote:
> Hello friends, is it possible to extract files in SMB traffic?
>
> thanks!
Ivan,

Have you considered using NetworkMiner to do this from a PCAP?

http://www.netresec.com/?page=Blog&month=2011-01&post=Analyzing-the-TCPIP-Weapons-School-Sample-Lab

You could also do this via Wireshark:
https://www.blackbytes.info/2012/01/four-ways-to-extract-files-from-pcaps/

Thanks,
Wes

Ivan Oudkerk

Apr 26, 2016, 10:18:32 AM
to security-onion
Hi Wes, thanks for the answer.

Now I am using NetworkMiner, but I want to do this with a script :p

With the event "file_sniff" maybe I can do it.

Ivan Oudkerk

Apr 26, 2016, 2:22:21 PM
to security-onion
file_sniff does not work with SMB.

So I have to use the SMB protocol analyzer.

For the moment I have this.

module FileInspectSmb;

export {
    # NetBIOS/SMB ports the analyzer should be attached to.
    const smbports: set[port] = { 135/tcp, 137/tcp, 138/tcp, 139/tcp, 445/tcp } &redef;
}

event smb_com_write_andx(c: connection, hdr: smb_hdr, data: string)
    {
    print "smb write andx";
    # The data contains the file, but it's a mix of strings and opcodes, so I can't write the data into a file. Is it possible to receive hex instead of plain strings?
    }

thanks!
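An added example that is not Ivan's script and not part of Security Onion or Bro: a Bro script that takes the `smb_com_write_andx` event Ivan is already handling and appends each write payload, as raw bytes, to one output file per connection. Bro strings are byte strings, so the "mix of strings and opcodes" he sees is only how `print` renders binary data; `write_file` stores the bytes unchanged and `bytestring_to_hexstr` gives the hex view he asked about. The analyzer tag name `Analyzer::ANALYZER_SMB`, the output directory, and the port set are assumptions; the event signature is the Bro 2.4-era one from Ivan's post.

```zeek
module FileInspectSmb;

export {
    ## NetBIOS/SMB ports to attach the analyzer to (assumed to match the
    ## poster's set; 139/tcp and 445/tcp carry the actual SMB traffic).
    const smbports: set[port] = { 135/tcp, 137/tcp, 138/tcp, 139/tcp, 445/tcp } &redef;

    ## Directory for the reassembled write payloads (constructed path;
    ## it must exist before Bro starts).
    const extract_dir = "/tmp/smb-extract" &redef;
}

# One open output file per connection, keyed by the connection UID.
global out_files: table[string] of file;

event bro_init()
    {
    # Assumed tag name for the pre-2.5 SMB analyzer; the analyzer is
    # attached explicitly so the write events fire on the ports above.
    Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, smbports);
    }

event smb_com_write_andx(c: connection, hdr: smb_hdr, data: string)
    {
    # `data` already holds the raw payload bytes; it only looks garbled
    # when printed. Append it unchanged to this connection's output file.
    if ( c$uid !in out_files )
        out_files[c$uid] = open_for_append(fmt("%s/%s.bin", extract_dir, c$uid));

    write_file(out_files[c$uid], data);

    # Hex rendering of the first 16 bytes for the console, plus the SMB
    # tree/multiplex ids from the header so writes can be told apart.
    print fmt("%s tid=%d mid=%d wrote %d bytes, head: %s",
              c$uid, hdr$tid, hdr$mid, |data|,
              bytestring_to_hexstr(sub_bytes(data, 1, 16)));
    }

event connection_state_remove(c: connection)
    {
    # Close the output file once the connection is gone.
    if ( c$uid in out_files )
        {
        close(out_files[c$uid]);
        delete out_files[c$uid];
        }
    }
```

Run it with `bro -r capture.pcap file-inspect-smb.bro` against a PCAP and inspect `/tmp/smb-extract/<uid>.bin`. The caveat is that this legacy event exposes only the data chunk, not the file name or the write offset, so concatenating in arrival order reproduces a file faithfully only for sequential writes to a single file on that connection; anything interleaved or written out of order needs the offset, which this event does not carry. Later Zeek releases replaced this analyzer with one that feeds SMB file transfers through the files framework, where `file_sniff` and the EXTRACT file analyzer work as they do for HTTP and FTP.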

Wes

Apr 26, 2016, 2:32:26 PM
to security-onion
Ivan,

If you are trying to do this with Bro, I would recommend reaching out on the Bro mailing list, as I have not had much experience with this. Others on the list may be of further assistance.

http://mailman.icsi.berkeley.edu/mailman/listinfo/bro

Otherwise, you could try the methods described here using other utilities:
https://www.sans.org/reading-room/whitepapers/tools/extracting-files-network-packet-captures-36562

Thanks,
Wes

Ivan Oudkerk

Apr 26, 2016, 3:14:30 PM
to security-onion
Ok!

Thanks Wes, when I have the answer I will publish it here.

Have a good day!