Well, it appears to be easy, but it wasn't for me 🙂
Here is how the capture result looks in Wireshark:
If you Google “Content-Encoding: gzip decode”, you get a list of solutions, none of which worked for me 🙂 But I had to be sure it was the RedKit Exploit Kit payload page!
OK, let's see what we can do.
If you have seen the previous screen, I assume you are already in Wireshark. Right-click the packet and choose Follow TCP Stream.
Now we need only the response: in the drop-down at the bottom of the dialog, instead of Entire conversation, choose [Remote IP]:[port] to [Local IP]:[port], i.e. the server-to-client direction only.
Then press the Save As button and save it as sample.gz. (If you're not sure why .gz: it is the default extension for gzip archives 🙂)
If you try to extract it now, it will fail with an error saying the archive is corrupted: the file still begins with the HTTP response headers, not with the gzip data.
OK. Now we need a hex editor. I use GHex; you are welcome to use your favourite.
Open sample.gz in the hex editor:
Now we need to remove the whole HTTP header block.
Leave only the gzip data itself: delete everything from the start of the file up to, but not including, the first occurrence of the two bytes 1F 8B in the hex window.
Hint: 1F 8B is the standard magic number at the beginning of every gzip stream 🙂 (One caveat: if the response was sent with Transfer-Encoding: chunked, the hex-size lines of the chunk framing are interleaved with the gzip data and have to be removed as well, otherwise the archive still looks corrupted.)
Here is how it looks:
OK. Now we can save the file and extract it as a regular gzip archive.
In the same folder you'll find sample.html (or whatever was encoded).
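The whole procedure above (save the server-to-client stream, strip everything before 1F 8B, gunzip) can also be scripted, which is handy when you have to do it for several captures. The script below is an added example and is not part of the original post or of any tool mentioned in it. It does what the hex-editor steps do, and additionally removes chunked transfer framing (which would otherwise leave chunk-size lines inside the gzip stream) and tolerates a truncated capture by returning the partial page instead of failing. The HTTP response it decodes when run without arguments is constructed here for illustration, not taken from the capture; function names such as carve_gzip and decode_response are my own.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream (ID1, ID2)


def dechunk(body: bytes) -> bytes:
    """Remove HTTP/1.1 chunked transfer framing and return the raw payload bytes.

    Each chunk is "<hex size>[;ext]\\r\\n<data>\\r\\n"; a zero-size chunk ends the body.
    """
    out = bytearray()
    pos = 0
    while True:
        line_end = body.find(b"\r\n", pos)
        if line_end == -1:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:line_end].split(b";")[0].strip(), 16)
        pos = line_end + 2
        if size == 0:
            break  # last chunk; any trailer headers after it are ignored
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def carve_gzip(raw_response: bytes) -> bytes:
    """Return the gzip stream from a raw HTTP response as saved by Follow TCP Stream.

    Script equivalent of deleting everything before 1F 8B in the hex editor,
    plus removal of chunk framing, which the hex-editor method does not handle.
    """
    sep = raw_response.find(b"\r\n\r\n")
    if sep == -1:
        raise ValueError("no end of HTTP headers (CRLF CRLF) found")
    headers = raw_response[:sep].lower()
    body = raw_response[sep + 4:]
    if b"transfer-encoding: chunked" in headers:
        body = dechunk(body)
    start = body.find(GZIP_MAGIC)
    if start == -1:
        raise ValueError("no gzip magic 1F 8B in the response body")
    return body[start:]


def decode_response(raw_response: bytes) -> bytes:
    """Decompress the carved gzip stream; a truncated capture yields a partial page, not an error."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16: accept gzip framing only
    data = inflater.decompress(carve_gzip(raw_response))
    if not inflater.eof:
        print("warning: gzip stream is truncated; output is partial")
    return data


# --- constructed sample data (not from the original capture) ---
SAMPLE_HTML = b"<html><body><script>/* placeholder page body */</script></body></html>"
_HEADERS = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n")


def chunk_encode(data: bytes, size: int = 16) -> bytes:
    """Apply chunked transfer framing (only used to build the sample response)."""
    out = bytearray()
    for i in range(0, len(data), size):
        piece = data[i:i + size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return bytes(out + b"0\r\n\r\n")


_GZ = gzip.compress(SAMPLE_HTML)
SAMPLE_RESPONSE_PLAIN = _HEADERS + (b"Content-Length: %d\r\n\r\n" % len(_GZ)) + _GZ
SAMPLE_RESPONSE_CHUNKED = _HEADERS + b"Transfer-Encoding: chunked\r\n\r\n" + chunk_encode(_GZ)

if __name__ == "__main__":
    import sys
    # Usage: python carve_gzip.py sample.gz   (the file saved from Follow TCP Stream)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sys.stdout.buffer.write(decode_response(fh.read()))
    else:
        print(decode_response(SAMPLE_RESPONSE_CHUNKED).decode())
```

Point it at the sample.gz you saved from Follow TCP Stream and redirect the output to sample.html. Using zlib.decompressobj instead of gzip.decompress is deliberate: a capture that missed the last packets of the response still decodes to whatever was received, which is usually enough to recognise the landing page.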
Right-click – Edit:
So it is the RedKit Exploit Kit 🙂
Now we have another detail for the next case 🙂
Meanwhile, stay safe and good luck!