Read Content-Encoding: gzip data from captured stream


Well, it appear to be easy, but not for me πŸ™‚

Here how looks like capture result in Wireshark:

If You Google “Content-Encoding: gzip decode”, You got list of solutions, none of which worked for me πŸ™‚ Ok, but I have to be sure it RedKit Exploit Kit payload page!

Ok, lets see what we can do.

If You see previous screen, I assume You already in Wireshark – Follow TCP stream

Now we need to choose only responseΒ  – bottom line drop-menu – choose instead of Entire Conversation – [Remote IP]:[protocol] to [Local IP]:[protocol]

and press Save As buttin. Save as sample.gz << If You not sure, why it .gz – default extension for gzip archive is .gz πŸ™‚

If You try to extract now, it will fail with error that archive is corrupted.

Ok. Now we need Hex Editor. I use GHex, You welcome to use Your favourite.

Open sample.gz in hex editor:

Now we need to remove all HTTP header.

We should leave only gzip data itself, and few other bytes, until we’ll see in hex window combination of two bytes: 1F 8B

Hint: This is standard beginning of gzip archive.Β  πŸ™‚

Here how it looks like:

Ok. Now we can save the file. And extract it as regular gzip archive.

In same folder You’ll find file sample.html (or whatever was encoded).

Right click – Edit:

So – it is RedKit Exploit kit πŸ™‚

Now we have another detail for next case πŸ™‚

Meanwhile stay safe and good luck!




one comment

  1. Hey Dennis,

    This was super helpful but I am a little bit stuck. I have a Hex file and I am trying to remove the HTTP Header using a hex editor…
    In wireshark I follow the TCP Stream and then when saving I save as “Raw” with a .gz format

    When removing the the HTTP Header how much should I remove?

    Should we remove everything including “Content-Encoding: gzip” if you could post further images on your site or the succesful gzip file so I can use a hex editor to analyse before and after that would be great! Thanks

    My Hex file looks this…

    Content-Encoding: gzip…..

    007Agent, 27/06/2017

Leave a comment