How to extract files from network traffic using Wireshark

  1. Install Wireshark and start capturing network traffic.
  2. Download a .exe file; in this example it is putty.exe.
  3. When the file has been downloaded to your machine, stop the capture.
  4. Search for and identify the session related to the download (hint: look for HTTP GET requests).

[Screenshot: wireshark-1]

  5. Right-click the session and select Follow TCP Stream.
  6. Instead of selecting the entire conversation, select only the traffic originating from the web server, in this case 46.43.34.31:80 -> 192.168.178.34:64491.

[Screenshot: wireshark-2]

  7. Click Save as and save the stream as, for example, dump.

  8. Now open the dump file in your favorite hex editor and remove the HTTP header, which in the screenshot below is the red part:

[Screenshot: wireshark-3]

  9. After you have removed the HTTP header, your file should start with MZ.

[Screenshot: wireshark-4]

  10. Save the file as dump.exe.

[Screenshot: wireshark-5]

  11. See the result: you have now obtained the .exe from the network traffic.

[Screenshot: wireshark-6]
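The manual hex-editor steps above (strip the HTTP header, check that the file starts with MZ) can be scripted, which also handles the case the screenshots do not show: a response sent with chunked transfer encoding, where chunk-size lines remain inside the body after the header is cut. The following is an added example, not code from the original post; the sample dump is constructed and its body only mimics the first bytes of a PE file.

```python
# Constructed sample of what "Follow TCP Stream" saves when only the
# server -> client direction is kept: the HTTP response to the GET for the
# .exe. The body only mimics the first bytes of a PE file (not a real binary).
SAMPLE_DUMP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"
)

def split_http_response(raw: bytes):
    """Return (headers, body); header names are lower-cased bytes."""
    sep = raw.find(b"\r\n\r\n")
    if sep == -1:
        raise ValueError("no end-of-headers marker: not a complete HTTP response")
    head, body = raw[:sep], raw[sep + 4:]
    headers = {}
    for line in head.split(b"\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def dechunk(body: bytes) -> bytes:
    # Chunked framing: <hex size>\r\n<data>\r\n ... 0\r\n\r\n. Cutting only
    # the header in a hex editor would leave these size lines inside the file.
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                       # skip data + its CRLF

def extract_file(raw: bytes) -> bytes:
    """Strip the HTTP header (and chunk framing) and return the file bytes."""
    headers, body = split_http_response(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return dechunk(body)
    if b"content-length" in headers:
        return body[:int(headers[b"content-length"])]
    return body

def is_pe(data: bytes) -> bool:
    """A Windows executable starts with the DOS header magic 'MZ'."""
    return data[:2] == b"MZ"
```

Run `extract_file` over the bytes of the saved dump and write the result to dump.exe; `is_pe` is the same check as step 9.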

Posted on February 6, 2015, in Wireshark.
