- Install Wireshark and start capturing network traffic
- Download an .exe file; in this example it is putty.exe
- Once the file has been downloaded to your machine, stop the capture
- Search for and identify the session related to the download activity (hint: look for HTTP GET requests)
- Right-click the session and select Follow Stream
- Instead of selecting the entire conversation, select only the traffic originating from the web server, in this case 46.43.34.31:80 -> 192.168.178.34:64491
- Click Save as and save it as, for example, dump
- Now open the dump file in your favorite hex editor and remove the HTTP header, which is the red part in the screenshot below:
- After you have removed the HTTP header, your file should start with MZ
- Save the file as dump.exe
- Check the result: you have now obtained the .exe from network traffic
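As an added example (not part of the original walkthrough), the following Python script automates the last three steps: it strips the HTTP response header from the server-side stream saved by Follow Stream, honours Content-Length and chunked transfer encoding, and checks for the MZ stub and the PE signature before writing the executable. The file names dump and dump.exe and the command-line handling are assumptions.

```python
"""Carve the HTTP response body out of a server->client stream dump."""
import re
import struct
import sys

def split_http_response(dump: bytes) -> tuple[bytes, bytes]:
    """Return (header, body); the header ends at the first blank line."""
    end = dump.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("no end of HTTP header found")
    return dump[:end + 4], dump[end + 4:]

def decode_chunked(body: bytes) -> bytes:
    """Reassemble a body sent with Transfer-Encoding: chunked."""
    out, pos = bytearray(), 0
    while True:
        line_end = body.find(b"\r\n", pos)
        if line_end == -1:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        start = line_end + 2
        out += body[start:start + size]
        pos = start + size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)

def carve_exe(dump: bytes) -> bytes:
    """Drop the header and return only the transferred file bytes."""
    header, body = split_http_response(dump)
    if re.search(rb"(?im)^transfer-encoding:\s*chunked\s*$", header):
        body = decode_chunked(body)
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", header)
    if m:
        body = body[:int(m.group(1))]  # trim anything past the declared length
    return body

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Constructed sample: a minimal 200 response carrying a fake MZ/PE body.
SAMPLE_BODY = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 8
SAMPLE_DUMP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":  # usage: python carve.py dump  (no argument: sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    exe = carve_exe(raw)
    assert looks_like_pe(exe), "carved body does not look like a PE file"
    open("dump.exe", "wb").write(exe)
```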