Extracting Windows executables with Wireshark

This is an example of how to use Wireshark to extract a Windows executable file from an FTP transfer between two computers on the same network. In this walkthrough I’ll be using three VMs:
- A Linux VM to serve as the FTP server with a file on it. (Bottom right)
- A Windows XP VM to connect to the Linux server and download the file. (Top right)
- A Kali Linux VM to listen to the network while the file transfer happens. (Left)

[Image: 01_vms]

I’ll start by setting up Wireshark on my Kali VM to capture in promiscuous mode, then click Start so Wireshark begins listening to traffic on the network.

[Image: 02_wrshkOptions]

The next step is to go over to the Windows machine, connect to the FTP server and download a file. For this demo I’ll be using netcat as the file to download. Since anonymous logins are enabled on this FTP server I will use the username anonymous and a blank password when prompted. After connecting I’ll use the GET command to download nc.exe.

[Image: 03_dlNC]

At this point I’ll stop the network capture on Wireshark and look at the TCP stream of the data transferred over port 20.

[Image: 04_stopCap]

The MZ at the beginning indicates that this chunk of data is a Microsoft Windows executable. If it were a Linux executable it would say ELF. If it were a PNG image file the header would read PNG.
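As an added example (not code from the original post), here is a small Python checker that applies the same magic-byte test to a blob carved from the stream; for MZ files it also follows the DOS header's e_lfanew field to the PE/COFF header and reports the target architecture and whether the file is a DLL. The sample input is constructed, and the command-line file path is an assumption.

```python
import struct
import sys

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def identify_carved_file(data: bytes) -> dict:
    """Classify a blob carved from a TCP stream by its leading magic bytes.

    For MZ files, also follow e_lfanew (offset 0x3C) to the PE/COFF header so
    the analyst learns the target architecture and whether it is a DLL.
    """
    if data.startswith(b"MZ"):
        info = {"type": "MZ (Windows executable)", "pe_header": False}
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 24:
                machine, nsect, _ts, _sym, _nsym, _opt, chars = struct.unpack_from(
                    "<HHIIIHH", data, pe_off + 4)
                info.update(pe_header=True, sections=nsect,
                            machine=MACHINES.get(machine, hex(machine)),
                            dll=bool(chars & 0x2000))  # IMAGE_FILE_DLL flag
        return info
    if data.startswith(b"\x7fELF") and len(data) > 4:
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown class")
        return {"type": f"ELF ({bits})"}
    if data.startswith(PNG_MAGIC):
        return {"type": "PNG image"}
    return {"type": "unknown"}


def build_sample_pe(machine=0x14C, characteristics=0x0102) -> bytes:
    """Constructed test input: DOS header + COFF header only, not a runnable binary."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0, characteristics)
    return bytes(dos) + coff


if __name__ == "__main__":
    # Run against a carved file (e.g. the unknown.exe saved from Wireshark) or the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(identify_carved_file(blob))
```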

[Image: 05_ftpData]

I’ll save the raw data as unknown.exe on the Desktop of my Kali VM.

[Image: 06_saveData]

Now, to test whether the file still works after being extracted from the network capture, I’ll move it to my Windows VM and set up a netcat listener with unknown.exe.

[Image: 07_ncLstnr]

Now to connect using netcat on my Kali VM…

[Image: 08_profit]

Profit!

-Wytshadow


The opinions and thoughts on this blog are those of Overflow Security members, and do not reflect those of our members employers.