Extracting Windows executables with Wireshark

This is an example of how to use Wireshark to extract a Windows executable file from an FTP transfer between two computers on the same network. In this walkthrough I’ll be using three VMs:
-A Linux VM to serve as the FTP server with a file on it. (Bottom right)
-A Windows XP VM to connect to the Linux server and download the file. (Top right)
-A kali Linux VM to listen to the network while the file transfer happens. (Left)


I’ll start by setting up Wireshark on my Kali VM to listen in promiscuous mode and click start to make Wireshark begin listening to traffic on the network.


Next step is to go over to the Windows machine and connect to the FTP server and download a file. For this demo I’ll be using netcat as the file to download. Since anonymous logins are enabled on this ftp server I will use the username anonymous and I will use a blank password when prompted for it. After connecting I’ll use the GET command to download nc.exe.


At this point I’ll stop the network capture on Wireshark and look at the TCP stream of the data transferred over port 20.


The MZ at the beginning indicates that this chunk of data is a Microsoft Windows executable. If it were a Linux executable it would say ELF. If it were an image file it may say PNG.


I’ll save the raw data as unknown.exe on the Desktop of my Kali VM.


Now to test if the file works after being extracted from the network capture I’ll move it to my Windows VM and setup a netcat listener with unknown.exe.


Now to connect using netcat on my Kali VM…




Leave a Reply

Your email address will not be published. Required fields are marked *