Wireshark Tutorial: Exporting Objects From a Pcap

This tutorial shows how to use Wireshark to extract files and web content from pcaps. It covers HTTP, SMB, SMTP (IMF), FTP-DATA and manual TCP stream exports, and how to verify extracted artifacts. Examples include retrieving a Word document and Windows executables (including a Trickbot SMB transfer) and computing SHA256 hashes for analysis. #Trickbot #smart-fax

Keypoints

  • Use File → Export Objects → HTTP/SMB/IMF/FTP-DATA in Wireshark to extract objects observed in a pcap.
  • Filter traffic first (e.g., http.request, smtp.data.fragment, ftp.request.command, ftp-data with tcp.seq eq 1) to locate relevant transfers before exporting.
  • For HTTP exports, inspect Content-Type and save GET responses (example: smart-fax[.]com returning .doc and .exe files).
  • In the SMB export list, the Content Type column shows the percentage of each file that was seen in the capture; only entries showing [100.0%] yield a complete, non-corrupt file. Check the list for executable filenames and note the packet numbers.
  • Export IMF to retrieve unencrypted SMTP messages as .eml files for analysis; exported HTML/pages from phishing sites can be viewed in an isolated environment.
  • FTP .exe files may not appear in FTP-DATA exports; locate ftp-data streams (ftp-data.command contains ".exe" and tcp.seq eq 1), then Follow TCP Stream → Show data as Raw → Save as to reconstruct binaries.
  • Verify extracted files with file and shasum -a 256 (or equivalent) and check hashes against sources like VirusTotal.

MITRE Techniques

  • [T1071.001] Web Protocols – Used to transfer files and web pages over HTTP. Quote: [‘filter on http.request’]
  • [T1071.003] Mail Protocols – Unencrypted SMTP used to send and retrieve messages that were exported as IMF/.eml. Quote: [‘filter on smtp.data.fragment’]
  • [T1210] Exploitation of Remote Services – Article references an exploit based on EternalBlue used to spread over SMB. Quote: [‘uses an exploit based on EternalBlue to spread across a network over SMB’]
  • [T1021.002] SMB/Windows Admin Shares – SMB was used to transfer Trickbot executables between hosts in the domain. Quote: [‘malware is sent over SMB traffic from an infected client to the domain controller’]
  • [T1105] Ingress Tool Transfer – Binaries and payloads were retrieved via HTTP and FTP (RETR commands). Quote: [‘GET /knr.exe’, ‘RETR q.exe’]
  • [T1041] Exfiltration Over C2 Channel (Network) – Stolen information sent back to an FTP server as HTML logs (STOR statements). Quote: [‘STOR statements representing store requests to send HTML-based log files back to the same FTP server’]
  • [T1566] Phishing – A fake PayPal login page was captured and exported for analysis. Quote: [‘fake PayPal login page’]

Indicators of Compromise

  • [Domain/URL] Hosting artifacts – smart-fax[.]com (hxxp://smart-fax[.]com/Documents/Invoice&MSO-Request.doc, hxxp://smart-fax[.]com/knr.exe)
  • [SHA256 hashes] Malware binaries – ca34b0926cdc3242bbfad1c4a0b42cc2750d90db9a272d92cfb6cb7034d2a3bd, 08eb941447078ef2c6ad8d91bb2f52256c09657ecd3d5344023edccf7291e9fc, and 7 other hashes
  • [IP addresses] Internal hosts in SMB example – 10.6.26.6 (domain controller), 10.6.26.110 (infected client)
  • [Filenames] Retrieved payloads and artifacts – knr.exe, q.exe, and other filenames like w.exe, e.exe
  • [Hostnames/Domains] Affected domain – cliffstone[.]net (domain in the Trickbot SMB scenario)

To extract objects from a pcap with Wireshark: open the pcap and apply targeted display filters (examples: http.request for HTTP GETs; smtp.data.fragment for unencrypted SMTP; ftp.request.command or (ftp-data and tcp.seq eq 1) for FTP traffic). For HTTP and web content use File → Export Objects → HTTP… to save returned files (HTML, images, .doc, .exe). For unencrypted SMTP messages use File → Export Objects → IMF… to save .eml files. Verify suspicious HTTP results by checking the Content-Type column, then confirm saved files with the file utility and compute SHA256 with shasum -a 256 (or equivalent) and check detections on VirusTotal.

To export SMB-shared files, open File → Export Objects → SMB… and ensure the Content Type column shows [100.0%] to obtain complete files; the SMB object list includes packet numbers, hostnames and filenames for each exportable object. For FTP: use File → Export Objects → FTP-DATA… (Wireshark ≥4.0.0) to retrieve text/html log files, but FTP-retrieved binaries (.exe) may not appear there. Locate the TCP segments that start the FTP data stream with a filter like ftp-data.command contains ".exe" and tcp.seq eq 1, right-click → Follow → TCP Stream, set "Show data as" to Raw, then Save as [filename].

Always perform extraction and analysis in an isolated, non-Windows environment when possible (Linux/macOS/BSD recommended). After exporting, confirm file type (file [filename]) and compute SHA256 (shasum -a 256 [filename]), record hashes and cross-check on services like VirusTotal. Use these procedures to safely reconstruct and validate artifacts from HTTP, SMB, SMTP and FTP traffic during investigations.
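The export procedure above (HTTP, SMB, IMF, FTP-DATA and the manual ftp-data stream reconstruction) and the verification step can be driven from the command line with tshark, Wireshark's CLI, which is useful when many pcaps need the same treatment. The script below is an added example and is not code from the Unit 42 article; it assumes tshark is on PATH (4.0.0 or later for ftp-data), that `$PCAP` and `$OUT` are placeholder paths supplied by the analyst, and that the hex layout of `tshark -z follow,tcp,raw` output is as described in the comment (verify it on your build). It goes a little beyond the article by classifying each exported file from its leading bytes, so a payload whose extension lies about its type is still reported correctly.

```shell
#!/bin/sh
# Added example (not from the Unit 42 article): export-and-verify workflow
# driven by tshark. Assumptions: tshark on PATH (>= 4.0.0 for ftp-data);
# "$PCAP" and "$OUT" are placeholder paths chosen by the analyst.

# Export every object tshark can carve for the protocols the article covers.
# One sub-directory per protocol keeps HTTP, SMB, IMF (.eml) and FTP-DATA apart.
export_objects() {
    pcap="$1"; out="$2"
    for proto in http smb imf ftp-data; do
        mkdir -p "$out/$proto"
        tshark -r "$pcap" -q --export-objects "$proto,$out/$proto" >/dev/null 2>&1
    done
}

# SHA256 of a file using whichever tool the host provides (Linux: sha256sum,
# macOS/BSD: shasum -a 256). Prints only the hex digest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Classify a file by its leading bytes rather than its extension, so a payload
# named .doc that is really a PE executable is not mistaken for a document.
# Covers the types that appear in the article; `file` gives the full picture.
magic_type() {
    hex=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        4d5a*)     echo "PE executable (MZ header)" ;;
        d0cf11e0)  echo "OLE2 compound document (legacy .doc/.xls)" ;;
        504b0304)  echo "ZIP container (OOXML .docx, JAR, ...)" ;;
        7f454c46)  echo "ELF executable" ;;
        *)         echo "unknown ($hex)" ;;
    esac
}

# One tab-separated record per exported file: type, size, SHA256, path.
# The hashes are what you then look up on VirusTotal or your own intel platform.
report_objects() {
    find "$1" -type f | while IFS= read -r f; do
        printf '%s\t%s\t%s\t%s\n' "$(magic_type "$f")" \
            "$(wc -c < "$f" | tr -d ' ')" "$(sha256_of "$f")" "$f"
    done
}

# FTP-retrieved binaries that FTP-DATA export misses: list the tcp.stream
# indexes whose ftp-data command names an .exe, using the article's filter.
ftp_exe_streams() {
    tshark -r "$1" -Y 'ftp-data.command contains ".exe" and tcp.seq eq 1' \
           -T fields -e tcp.stream -e ftp-data.command
}

# Dump one ftp-data stream as raw bytes (the CLI equivalent of Follow TCP
# Stream -> Show data as Raw -> Save as). ASSUMPTION about tshark's format:
# `-z follow,tcp,raw` prints one hex line per segment, reply direction
# indented with a tab. ftp-data carries payload in one direction only, so
# both directions are kept and the tabs stripped before decoding with xxd.
dump_ftp_stream() {
    pcap="$1"; stream="$2"; dest="$3"
    tshark -r "$pcap" -q -z "follow,tcp,raw,$stream" \
        | grep -E '^[[:space:]]*[0-9a-f]+$' | tr -d '\t' | xxd -r -p > "$dest"
}

# Typical run (PCAP and OUT are placeholders):
#   export_objects "$PCAP" "$OUT" && report_objects "$OUT"
#   ftp_exe_streams "$PCAP"                         # prints e.g. "3   q.exe"
#   dump_ftp_stream "$PCAP" 3 "$OUT/ftp-data/q.exe"
#   magic_type "$OUT/ftp-data/q.exe"                # expect the MZ header line
```

Run the report over the export directory before opening anything: a file whose magic type disagrees with its extension, or an SMB export that is smaller than the size reported in the object list, is the first sign that the capture was incomplete or the payload is not what its name claims.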

Read more: https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/