
How to retrieve a PDF file from an FTP connection if it's in binary instead of ASCII format?

asked 2021-04-26 09:21:59 +0000

dCharmePet

updated 2021-04-26 09:37:00 +0000

grahamb

Below is the Wireshark - Follow TCP stream:

220 (vsFTPd 3.0.3)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
USER anonymous
331 Please specify the password.
PASS [email protected]
230 Login successful.
250 Directory successfully changed.
257 "/" is the current directory
200 Switching to Binary mode.
227 Entering Passive Mode (172,27,134,97,115,39).
RETR red_alpha.pdf
150 Opening BINARY mode data connection for red_alpha.pdf (79780 bytes).
226 Transfer complete.


As it's the same challenge as posted a few days ago, what have you tried?

In particular, you should note the line in the conversation and work out what this means for FTP data transfer:

227 Entering Passive Mode (172,27,134,97,115,39)
grahamb ( 2021-04-26 09:37:29 +0000 )

How do you expect to extract a PDF file from a TLS encrypted connection? Just extremely curious how you would do this?

hugo.vanderkooij ( 2021-04-26 09:57:54 +0000 )

I've looked into all lines from PASV to 'Transfer complete' but am unable to find any file...

Protocol   Length   Info
FTP        86       Request: RETR award.pdf
TCP        66       ftp(21) > 40294 [ACK] Seq=307 Ack=111 Win=65280 Len=0 ….
FTP        140      Response: 150 Opening BINARY mode data connection for...
TCP        66       40294 > ftp(21) [ACK] Seq=111 Ack=381 Win=64256 Len=0 ….
dCharmePet ( 2021-04-26 10:00:49 +0000 )

This is our homework for a cybersecurity course....

dCharmePet ( 2021-04-26 10:02:29 +0000 )

It's not TLS encrypted.

grahamb ( 2021-04-26 10:22:46 +0000 )

1 Answer


answered 2021-04-26 16:00:43 +0000

Chuckc

updated 2021-04-26 16:03:56 +0000

If it's known that the file is PDF, use the file signature (magic number).
For a PDF file:

Hex: 25 50 44 46 2d

(Before attempting in Wireshark, spend some time with a known PDF file and a hex editor to get a feel for what the file bytes will look like.)

  1. Set a Wireshark display filter of frame contains "%PDF-"
  2. Check the packet bytes. Is it a PDF header or does the string appear randomly in the capture?
  3. Right click the packet, then Follow -> TCP Stream
  4. Check that you will only be saving the download side of the conversation.
  5. Set Show data as: Raw
  6. Save the file: Save as...


Grr. A different approach but still gives the game away. There is a simple method for FTP transfers that will also work if the file isn't a PDF using the PASV command to guide you.

grahamb ( 2021-04-26 17:18:11 +0000 )
Chuckc ( 2021-04-26 17:53:33 +0000 )

@Chuckc Perfect answer to the question, but I think it is a better learning experience if (in case of homework assignments) we don't give the solution, but give direction into solving the issue themselves.

SYN-bit ( 2021-04-26 18:49:06 +0000 )

Perhaps there should be a File Carving page on the Wiki? Looking back through the Ask Q&A site, this question of carving a file out comes up several times without an answer.
At some point it's less about tutoring each individual and more about providing knowledge about Wireshark.
My hope is that if the people just follow this example, perhaps there will be some muscle memory retained from clicking the buttons. :-)

Chuckc ( 2021-04-26 18:54:03 +0000 )

@Chuckc It's also a learning experience to use Google to search for information on how to do a task, which as you have pointed out I had previously done.

IMHO the only folks who really need to extract objects from FTP are the malware analysts and they all know what to do (or have a colleague to ask), the rest are folks trying to complete challenges.

grahamb ( 2021-04-26 20:42:34 +0000 )
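
As an added example (not part of the original thread and not Wireshark code), the Python sketch below decodes the 227 reply into the passive data endpoint and a matching display filter, reads the size announced in the 150 reply, and carves a PDF by its signature from raw stream bytes. The function names and the sample bytes are constructed for illustration, and the carver assumes the file ends with the standard %%EOF marker.

```python
import re

PDF_MAGIC = b"%PDF-"  # hex 25 50 44 46 2d, the signature quoted in the answer
PDF_EOF = b"%%EOF"    # standard PDF end-of-file marker (not named on the page)

def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); per RFC 959, port = p1 * 256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("no PASV address tuple in reply")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PASV field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_filter(reply):
    """Wireshark display filter that isolates the passive data connection."""
    ip, port = parse_pasv(reply)
    return f"ip.addr == {ip} && tcp.port == {port}"

def announced_size(reply):
    """Byte count from a '150 Opening BINARY mode ...' reply, or None."""
    m = re.search(r"\((\d+) bytes\)", reply)
    return int(m.group(1)) if m else None

def carve_pdf(raw):
    """Return bytes from the first %PDF- through the last %%EOF, or None."""
    start = raw.find(PDF_MAGIC)
    end = raw.rfind(PDF_EOF)
    if start < 0 or end < start:
        return None
    end += len(PDF_EOF)
    while raw[end:end + 1] in (b"\r", b"\n"):  # keep the trailing line ending
        end += 1
    return raw[start:end]

# Constructed sample: a tiny PDF-like body with unrelated bytes on either side.
SAMPLE = b"\x00junk" + b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n" + b"trailing"

if __name__ == "__main__":
    print(data_filter("227 Entering Passive Mode (172,27,134,97,115,39)."))
    size = announced_size(
        "150 Opening BINARY mode data connection for red_alpha.pdf (79780 bytes).")
    print("expected file size:", size)
    print("carved:", carve_pdf(SAMPLE))
```

In a binary-mode transfer the server-to-client side of the data connection is the file itself, so the length of the saved raw stream can be compared against the size announced in the 150 reply.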

Asked: 2021-04-26 09:21:59 +0000

Seen: 12,294 times

Last updated: Apr 26 '21