Hello and welcome to the Tuesday, January 21st, 2021, 2025 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, we got an interesting diary today by DDA about how to download a partial sipIP file from a website.

First of all, the questions, why would you do this?

Wouldn't you end up with a corrupt file?

Well, that's sort of where DDA's trick comes in.

Sometimes the file that you may attempt to download from a particular website is just very large.

You don't want to waste a lot of

bandwidth for just downloading basically a small part, basically one file that's part of a larger

zip file. Of course, this only works if this larger zip file includes multiple individual files.

Let's say it's some malware and the only thing you're

really interested in is because you already know the malware is like a configuration file that

comes with the malware. So the way you go about it and DDE walks you through the details is

that you basically take advantage of the HTTP range header.

If a web server and most web servers out of the box

will support the range header,

then you can tell the web server to only download part of a particular response.

So you start out by first downloading just the beginning of the

file. That will include the index that includes all the files that are part of that SIP file,

including an offset where each individual file starts. Next, you then use the range header again in order to tell the web server,

hey, only sent me the content starting at this particular offset.

And then you can also basically tell it only to the next offset,

where then the next file starts,

...