Monday, December 21, 2009

smtpcat, Parseing emails from a pcap file

I learned of the tool from a forensic contest blog i've been following for awhile now. This tool came about when a challenge was posed to determine the contents of an email from a pcap file. I've posted the solutions to this contest in an early blog entry (still have to update the part on getting the password) but my methods were not very automated and as easy as one might want things to be. A perl script, Smtpcat, came about to resolve this issue. From the author, Amar Yousif,
"I wrote smtpcat which will loop through a pcap file and identify all of the smtp conversations in it. Smtpcat dive deep into the payload and identifies the sender, receiver, date, subject, and optionally the AuthSMTP decoded password. The tool also has the ability to dump the payload of any smtp message as an eml file that can be further opened via outlook express for example. "

This tool definitly would make my life easier when pasrsing through network captures for email messages and its contents. Im happy i did things using a more manual procedure, just goes to show that i understood what i was doing.

# perl smtpcat -r pcap_file -p // '-r' reads the pcap and '-p' tells smtpcat to decode the smtp password

[1] ->
[1] -> Sat, 10 Oct 2009 07:35:30 -0600
[1] SUBJ: lunch next week
[1] PASS:558r00lz

[2] ->
[2] -> Sat, 10 Oct 2009 07:38:10 -0600
[2] SUBJ: rendezvous
[2] PASS:558r00lz

The above shows two email conversations being sent. Smtpcat identifies the sender and recipient as well as the smtp password.

# perl smtpcat -r pcap_file -p -d 2 -w message.eml // '-d 2' dumps the content of the smtp message from index 2 (index 2 was identified with the first command output above). '-w' writes the contents of the smtp message to a file

You can then open the message.eml file in outlook express to get the email body and possible attachments.

For more commands type: # perl smtpcat -h

Resources/Good reading:

1 comment:

  1. awesome write-up, aerokid240. Just FYI, you can also read more about smtpcat on my blog at; I explained it in more details there than I did on the forensics contest website.