"I wrote smtpcat which will loop through a pcap file and identify all of the smtp conversations in it. Smtpcat dives deep into the payload and identifies the sender, receiver, date, subject, and optionally the AuthSMTP decoded password. The tool also has the ability to dump the payload of any smtp message as an eml file that can be further opened via outlook express for example. "
This tool definitely would make my life easier when parsing through network captures for email messages and their contents. I'm happy I did things using a more manual procedure; it just goes to show that I understood what I was doing.
usage:
# perl smtpcat -r pcap_file -p // '-r' reads the pcap and '-p' tells smtpcat to decode the smtp password
[1] 192.168.1.159:1036 -> 64.12.102.142:587
[1] sneakyg33k@aol.com -> sec558@gmail.com Sat, 10 Oct 2009 07:35:30 -0600
[1] SUBJ: lunch next week
[1] PASS:558r00lz
[2] 192.168.1.159:1038 -> 64.12.102.142:587
[2] sneakyg33k@aol.com -> mistersecretx@aol.com Sat, 10 Oct 2009 07:38:10 -0600
[2] SUBJ: rendezvous
[2] PASS:558r00lz
The output above shows two email messages being sent. For each one, smtpcat identifies the sender and recipient as well as the SMTP password used to authenticate.
# perl smtpcat -r pcap_file -p -d 2 -w message.eml // '-d 2' dumps the content of the smtp message with index 2 (the index comes from the output of the first command above). '-w' writes the contents of the smtp message to a file
You can then open the message.eml file in Outlook Express to get the email body and any attachments.
For more commands type: # perl smtpcat -h
Resources/Good reading:
http://forensicscontest.com/contest02/Finalists/Amar_Yousif/narrative.txt
http://www.yousicurity.com
Awesome write-up, aerokid240. Just FYI, you can also read more about smtpcat on my blog at YousiCurity.com; I explained it in more detail there than I did on the forensics contest website.