
Decrypting Network Traffic (email)

i_admit_iam_a_geek

Newbie

Posts: 5

Joined: Tue May 12, 2009 9:45 am

Post Tue May 12, 2009 9:57 am

Decrypting Network Traffic (email)

First... Hi all.

A bit of a question Google can't seem to give me the answer to:

I have been very much getting into the use of network traffic capture of late, e.g. Wireshark and my tool of choice, DataEcho.

Mainly regarding email, all but the sender's name seems to be encrypted or encoded. Is there any way to make the data sent understandable?

Cheers if anyone can help.

:o)

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue May 12, 2009 10:10 am

Re: Decrypting Network Traffic (email)

They are likely to be BASE64 encoded. It's not encryption, so it's easily reversible. I believe that NetWitness Investigator's email parser will decode base64, but I am not positive. I don't have it installed on my machine here.

I know for a fact that Cain and Abel has a nice decoder for base64, as well as a few websites out there. I am surprised that Wireshark's SMTP parser doesn't decode base64 on the fly though.
~~~~~~~~~~~~~~
Ketchup

i_admit_iam_a_geek

Newbie

Posts: 5

Joined: Tue May 12, 2009 9:45 am

Post Tue May 12, 2009 12:18 pm

Re: Decrypting Network Traffic (email)

Thanks for your response,

I will have a look into some of the programs you have name-checked, thanks.

The system in particular I was experimenting with was Microsoft Exchange Server based, so I wasn't sure if it used something a little different to normal SMTP traffic.

But now I know the base, I should be well away with a bit of a play.

Thanks again

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Tue May 12, 2009 1:06 pm

Re: Decrypting Network Traffic (email)

You might try the Ferret tool from Errata Security. I have had some hit-and-miss success with it.

i_admit_iam_a_geek

Newbie

Posts: 5

Joined: Tue May 12, 2009 9:45 am

Post Tue May 12, 2009 1:35 pm

Re: Decrypting Network Traffic (email)

Interesting, I'll have a look.

For now I have super quickly knocked up my own BASE64 encode/decode application in C#. I had a look on the web but didn't come up with any that had a user interface that made life as easy as it needed to be for my needs.

I'll have to wait until the morning to give it a spin on the work network, so I'll report back if it did the trick, with a link to my application, simple as it is, in case it is of use to anyone.

With regards to Wireshark and BASE64, Google seems to indicate that it does not currently do conversion... or at least it is on the Wireshark wiki wishlist.

former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Tue May 12, 2009 5:41 pm

Re: Decrypting Network Traffic (email)

Please let us know if it worked for you. I'd be interested to see the UI you came up with.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk

i_admit_iam_a_geek

Newbie

Posts: 5

Joined: Tue May 12, 2009 9:45 am

Post Wed May 13, 2009 3:46 am

Re: Decrypting Network Traffic (email)

No luck at the moment; it seems the data that comes out is not base64, or at least not all of it. There are a lot of squares(?) and question marks in the text. I'll keep at it and see what comes of it.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed May 13, 2009 7:13 am

Re: Decrypting Network Traffic (email)

Can you post a sample? I've never seen just email addresses encrypted, although I haven't done much analysis on Exchange 2007 yet. Whenever I see scrambled email addresses, bodies, etc., they have always been base64 encoded. Does the data look anything like this and end in a '='?

?koi8-r?B?U2hlIHdvbpJ0IG5lZWQgYSBtYWduaWZ5aW5nIGdsYXNzIGZyb20gbm93?=
~~~~~~~~~~~~~~
Ketchup
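
As an added example (not code from this thread or from any tool named in it), a small Python decoder for the RFC 2047 encoded-words Ketchup is describing, plus a heuristic for the thread's underlying question of whether a captured blob is base64 at all. The header lines and addresses are constructed; the Subject value is Ketchup's sample with the leading '=' that RFC 2047 requires, and the function names are my own.

```python
import base64
import binascii
import re
from email.header import decode_header

# Constructed header lines as they might appear in a captured SMTP session.
# The Subject is the encoded-word quoted above, with the leading '=' RFC 2047 requires.
SAMPLE_HEADERS = [
    "From: alice@example.invalid",
    "Subject: =?koi8-r?B?U2hlIHdvbpJ0IG5lZWQgYSBtYWduaWZ5aW5nIGdsYXNzIGZyb20gbm93?=",
    "To: =?utf-8?Q?Bj=C3=B6rn?= <bjorn@example.invalid>",
]


def decode_header_value(value, charset_override=None):
    """Turn a header value holding =?charset?B|Q?...?= encoded-words into text.
    charset_override replaces the charset the sender declared, for the case
    where it is mislabelled and the text decodes to stray 'squares'."""
    out = []
    for raw, charset in decode_header(value):
        if not isinstance(raw, bytes):
            out.append(raw)  # header contained no encoded-words at all
            continue
        try:
            out.append(raw.decode(charset_override or charset or "ascii", "replace"))
        except LookupError:  # charset label Python does not know
            out.append(raw.decode("latin-1"))
    return "".join(out)


def decode_headers(lines, charset_override=None):
    """Map each captured 'Name: value' line to its decoded value."""
    result = {}
    for line in lines:
        name, _, value = line.partition(":")
        result[name.strip()] = decode_header_value(value.strip(), charset_override)
    return result


def is_base64_text(blob):
    """Heuristic for the thread's question: does a captured blob look like base64
    of readable text? Alphabet and padding, a strict decode, then a check that
    the decoded bytes are mostly printable (binary or ciphertext fails this)."""
    compact = "".join(blob.split())
    if not compact or len(compact) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return False
    try:
        decoded = base64.b64decode(compact, validate=True)
    except binascii.Error:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in decoded)
    return printable / len(decoded) >= 0.9
```

Decoding the sample with its declared koi8-r charset turns the byte 0x92 into a block glyph; passing charset_override="cp1252" yields the apostrophe the sender meant, which is the kind of mismatch that produces "squares" in a decoded capture.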

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Wed May 13, 2009 11:13 am

Re: Decrypting Network Traffic (email)

i_admit_iam_a_geek wrote: For now I have super quickly knocked up my own BASE64 encode/decode application in C#. I had a look on the web but didn't come up with any that had a user interface that made life as easy as it needed to be for my needs.

Give this a shot: SNEAK

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Thu May 14, 2009 7:33 am

Re: Decrypting Network Traffic (email)

If you are looking at SMTP traffic, then that would not be encrypted or encoded, so it leads me to believe you must be looking at traffic between the client and server.

I believe Outlook and Exchange 2007 use encryption by default for their communication. If you don't have the key, good luck.
twitter.com/timmedin | http://blog.securitywhole.com

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu May 14, 2009 9:44 am

Re: Decrypting Network Traffic (email)

Yeah, MAPI can be tough to parse, although Wireshark has a built-in parser for MAPI. SMTP does encode, just think attachments. They are MIME encoded most often. Some servers/clients will also encode email addresses and subjects, and sometimes the entire message. I spent a good deal of time writing various parsers for email and have seen an enormous amount of variation in interpretation of standards.
~~~~~~~~~~~~~~
Ketchup
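
Ketchup's point that attachments travel MIME-encoded inside otherwise plain SMTP, as an added example that is not code from this thread: parsing one captured DATA section with Python's standard email package and undoing each part's Content-Transfer-Encoding, with a SHA-256 of every decoded part so a carved attachment can be hashed like any other artefact. The message, addresses and attachment are constructed.

```python
import email
import hashlib
from email import policy

# Constructed DATA section of one message, CRLF-terminated as on the wire.
# The text part is quoted-printable; the attachment is base64 (RFC 2045).
CAPTURED_DATA = (
    b"From: alice@example.invalid\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; charset="utf-8"\r\n'
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Caf=C3=A9 report attached.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="report.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="report.txt"\r\n'
    b"\r\n"
    b"UTE6IG9rCg==\r\n"
    b"--b1--\r\n"
)


def extract_parts(raw):
    """One dict per leaf MIME part: decoded bytes plus a SHA-256 digest.
    get_payload(decode=True) undoes base64 and quoted-printable for us."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers have no body of their own
        payload = part.get_payload(decode=True)
        parts.append({
            "content_type": part.get_content_type(),
            "filename": part.get_filename(),
            "encoding": str(part.get("Content-Transfer-Encoding", "7bit")).lower(),
            "data": payload,
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return parts


def attachments(raw):
    """Only the parts that carry a filename, i.e. the attachments."""
    return [p for p in extract_parts(raw) if p["filename"]]
```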

i_admit_iam_a_geek

Newbie

Posts: 5

Joined: Tue May 12, 2009 9:45 am

Post Fri May 15, 2009 3:52 am

Re: Decrypting Network Traffic (email)

Cheers guys!

Not had much luck with it all, to be honest. It is an Exchange server and, to be honest, it's not looking good. I can say 100% that the data is not BASE64.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri May 15, 2009 7:06 am

Re: Decrypting Network Traffic (email)

It sounds like you could be looking at MAPI traffic. It doesn't look like RPC over HTTPS, because everything should be encrypted. If you don't mind, post a small capture file of something non-sensitive (like SPAM). Maybe we can help you figure it out. Which version of Exchange is it?

~~~~~~~~~~~~~~
Ketchup
