Smtpdump

From aldeid

smtpdump.rb

Description

This program, written in Ruby, was developed by Franck GUENICHOT for the forensicscontest.com challenge. It extracts SMTP data (flows, authentication, attachments, MD5 signature) from a capture file (pcap format).

Installation

Prerequisites

Install the following dependencies:

# apt-get install ruby1.8 rubygems1.8 libpcap-ruby1.8 libtmail-ruby1.8

Download and installation

# cd /usr/local/bin
# wget http://malphx.free.fr/dotclear/public/nfpc2/smtpdump
# chmod +x smtpdump

Usage

General usage

Run smtpdump without any argument to display the help:

$ ./smtpdump

   smtpdump version 0.1, 
   Copyright (C) 2009 Franck GUENICHOT
   smtpdump comes with ABSOLUTELY NO WARRANTY;
   This is free software, and you are welcome
   to redistribute it under certain conditions.
   (GPL v3)
	
   Usage: smtpdump [options] -r <pcap_file>
   -A, --auth                       Display SMTP Auth informations (only LOGIN method)
   -e, --info                       Display Email informations
   -b, --brief                      Display minimum email informations
   -x, --xtract                     Extract email attachments
   -m, --md5                        Display extracted attachment MD5 Hash
   -s, --save                       Save raw email to file
   -f, --flow-index <index>         Filters only given index flow
   -r, --read <pcap_file>           Read the given pcap file [REQUIRED]
   -v, --version                    Display version information
   -h, --help                       Display this screen

Extracting authentication data

To extract authentication data from a capture file (pcap format), run smtpdump as follows:

$ ./smtpdump -A -r evidence02.pcap
=== SMTP flows ===
[1] 192.168.1.159:1036 => 64.12.102.142:587
       === Authentication infos ===
               Found LOGIN method
               Username: [email protected]
               Password: 558r00lz

[2] 192.168.1.159:1038 => 64.12.102.142:587
       === Authentication infos ===
               Found LOGIN method
               Username: [email protected]
               Password: 558r00lz

Display SMTP information

$ ./smtpdump -e -r evidence02.pcap
=== SMTP flows ===
[1] 192.168.1.159:1036 => 64.12.102.142:587
       === Email infos ===

               Mail From Ann Dercover <[email protected]> to [email protected]
               Subject: lunch next week
               Content: Sorry-- I can't do lunch next week after all. Heading out of town. Another time! -Ann
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2853" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Sorry-- I can't do lunch next week after all. 
Heading out of town. Another time! -Ann</FONT></DIV></BODY></HTML>


[2] 192.168.1.159:1038 => 64.12.102.142:587
       === Email infos ===

               Mail From Ann Dercover <[email protected]> to [email protected]
               Subject: rendezvous
               Content: Hi sweetheart! Bring your fake passport and a bathing suit. Address attached. love, Ann
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2853" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi sweetheart! Bring your fake passport and a 
bathing suit. Address attached. love, Ann</FONT></DIV></BODY></HTML>

Attachment: secretrendezvous.docx

Display basic SMTP information

$ ./smtpdump -b -r evidence02.pcap
=== SMTP flows ===
[1] 192.168.1.159:1036 => 64.12.102.142:587
[2] 192.168.1.159:1038 => 64.12.102.142:587

Extract email attachments

$ ./smtpdump -x -r evidence02.pcap
=== SMTP flows ===
[1] 192.168.1.159:1036 => 64.12.102.142:587
       === Attachments infos ===

[2] 192.168.1.159:1038 => 64.12.102.142:587
       === Attachments infos ===

               Type: multipart/alternative
               Type: application/octet-stream
               Saving file to disk: secretrendezvous.docx

Display the MD5 signature of an attachment

$ ./smtpdump -r evidence02.pcap -f2 -x -m
[2] 192.168.1.159:1038 => 64.12.102.142:587
       === Attachments infos ===

              Type: multipart/alternative
              Type: application/octet-stream
              Saving file to disk: secretrendezvous.docx

              File: secretrendezvous.docx (MD5: 0x9e423e11db88f01bbff81172839e1923)
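As an added example, not part of this page nor of Franck GUENICHOT's smtpdump, here is the core of what the -A, -x and -m options above do, written in plain Ruby with only the standard library: the real tool reassembles the flow from the pcap with libpcap and parses the message with TMail, whereas this version works on a constructed SMTP flow (every address, name and payload below is a placeholder).

```ruby
require 'base64'
require 'digest/md5'

# Constructed sample (not a real capture): the client side of one SMTP flow as
# reassembled from a pcap, with AUTH LOGIN and a multipart DATA section carrying
# one base64 attachment. Names, addresses and payload are placeholders.
BOUNDARY = "----=_Part_0001"
ATTACHMENT_BYTES = "PK\x03\x04 placeholder docx bytes".b
SAMPLE_FLOW = [
  "AUTH LOGIN",
  Base64.strict_encode64("ann@example.invalid"),
  Base64.strict_encode64("password-placeholder"),
  "MAIL FROM:<ann@example.invalid>", "RCPT TO:<x@example.invalid>", "DATA",
  "Subject: rendezvous",
  "Content-Type: multipart/mixed; boundary=\"#{BOUNDARY}\"", "",
  "--#{BOUNDARY}", "Content-Type: text/plain", "", "Address attached.",
  "--#{BOUNDARY}",
  "Content-Type: application/octet-stream; name=\"secretrendezvous.docx\"",
  "Content-Transfer-Encoding: base64",
  "Content-Disposition: attachment; filename=\"secretrendezvous.docx\"", "",
  Base64.strict_encode64(ATTACHMENT_BYTES),
  "--#{BOUNDARY}--", ".", "QUIT",
].join("\r\n")

# AUTH LOGIN sends the username and password base64-encoded, not encrypted:
# anyone holding the capture recovers them, which is the exposure -A shows.
def auth_login(flow)
  lines = flow.split("\r\n")
  i = lines.index { |l| l.upcase.start_with?("AUTH LOGIN") } or return nil
  user, pass = lines[i + 1, 2].map { |l| Base64.decode64(l) }
  { username: user, password: pass }
end

# Walk the MIME parts of the DATA section and return [[filename, bytes], ...]
# for every base64-encoded part that carries a filename (what -x saves to disk).
def attachments(flow)
  data = flow.split("\r\nDATA\r\n", 2)[1].to_s.split("\r\n.\r\n", 2)[0].to_s
  boundary = data[/boundary="?([^"\r\n;]+)"?/, 1] or return []
  data.split("--#{boundary}").map do |part|
    head, body = part.split("\r\n\r\n", 2)
    name = head.to_s[/filename="?([^"\r\n;]+)"?/, 1]
    next unless name && body && head =~ /^Content-Transfer-Encoding: base64/i
    [name, Base64.decode64(body)]
  end.compact
end

# MD5 of each extracted attachment, as -m reports it.
def attachment_md5s(flow)
  attachments(flow).map { |name, bytes| [name, Digest::MD5.hexdigest(bytes)] }
end
```

Because the AUTH LOGIN exchange is only base64-encoded, the credentials are readable in any capture of a submission session that did not negotiate STARTTLS, which is why the -A output above can print them in clear.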