Friday, 21 November 2014

Packet Analysis 3 : SMTP Authentication

"This tutorial should be used for educational purposes only. I won't be responsible if you misuse these techniques and get yourself in trouble. The pcap file used in this example is from a CTF challenge."

Protocol - Simple Mail Transfer Protocol - Used for sending emails
Connection Type - TCP
Commonly Used Commands: HELO, MAIL, RCPT

So the challenge scenario is something like this.

Find the username and password of the SMTP authentication.

So to solve this challenge I will use Wireshark. First I load the pcap file in Wireshark.

In the filter bar I will write "smtp" so that it displays the packets matching the SMTP protocol only.

In SMTP the client has to authenticate before it can send any mail. After applying the filter we can see the SMTP commands and replies. We can read the details from the packet list directly, or we can follow the TCP stream starting from the packet with the "Authentication Successful" reply. So I will right-click on that packet and select "Follow TCP Stream".

We find this result:

334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6

The authentication is base64-encoded. The two "334" lines are the server's prompts: VXNlcm5hbWU6 decodes to "Username:" and UGFzc3dvcmQ6 decodes to "Password:". The client answers each prompt with a base64-encoded value, so we decode the two responses QXVkaQ== and MTIzNGFk.

QXVkaQ== base64 decoded is Audi
MTIzNGFk base64 decoded is 1234ad
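The same decoding can be done for the whole exchange at once. The following is an added example, not code from the original post: it takes the text Wireshark shows in "Follow TCP Stream" (one line per SMTP command or reply, server replies recognisable by their 3-digit codes), finds the AUTH command, decodes the 334 prompts and the client's base64 responses, and reports the recovered username and password. It goes a little beyond the post by also handling AUTH PLAIN and an initial response sent on the AUTH line itself (RFC 4954). The sample stream is constructed; only the base64 values come from the post. The hostnames and the 250/235 reply texts are assumptions.

```python
"""Decode an SMTP AUTH LOGIN / AUTH PLAIN exchange from a Follow-TCP-Stream dump.

Added example, not from the original post. Assumes the stream is the plain text
Wireshark shows in "Follow TCP Stream": one SMTP command or reply per line, with
server replies starting with a 3-digit code.
"""
import base64
import binascii
import re
from typing import Optional

# Constructed sample of the exchange described in the post; the base64 values
# are the ones from the CTF pcap, everything else is made up for illustration.
SAMPLE_STREAM = """\
220 mail.example.test ESMTP ready
EHLO client.example.test
250-mail.example.test Hello
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
QXVkaQ==
334 UGFzc3dvcmQ6
MTIzNGFk
235 2.7.0 Authentication successful
"""

# "334 <challenge>" or "250-<continuation>": code, separator, text.
SERVER_REPLY = re.compile(r"^(\d{3})[ -](.*)$")


def b64_text(token: str) -> Optional[str]:
    """Decode one base64 token to text; return None if it is not valid base64."""
    token = token.strip()
    # Tolerate missing '=' padding, which some clients omit.
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def extract_auth(stream: str) -> dict:
    """Walk the stream and recover mechanism, server prompts, credentials and outcome."""
    result = {"mechanism": None, "prompts": [], "username": None,
              "password": None, "outcome": None}
    pending = []          # client base64 responses, in order
    in_auth = False
    for line in stream.splitlines():
        line = line.rstrip("\r")
        if not line:
            continue
        m = SERVER_REPLY.match(line)
        if m:
            code, text = m.groups()
            if in_auth and code == "334":
                # Server challenge; for LOGIN it is base64 "Username:" / "Password:".
                result["prompts"].append(b64_text(text) or text)
            elif in_auth and code in ("235", "535", "501", "504"):
                result["outcome"] = line          # success or failure reply ends AUTH
                in_auth = False
            continue
        # Anything without a reply code is a client line.
        if line.upper().startswith("AUTH "):
            parts = line.split(None, 2)
            result["mechanism"] = parts[1].upper()
            in_auth = True
            if len(parts) == 3:                   # initial response on the AUTH line
                pending.append(parts[2])
        elif in_auth:
            pending.append(line)                  # response to a 334 challenge
    _assign_credentials(result, pending)
    return result


def _assign_credentials(result: dict, responses: list) -> None:
    """Map decoded client responses onto username/password per mechanism."""
    decoded = [b64_text(r) for r in responses]
    if result["mechanism"] == "LOGIN":
        # LOGIN: first response answers "Username:", second answers "Password:".
        if len(decoded) >= 1:
            result["username"] = decoded[0]
        if len(decoded) >= 2:
            result["password"] = decoded[1]
    elif result["mechanism"] == "PLAIN" and decoded and decoded[0] is not None:
        # PLAIN (RFC 4616): one blob, [authzid] NUL authcid NUL passwd.
        fields = decoded[0].split("\x00")
        if len(fields) == 3:
            result["username"], result["password"] = fields[1], fields[2]


if __name__ == "__main__":
    found = extract_auth(SAMPLE_STREAM)
    print(f"mechanism={found['mechanism']} prompts={found['prompts']}")
    print(f"username={found['username']} password={found['password']}")
    print(f"outcome={found['outcome']}")
```

Because both LOGIN and PLAIN are only base64, not encryption, anything that can see the TCP stream recovers the credentials exactly as this script does; on a real mail server that is why AUTH should only be offered after STARTTLS or on an implicit-TLS port.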