"This tutorial should be used for educational purposes only. I won't be responsible if you misuse these techniques and get yourself in trouble. The pcap file used in this example is from a CTF challenge "
Protocol - Simple Mail Transfer Protocol - Used for sending emails
Connection Type - TCP
Commonly Used Commands : HELO, MAIL, RCPT
So the challenge scenario is something like this:
Find the username and password used for the SMTP authentication.
So to solve this challenge I will use Wireshark. First I load the pcap file in Wireshark.
In the filter bar I will write "smtp" so that it displays the packets matching the SMTP protocol only.
In SMTP the client must authenticate before it can send any mail. After applying the filter we can see the details of the SMTP session. We can find the credentials by reading the packet list directly, or we can follow the TCP stream from the packet carrying "Authentication Successful". So I will right click on that packet and select "Follow TCP Stream".
We find this result:
AUTH LOGIN
334 VXNlcm5hbWU6
QXVkaQ==
334 UGFzc3dvcmQ6
MTIzNGFk
The authentication exchange is only base64 encoded, not encrypted. So we will decode the two client responses, QXVkaQ== and MTIzNGFk:
QXVkaQ== base64 decoded is Audi
MTIzNGFk base64 decoded is 1234ad
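The same decoding, done programmatically, as an added example that is not part of the original writeup: the function below walks a "Follow TCP Stream" text, pairs each server 334 challenge with the client's base64 reply, and also accepts the initial-response form AUTH LOGIN <base64 username>. The SAMPLE_STREAM text is constructed here from the exchange above; the host names in it are assumed placeholders.

```python
import base64
import re

# Constructed sample of a "Follow TCP Stream" view (server and client lines
# interleaved). Host names are placeholders; the AUTH lines match the writeup.
SAMPLE_STREAM = """\
220 mail.example.test ESMTP ready
EHLO client.example.test
250-mail.example.test
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
QXVkaQ==
334 UGFzc3dvcmQ6
MTIzNGFk
235 2.7.0 Authentication successful
"""

# Any SMTP reply line: three digits followed by a space or a '-' (multi-line reply).
_REPLY = re.compile(r"^\d{3}[ -]")


def b64_to_text(token):
    """Decode one base64 SMTP token; return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def extract_auth_login(stream_text):
    """Recover AUTH LOGIN credentials from a plaintext SMTP conversation.

    Returns {decoded prompt: decoded client answer}, e.g. {"Username:": "Audi",
    "Password:": "1234ad"}, or {} when no AUTH LOGIN exchange is present.
    """
    creds, in_auth, prompt = {}, False, None
    for line in (ln.strip() for ln in stream_text.splitlines() if ln.strip()):
        if line.upper().startswith("AUTH LOGIN"):
            in_auth = True
            parts = line.split()
            if len(parts) == 3:  # initial-response form carries the username
                creds["Username:"] = b64_to_text(parts[2])
        elif not in_auth:
            continue
        elif line.startswith("334 "):
            prompt = b64_to_text(line[4:]) or line[4:]  # e.g. "Username:"
        elif line[:3] in ("235", "535"):
            break  # authentication succeeded or failed: exchange is over
        elif prompt is not None and not _REPLY.match(line):
            creds[prompt], prompt = b64_to_text(line), None
    return creds
```

Because the decode is this easy, the presence of AUTH LOGIN on a capture that never negotiated STARTTLS is itself the finding worth alerting on.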