Kraken SMTP Decoder
Kraken SMTP Decoder parses and analyzes SMTP streams reassembled from packet captures.
Author
Forensic Example
- Forensic puzzle from http://forensicscontest.com/2009/10/10/puzzle-2-ann-skips-bail
- Check out http://krakenapps.org/svn/examples/smtp-forensic-puzzle/
- Run the analyzer in Eclipse and you will see the extracted secretrendezvous.docx attachment file.
- Writing a dump analyzer and/or extractor for network forensics in this way is straightforward.
Source
import java.io.File;
import java.io.IOException;

import javax.mail.BodyPart;
import javax.mail.MessagingException;
import javax.mail.internet.MimeMessage;
import javax.mail.internet.MimeMultipart;

// PcapFileRunner, Protocol, SmtpDecoder, SmtpProcessor, SmtpData, MimeHeader and
// FileExtractor are Kraken classes; take their import lines from the example
// project checked out above.

public class SmtpDumpAnalyzer {
    // Name of the attachment to carve out of the SMTP stream.
    private static final String SECRET_FILE = "secretrendezvous.docx";

    public static void main(String[] args) throws IOException {
        new SmtpDumpAnalyzer().run();
    }

    public void run() throws IOException {
        // Replay the capture file through the decoder stack.
        PcapFileRunner runner = new PcapFileRunner(new File("evidence02.pcap"));
        SmtpDecoder smtp = new SmtpDecoder();
        smtp.register(new SmtpProcessor() {
            @Override
            public void onCommand(String command, String parameter) {
                // Client side of the dialogue (EHLO, AUTH, MAIL FROM, ...).
                System.out.println(command + " " + parameter);
            }

            @Override
            public void onReply(int code, String message) {
                // Server side of the dialogue (220, 250, 354, ...).
                System.out.println(code + " " + message);
            }

            @Override
            public void onSend(MimeHeader header, SmtpData data) {
                // Called once a complete DATA block has been reassembled.
                BodyPart docx = getSecretDocStream(data.getMimeMessage());
                if (docx == null)
                    return;
                try {
                    FileExtractor.extract(new File(SECRET_FILE), docx.getInputStream());
                    System.out.println(SECRET_FILE + " is extracted.");
                } catch (IOException e) {
                    e.printStackTrace();
                } catch (MessagingException e) {
                    e.printStackTrace();
                }
            }
        });
        runner.setTcpProcessor(Protocol.SMTP, smtp);
        runner.run();
    }

    // Find the MIME body part whose Content-Type names the wanted attachment.
    private BodyPart getSecretDocStream(MimeMessage message) {
        try {
            MimeMultipart part = (MimeMultipart) message.getContent();
            for (int i = 0; i < part.getCount(); i++) {
                BodyPart bodyPart = part.getBodyPart(i);
                String contentType = bodyPart.getContentType();
                if (contentType.contains(SECRET_FILE))
                    return bodyPart;
            }
        } catch (IOException e) {
            e.printStackTrace();
        } catch (MessagingException e) {
            e.printStackTrace();
        }
        return null;
    }
}
Output
220 cia-mc06.mx.aol.com ESMTP mail_cia-mc06.1; Sat, 10 Oct 2009 15:35:16 -0400
EHLO annlaptop
250 cia-mc06.mx.aol.com host-69-140-19-190.static.comcast.net
250 AUTH=LOGIN PLAIN XAOL-UAS-MB
250 AUTH LOGIN PLAIN XAOL-UAS-MB
250 STARTTLS
250 CHUNKING
250 BINARYMIME
250 X-AOL-FWD-BY-REF
250 X-AOL-DIV_TAG
250 X-AOL-OUTBOX-COPY
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL
MAIL FROM: <sneakyg33k@aol.com>
250 OK
RCPT TO: <sec558@gmail.com>
250 OK
DATA
354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
250 OK
QUIT
221 SERVICE CLOSING CHANNEL
220 cia-mc07.mx.aol.com ESMTP mail_cia-mc07.1; Sat, 10 Oct 2009 15:37:56 -0400
EHLO annlaptop
250 cia-mc07.mx.aol.com host-69-140-19-190.static.comcast.net
250 AUTH=LOGIN PLAIN XAOL-UAS-MB
250 AUTH LOGIN PLAIN XAOL-UAS-MB
250 STARTTLS
250 CHUNKING
250 BINARYMIME
250 X-AOL-FWD-BY-REF
250 X-AOL-DIV_TAG
250 X-AOL-OUTBOX-COPY
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL
MAIL FROM: <sneakyg33k@aol.com>
250 OK
RCPT TO: <mistersecretx@aol.com>
250 OK
DATA
354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
secretrendezvous.docx is extracted.
250 OK
QUIT
221 SERVICE CLOSING CHANNEL
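The same workflow as the Java analyzer above, written in Python as an added example (this is not Kraken code and does not use the Kraken API): a parser for an SMTP session transcript that separates client commands from server replies, reassembles the DATA block (undoing dot-stuffing), parses it with the standard library's email package and returns every part that carries a filename. It also records whether AUTH was issued on a connection with no STARTTLS before it, which is the condition under which the base64 AUTH LOGIN exchange in the output above is readable by anyone on the path. The "C:"/"S:" direction prefixes, the sample transcript, the addresses, the credentials and the attachment bytes are all constructed for this example.

```python
from dataclasses import dataclass, field
from email import policy
from email.parser import BytesParser

# Constructed sample transcript; the "C:"/"S:" direction prefixes are an
# assumption of this example (the Kraken decoder hands commands and replies
# to separate callbacks instead). Addresses and credentials are invented, and
# the attachment is just a ZIP local-file header, which is how a .docx starts.
SAMPLE_SESSION = """\
S: 220 mail.example.test ESMTP ready
C: EHLO annlaptop
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: dXNlckBleGFtcGxlLnRlc3Q=
S: 334 UGFzc3dvcmQ6
C: c2VjcmV0
S: 235 AUTHENTICATION SUCCESSFUL
C: MAIL FROM: <sender@example.test>
S: 250 OK
C: RCPT TO: <rcpt@example.test>
S: 250 OK
C: DATA
S: 354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
C: From: sender@example.test
C: Subject: meeting
C: MIME-Version: 1.0
C: Content-Type: multipart/mixed; boundary="XYZ"
C:
C: --XYZ
C: Content-Type: text/plain
C:
C: ..see attachment
C: --XYZ
C: Content-Type: application/octet-stream; name="secretrendezvous.docx"
C: Content-Transfer-Encoding: base64
C: Content-Disposition: attachment; filename="secretrendezvous.docx"
C:
C: UEsDBBQAAAAIAA==
C: --XYZ--
C: .
S: 250 OK
C: QUIT
S: 221 SERVICE CLOSING CHANNEL
"""


@dataclass
class SmtpSession:
    commands: list = field(default_factory=list)  # (verb, parameter) from the client
    replies: list = field(default_factory=list)   # (code, text) from the server
    messages: list = field(default_factory=list)  # raw RFC 5322 bytes, one per DATA
    cleartext_auth: bool = False                  # AUTH seen with no STARTTLS before it


def parse_session(transcript: str) -> SmtpSession:
    s, body = SmtpSession(), []
    in_data = awaiting_auth = tls_up = False
    last_verb = None
    for raw in transcript.splitlines():
        side, text = raw[:2], raw[3:]
        if side == "C:" and in_data:
            if text == ".":                           # end-of-data marker
                s.messages.append("\r\n".join(body).encode() + b"\r\n")
                body, in_data = [], False
            else:                                     # undo dot-stuffing (RFC 5321 4.5.2)
                body.append(text[1:] if text.startswith("..") else text)
        elif side == "C:" and awaiting_auth:          # base64 answer to a 334 challenge
            s.commands.append(("<auth-data>", text))
            awaiting_auth = False
        elif side == "C:":
            verb, _, param = text.partition(" ")
            last_verb = verb.upper()
            s.commands.append((last_verb, param))
            if last_verb == "AUTH" and not tls_up:
                s.cleartext_auth = True
        elif side == "S:":
            code = text[:3]
            s.replies.append((int(code), text[4:]))
            in_data = in_data or (code == "354" and last_verb == "DATA")
            awaiting_auth = code == "334"
            tls_up = tls_up or (code == "220" and last_verb == "STARTTLS")
    return s


def extract_attachments(raw_message: bytes) -> dict:
    """{filename: decoded bytes} for every leaf part that carries a filename."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    found = {}
    for part in msg.walk():
        name = None if part.is_multipart() else part.get_filename()
        if name:
            found[name] = part.get_payload(decode=True)  # undoes base64/QP
    return found


def analyze(transcript: str) -> dict:
    s = parse_session(transcript)
    attachments = {}
    for raw in s.messages:
        attachments.update(extract_attachments(raw))
    return {"commands": [v for v, _ in s.commands],
            "reply_codes": [c for c, _ in s.replies],
            "cleartext_auth": s.cleartext_auth,
            "attachments": attachments}
```

Compared with the Java code, the filename check uses get_filename(), which consults Content-Disposition before the Content-Type name= parameter, so it also finds attachments whose Content-Type carries no name. In a real capture everything after a successful STARTTLS is encrypted, so the cleartext_auth flag can only ever fire on sessions the decoder can read, which is exactly the case a forensic analyst or a detection rule cares about.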
Release History
- 1.1.0 (unstable)
