Name: Serge Gorbunov

Description:

The basic idea behind the solution was to write a program to parse SMTP streams. While there are a lot of old languages that are able to do the job just fine, some younger ones are making their way through. Python is a great language that was chosen for this project for a few reasons:

1) It has a few nice packages able to elegantly process networking data (I used the scapy collection of classes)
2) It's object-oriented
3) and a scripting language at the same time
4) It's platform independent and can easily be compiled to a Windows executable

So, I decided to write an OO tool in Python and called it "smtpParser". The tool is completely modular and flexible, with a few nice options available to users. The classes and methods are completely independent of this contest and can easily be used by other modules/programs.

There are 3 main classes that were designed:

- streamExtractor: This class is able to extract ANY data stream from a pcap file based on the port number. It takes an input file and a port number as parameters and returns a two-dimensional array of the streams extracted for the given port. Every stream is a collection of scapy packet objects that can be used for whatever processing is needed.

- smtpParser: This is the main class that provides methods for extracting SMTP data from the scapy packet objects. It is able to pull out general mail information, such as login ids, passwords, TO and FROM addresses, etc. It stores all this (and much more) information in a summary file for the SMTP stream, and also extracts any attachments from it, recording the checksum of every attachment in the summary file. Finally, if desired by the user, it is capable of extracting any media content from docx files, storing it separately and appending its checksums to the summary file. Attachment and image extraction are optional for the user and are enabled through the -a and -i options.
- smtp: This is a simple class that is used to store basic SMTP information in an object, including the actual attachments in binary form. It can easily be passed around, processed or serialized for later use.

Every class is stored in a separate source file.

To add flexibility to the tool, some simple options were added:

-f (--file)         Mandatory option followed by the pcap input file name

[Options]
-h (--help)         Print the help page
-d (--destanation)  Destination path for output streams
-p (--port)         SMTP destination port number (default is 587)
-a (--attachments)  Extract attachments from the emails
-i (--images)       Extract images from any docx files

So, in order to find all the answers, we can run the tool with the following options:

"./smtpParser.py -f evidence02.pcap -d /tmp -a -i"

This will dump all SMTP streams found on the default destination port 587 into separate directories, extract any attachments found and store them under their corresponding file names, and extract the media content from any docx files. The program produces two stream directories:

stream0
stream1

and prints the following to stdout:

2 streams extracted from the file on port 587
Storing stream #0: srcIP = 192.168.1.159; dstIP = 64.12.102.142 into /tmp/stream0
Successfully stored stream #0
Storing stream #1: srcIP = 192.168.1.159; dstIP = 64.12.102.142 into /tmp/stream1
Successfully stored stream #1

By simply going through the general mail info for stream0, we see that it is not the mail that we are looking for. stream1 turns out to be the one.
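To show what the smtpParser and smtp classes have to do once a stream has been pulled out of the pcap, here is an added example written for this edit, not the tool's own source: a standard-library parser for the client-to-server half of an SMTP submission session. It assumes the stream has already been reassembled (the job streamExtractor does with scapy) and is handed over as one byte string; it walks the dialogue, decodes AUTH LOGIN (and, going a little beyond the writeup, AUTH PLAIN) credentials, records MAIL FROM / RCPT TO, un-dot-stuffs the DATA section, and hands the message to the email package to list attachments with their MD5 sums. The session, client id, addresses, credentials and attachment are all constructed values, and the function names are this example's own.

```python
"""Client-side SMTP stream parser: recovers the fields the writeup's summary lists
(client id, AUTH credentials, MAIL FROM, RCPT TO, message text, attachment MD5s)."""
import base64
import binascii
import hashlib
from email import message_from_bytes
from email.policy import default

ATTACHMENT_BYTES = b"secret meeting notes\n"  # constructed attachment content


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _b64_text(token: bytes) -> str:
    """AUTH replies are base64; keep the raw token if it does not decode."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return token.decode("utf-8", "replace")


def _addr(line: bytes) -> str:
    """'MAIL FROM:<a@b>' / 'RCPT TO:<c@d>' -> the bare address."""
    text = line.split(b":", 1)[1].strip()
    if b"<" in text and b">" in text:
        text = text[text.index(b"<") + 1:text.index(b">")]
    return text.decode("utf-8", "replace")


def parse_smtp_stream(stream: bytes) -> dict:
    summary = {"client_id": None, "username": None, "password": None, "mail_from": None,
               "rcpt_to": [], "message_text": None, "attachments": {}}
    lines = stream.split(b"\r\n")
    body, in_data, i = [], False, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if in_data:
            if line == b".":
                in_data = False  # end of DATA
            else:  # undo dot-stuffing: "..x" on the wire means ".x"
                body.append(line[1:] if line.startswith(b"..") else line)
            continue
        upper = line.upper()
        if upper.startswith((b"EHLO ", b"HELO ")):
            summary["client_id"] = line[5:].strip().decode("utf-8", "replace")
        elif upper.startswith((b"AUTH LOGIN", b"AUTH PLAIN")):
            # The credential token is either inline ("AUTH LOGIN <b64>") or on the
            # next line; the server's 334 challenges travel the other way.
            token = line[10:].strip()
            if not token and i < len(lines):
                token = lines[i]
                i += 1
            if upper.startswith(b"AUTH PLAIN"):  # base64("authzid\0user\0pass")
                fields = _b64_text(token).split("\0")
                if len(fields) == 3:
                    summary["username"], summary["password"] = fields[1:]
            else:  # AUTH LOGIN: username token, then the password on its own line
                summary["username"] = _b64_text(token)
                summary["password"] = _b64_text(lines[i] if i < len(lines) else b"")
                i += 1
        elif upper.startswith(b"MAIL FROM:"):
            summary["mail_from"] = _addr(line)
        elif upper.startswith(b"RCPT TO:"):
            summary["rcpt_to"].append(_addr(line))
        elif upper == b"DATA":
            in_data = True
    if body:
        msg = message_from_bytes(b"\r\n".join(body), policy=default)
        text = msg.get_body(preferencelist=("plain",))
        summary["message_text"] = text.get_content() if text is not None else None
        for part in msg.iter_attachments():
            data = part.get_payload(decode=True) or b""
            summary["attachments"][part.get_filename() or "unnamed"] = md5_hex(data)
    return summary


def build_sample_stream() -> bytes:
    """Constructed client half of a port-587 session; every value is made up."""
    message = [
        b"Subject: notes", b'Content-Type: multipart/mixed; boundary="XYZ"', b"",
        b"--XYZ", b"Content-Type: text/plain", b"", b"Hi there. Details attached.",
        b"--XYZ", b'Content-Type: application/octet-stream; name="notes.txt"',
        b"Content-Transfer-Encoding: base64",
        b'Content-Disposition: attachment; filename="notes.txt"', b"",
        base64.b64encode(ATTACHMENT_BYTES), b"--XYZ--",
    ]
    session = [b"EHLO labhost", b"AUTH LOGIN", base64.b64encode(b"user@example.com"),
               base64.b64encode(b"Passw0rd!"), b"MAIL FROM:<user@example.com>",
               b"RCPT TO:<friend@example.net>", b"DATA", *message, b".", b"QUIT"]
    return b"\r\n".join(session) + b"\r\n"


if __name__ == "__main__":
    for key, value in parse_smtp_stream(build_sample_stream()).items():
        print(f"{key}: {value}")
```

Only the client direction is needed for every field in the summary, which is why the server's 334 challenges and 250 replies are not part of the input; if a capture is reassembled with both directions interleaved, drop the server lines (they start with a three-digit code) before feeding it in. Hashing the decoded payload rather than the base64 text is what makes the MD5 match the file as it would be written to disk.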
Here's the general mail information stored in the /tmp/stream1/streamSummary.txt file:

###___General_Mail_Info___###
Source IP: 192.168.1.159
Destanation IP: 64.12.102.142
Client ID: annlaptop
Source port: 1038
Destanation Post: 587
Username: sneakyg33k@aol.com
Password: 558r00lz
Mail From:
Mail To:
Attachment checksum found in the mail:
secretrendezvous.docx 9e423e11db88f01bbff81172839e1923
Media checksums found in the attachment:
image1.png aadeace50997b1ba24b09ac2ef1940b7
...

Followed by the actual mail data...

Right away we see the most valuable information about the email stream, such as the username, password, TO/FROM emails, source port, IPs, etc. Since we ran the tool with the -a option, it extracted any attachments from the streams. We can see that the stream had one attachment, secretrendezvous.docx, and its checksum, and we also get a copy of the actual attachment in the /tmp/stream1 directory. We also ran the tool with the -i option, asking it to extract any media content from the docx attachments. There was only one media item in secretrendezvous.docx, named image1.png. We can see its checksum in the summary file as well as the actual image in the /tmp/stream1 directory.

By scrolling down a little in the stream summary file we can see the actual message:

Hi sweetheart! Bring your fake passport and a bathing suit. Address = attached. love, Ann

Now we have all the information needed to answer our questions:

1. What is Ann’s email address? sneakyg33k@aol.com
2. What is Ann’s email password? 558r00lz
3. What is Ann’s secret lover’s email address? mistersecretx@aol.com
4. What two items did Ann tell her secret lover to bring? fake passport and a bathing suit
5. What is the NAME of the attachment Ann sent to her secret lover? secretrendezvous.docx
6. What is the MD5sum of the attachment Ann sent to her secret lover? 9e423e11db88f01bbff81172839e1923
7. In what CITY and COUNTRY is their rendez-vous point? Playa del Carmen, Mexico
8. What is the MD5sum of the image embedded in the document? aadeace50997b1ba24b09ac2ef1940b7

Please note that the tool requires the scapy collection of classes to be installed on the system. Download: http://www.secdev.org/projects/scapy/

The full source code of the program will also be available on my blog on November 23rd. (There are 3 source files)
http://gserge.com/smtpParser/smtpParser.py
http://gserge.com/smtpParser/smtp.py
http://gserge.com/smtpParser/streamExtractor.py

It has only been tested on Linux for now. I will probably test it on other platforms later.

Enjoy...
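As an added example of the docx media extraction behind the -i option (illustration code written for this edit, not the tool's own smtpParser.py): a .docx is a zip archive and embedded pictures sit under word/media/, so the standard library's zipfile module is enough to list them, hash them and write them out next to the summary. The sample document is a constructed zip with a fake PNG, and the function names and the basename-only output rule are this example's choices.

```python
"""Extract the media embedded in a .docx attachment and record an MD5 sum for
each item, as the writeup's -i option does, using only the standard library."""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

# Constructed stand-in for an embedded picture: PNG signature plus filler, not a real image
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(range(32))


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_sample_docx() -> bytes:
    """Constructed document: the zip layout Word uses, with one media part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", SAMPLE_IMAGE)
    return buf.getvalue()


def is_docx(data: bytes) -> bool:
    """True when the bytes are a zip archive carrying a word/document.xml part."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return "word/document.xml" in z.namelist()


def extract_docx_media(docx_bytes: bytes) -> dict:
    """Return {basename: bytes} for every file under word/media/."""
    if not is_docx(docx_bytes):
        raise ValueError("attachment is not a .docx (no zip with word/document.xml)")
    media = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or not info.filename.startswith("word/media/"):
                continue
            # Keep only the basename: a crafted entry such as "word/media/../../x"
            # must not be able to escape the output directory when written out.
            media[Path(info.filename).name] = z.read(info)
    return media


def media_checksums(docx_bytes: bytes) -> dict:
    """{basename: md5hex}, i.e. the lines under 'Media checksums found in the attachment'."""
    return {name: md5_hex(data) for name, data in extract_docx_media(docx_bytes).items()}


def write_media(docx_bytes: bytes, outdir: str) -> list:
    """Store each media item in outdir and return 'name md5' summary lines."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    lines = []
    for name, data in extract_docx_media(docx_bytes).items():
        (out / name).write_bytes(data)
        lines.append(f"{name} {md5_hex(data)}")
    return lines


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for line in write_media(build_sample_docx(), tmp):
            print(line)
```

Checking for word/document.xml before trusting the .docx extension matters in evidence handling, since an attachment's name is chosen by the sender; hashing each media part from the archive bytes gives the same MD5 that md5sum would report for the file once written out.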