This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi.

So I'm currently trying to dig into Wireshark, and I'm now testing if it's possible to get email content out of a phishing program (e.g. message sent, stored passwords inside the program, receiver). I've found the stream and confirmed that it's sending the mails to an unknown Gmail address. When I try to "follow tcp stream" I just get a bunch of, what seems to be, encoded characters. So no real content. I'm wondering if the email is automatically encrypted and that the information is impossible to read from it.

However, I've got a feeling it should be possible somehow, since it's doing everything from my machine.

Any idea and/or tips on how to proceed?

Best regards,

Wireshark newbie

asked 19 Aug '13, 17:12

Whaleshark


Not knowing the details of what you have found out so far, I'm just guessing. If, as seems likely, your "bot" is sending to an address using public key encryption, you won't be able to decode the traffic on the wire, short of dumping the bot's memory and looking for keys. (All of the network traffic will be encrypted by the server's public key, and the subsequent session keys, so unless you have the server's private key, you can't decode traffic just from the wire.)

Your only other hope is if your bot hunts out and would trust an SSL proxy (if that is what it uses for its encrypted traffic). If so, you could deploy a proxy that you have the private key for, and if the bot connects through that, you could decode the traffic.

There are a lot of ifs there, and probably a lot of work.


answered 19 Aug '13, 21:51

martyvis

When I try to "follow tcp stream" I just get a bunch of, what seems to be, encoded characters. So no real content.

If the TCP connection was an SMTP connection (port 25 or 465), it could have been encrypted with transport layer encryption (SSL/TLS).

So, was that an SMTP connection over port 25 or 465? If port 25, did you see the string STARTTLS at the beginning of the TCP connection?

I'm wondering if the email is automatically encrypted and that the information is impossible to read from it.

It won't be automatically encrypted, but if this is a trojan, chances are good that they use their own encryption scheme to hide their tracks.

Regards
Kurt


answered 20 Aug '13, 01:31

Kurt Knochner
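The checks Kurt describes (SMTP banner, port 25 STARTTLS versus TLS from the first byte, and whether what follows is merely encoded rather than encrypted) can be run over the reassembled stream bytes directly. The following is an added example, not code from the original thread or from the Wireshark project; it assumes you export each direction of "Follow TCP Stream" separately, and the two sample sessions at the bottom are constructed for illustration, not taken from a real capture.

```python
"""Triage a reassembled SMTP session (the bytes Wireshark's "Follow TCP Stream"
shows, exported one direction at a time) and tell "encoded" apart from "encrypted".
Added example; the sample sessions below are constructed, not from a real capture."""
import base64
import re
from email import message_from_bytes


def is_tls_handshake(data: bytes) -> bool:
    """A TLS record starts with content type 0x16 (handshake) and a 0x03 0x0N
    record-layer version; the first thing a TLS client sends is such a record
    (the ClientHello), whether on port 465 or right after STARTTLS on port 25."""
    return len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def triage_smtp_stream(client_to_server: bytes, server_to_client: bytes) -> dict:
    """Classify the session and pull out whatever is recoverable in cleartext."""
    result = {"kind": "unknown", "auth": None, "mail_from": None,
              "rcpt_to": [], "subject": None, "body": None}
    if is_tls_handshake(client_to_server):
        # Implicit TLS (SMTPS, usually port 465): nothing readable on the wire.
        result["kind"] = "tls-from-first-byte"
        return result
    if not server_to_client.startswith(b"220"):
        # No SMTP greeting at all: not SMTP, perhaps the bot's own scheme.
        return result
    m = re.search(rb"^STARTTLS\r\n", client_to_server, re.I | re.M)
    if m and is_tls_handshake(client_to_server[m.end():]):
        # Only EHLO/STARTTLS are in the clear; envelope, AUTH and body are inside TLS.
        result["kind"] = "starttls-upgraded"
        return result

    result["kind"] = "plaintext-smtp"
    lines = client_to_server.split(b"\r\n")
    for i, line in enumerate(lines):
        upper = line.upper()
        if upper.startswith(b"AUTH PLAIN "):
            # AUTH PLAIN carries base64("[authzid]\0user\0password"): encoded, not encrypted.
            fields = base64.b64decode(line.split(b" ", 2)[2]).split(b"\0")
            result["auth"] = (fields[-2].decode(), fields[-1].decode())
        elif upper == b"AUTH LOGIN" and i + 2 < len(lines):
            # AUTH LOGIN: the next two client lines are the base64 username and password.
            result["auth"] = (base64.b64decode(lines[i + 1]).decode(),
                              base64.b64decode(lines[i + 2]).decode())
        elif upper.startswith(b"MAIL FROM:"):
            mf = re.search(rb"<([^>]*)>", line)
            result["mail_from"] = mf.group(1).decode() if mf else None
        elif upper.startswith(b"RCPT TO:"):
            rt = re.search(rb"<([^>]*)>", line)
            if rt:
                result["rcpt_to"].append(rt.group(1).decode())
        elif upper == b"DATA":
            # The message runs from the line after DATA up to the lone "." line.
            raw = b"\r\n".join(lines[i + 1:])
            end = raw.find(b"\r\n.\r\n")
            msg = message_from_bytes(raw if end < 0 else raw[:end])
            result["subject"] = msg["Subject"]
            # get_payload(decode=True) undoes base64 / quoted-printable transfer encoding,
            # which is what usually makes a mail body look like "encoded characters".
            part = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), msg)
            body = part.get_payload(decode=True)
            if body is not None:
                result["body"] = body.decode(part.get_content_charset() or "utf-8", "replace")
            break
    return result


def _b64(raw: bytes) -> bytes:
    return base64.b64encode(raw)


# Constructed sample: a bot logging in with AUTH PLAIN and sending a base64-encoded body.
SAMPLE_SERVER = (b"220 mail.example.com ESMTP\r\n250-mail.example.com\r\n250 AUTH PLAIN LOGIN\r\n"
                 b"235 2.7.0 Authentication successful\r\n250 2.1.0 Ok\r\n250 2.1.5 Ok\r\n"
                 b"354 End data with <CR><LF>.<CR><LF>\r\n250 2.0.0 Ok: queued\r\n221 2.0.0 Bye\r\n")
SAMPLE_CLIENT = (b"EHLO victim-pc\r\n"
                 b"AUTH PLAIN " + _b64(b"\0bot@example.com\0s3cret") + b"\r\n"
                 b"MAIL FROM:<bot@example.com>\r\n"
                 b"RCPT TO:<dropbox@example.net>\r\n"
                 b"DATA\r\n"
                 b"From: bot@example.com\r\nTo: dropbox@example.net\r\nSubject: report\r\n"
                 b"Content-Type: text/plain; charset=utf-8\r\nContent-Transfer-Encoding: base64\r\n\r\n"
                 + _b64(b"Stolen: user=alice pass=hunter2\n") + b"\r\n"
                 b".\r\nQUIT\r\n")

# Constructed sample: same bot, but the server offers STARTTLS and the client upgrades.
STARTTLS_SERVER = (b"220 mail.example.com ESMTP\r\n250-mail.example.com\r\n250 STARTTLS\r\n"
                   b"220 2.0.0 Ready to start TLS\r\n")
STARTTLS_CLIENT = b"EHLO victim-pc\r\nSTARTTLS\r\n" + b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for name, c, s in [("plain", SAMPLE_CLIENT, SAMPLE_SERVER),
                       ("starttls", STARTTLS_CLIENT, STARTTLS_SERVER)]:
        print(name, triage_smtp_stream(c, s))
```

If the result is "starttls-upgraded" or "tls-from-first-byte", the stream really is encrypted and only the server's private key, a key dumped from the bot's memory, or a proxy the bot trusts will help; if it is "plaintext-smtp", the base64 that looked like gibberish in Follow TCP Stream decodes to the message and, for AUTH PLAIN/LOGIN, to the credentials; "unknown" with no 220 banner points at a custom protocol or the bot's own encryption.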


question was seen: 2,441 times

last updated: 20 Aug '13, 01:31
