Hi. So I'm currently trying to dig into Wireshark, and I'm now testing if it's possible to get email content out of a phishing program (e.g. message sent, stored passwords inside the program, receiver). I've found the stream and confirmed that it's sending the mails to an unknown Gmail address. When I try to "follow TCP stream" I just get a bunch of, what seems to be, encoded characters. So no real content. I'm wondering if the email is automatically encrypted and that the information is impossible to read from it. However, I got a feeling it should be possible somehow, since it's doing everything from my machine. Any idea and/or tips on how to proceed?

Best regards,
Wireshark newbie

asked 19 Aug '13, 17:12
Whaleshark
2 Answers:
Not knowing the details of what you have found out so far, I'm just guessing. If your "bot" is probably sending to an address using public key encryption, you won't be able to decode the traffic on the wire, short of dumping the bot's memory and looking for keys. (All of the network traffic will be encrypted by the server's public key, and the subsequent session keys, so unless you have the server's private key, you can't decode traffic just from the wire.) Your only other hope is if your bot hunts out and would trust an SSL proxy (if that is what it uses for its encrypted traffic). If so, you could deploy a proxy that you have the private key for, and if the bot connects through that, you could decode the traffic. There are a lot of ifs there, and probably a lot of work.

answered 19 Aug '13, 21:51
martyvis
If the TCP connection was an SMTP connection (port 25 or 465), it could have been encrypted with transport layer encryption (SSL/TLS). So, was that an SMTP connection over port 25 or 465? If port 25, did you see the string STARTTLS at the beginning of the TCP connection?

It won't be automatically encrypted, but if this is a trojan, chances are good that they use their own encryption scheme to hide their tracks.

Regards

answered 20 Aug '13, 01:31
Kurt Knochner
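The check Kurt describes (port 25 with a STARTTLS upgrade, or implicit TLS on 465) can be automated on the bytes of a "Follow TCP Stream" dump. The script below is an added example, not code from either answerer or from Wireshark: it takes the raw stream bytes and the server port, reports whether the session was upgraded to TLS, whether the "encoded characters" are simply a base64 MIME body (decodable, not encrypted), or whether the payload is opaque high-entropy data with no TLS negotiation in sight (the case where a custom scheme would be suspected). Every sample stream is constructed, and the ciphertext stand-in is a SHA-256 chain rather than real TLS records.

```python
"""Classify a captured SMTP stream: readable, base64-encoded MIME, or TLS.

Added example, not code from the original Q&A. Input is the raw bytes of a
"Follow TCP Stream" dump plus the server port; all sample streams here are
constructed, and the ciphertext stand-in is a SHA-256 chain, not real TLS.
"""
import base64
import binascii
import hashlib
import math
import re

# A line that is nothing but base64 alphabet (as in a MIME body or a
# Content-Transfer-Encoding: base64 part), at least 16 chars long.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, well under 7 for text/base64."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_base64_body(lines):
    """Concatenate base64-looking lines (e.g. a MIME body) and decode them."""
    chunk = "".join(l.strip() for l in lines if B64_LINE.match(l.strip()))
    if not chunk:
        return None
    try:
        return base64.b64decode(chunk, validate=True)
    except binascii.Error:
        return None


def classify_smtp_stream(stream: bytes, server_port: int) -> dict:
    """Return kind, whether STARTTLS was accepted, decoded body (if any), entropy."""
    if server_port == 465:
        # Implicit TLS: the handshake starts immediately, nothing is readable.
        return {"kind": "implicit-tls", "starttls": False,
                "decoded_body": None, "entropy": shannon_entropy(stream)}
    text = stream.decode("latin-1")          # lossless 1:1 byte mapping
    lines = text.split("\r\n")
    # Client STARTTLS followed by a server 220 means everything after is TLS.
    for i, line in enumerate(lines):
        if line.upper().startswith("STARTTLS"):
            if i + 1 < len(lines) and lines[i + 1].startswith("220"):
                after = "\r\n".join(lines[i + 2:]).encode("latin-1")
                return {"kind": "starttls-tls", "starttls": True,
                        "decoded_body": None, "entropy": shannon_entropy(after)}
    body = decode_base64_body(lines)
    if body is not None:
        return {"kind": "plaintext-base64-mime", "starttls": False,
                "decoded_body": body, "entropy": shannon_entropy(stream)}
    ent = shannon_entropy(stream)
    if ent > 7.0:
        # No TLS negotiation seen, yet the bytes look random: custom encryption
        # or compression is the likely explanation.
        return {"kind": "opaque-high-entropy", "starttls": False,
                "decoded_body": None, "entropy": ent}
    return {"kind": "plaintext", "starttls": False, "decoded_body": None, "entropy": ent}


def fake_ciphertext(n_blocks: int = 64) -> bytes:
    """Deterministic high-entropy bytes standing in for TLS records (constructed)."""
    return b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(n_blocks))


# --- constructed sample streams -------------------------------------------
SAMPLE_BODY = b"constructed report: account=alice, secret=<redacted>"
_B64 = base64.b64encode(SAMPLE_BODY).decode()
_B64_LINES = "\r\n".join(_B64[i:i + 76] for i in range(0, len(_B64), 76))

PLAINTEXT_STREAM = (
    "220 mail.example.test ESMTP\r\nEHLO infected-host\r\n250 mail.example.test\r\n"
    "MAIL FROM:<bot@example.test>\r\n250 OK\r\nRCPT TO:<dropbox@example.test>\r\n"
    "250 OK\r\nDATA\r\n354 End data with <CR><LF>.<CR><LF>\r\nSubject: report\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n" + _B64_LINES +
    "\r\n.\r\n250 OK queued\r\nQUIT\r\n"
).encode()

STARTTLS_STREAM = (
    "220 mail.example.test ESMTP\r\nEHLO infected-host\r\n250-mail.example.test\r\n"
    "250 STARTTLS\r\nSTARTTLS\r\n220 Ready to start TLS\r\n"
).encode() + fake_ciphertext()

OPAQUE_STREAM = fake_ciphertext()

if __name__ == "__main__":
    samples = {"plaintext": (PLAINTEXT_STREAM, 25), "starttls": (STARTTLS_STREAM, 25),
               "opaque": (OPAQUE_STREAM, 25), "smtps": (STARTTLS_STREAM, 465)}
    for name, (data, port) in samples.items():
        r = classify_smtp_stream(data, port)
        print(f"{name:10s} {r['kind']:22s} entropy={r['entropy']:.2f} body={r['decoded_body']}")
```

To use it on a real capture, export the stream from Wireshark's "Follow TCP Stream" dialog as raw bytes and pass the file contents together with the server port. A "plaintext-base64-mime" result means the content was never encrypted and simply needs decoding; "starttls-tls" or "implicit-tls" means only the bytes before the upgrade (EHLO, the server banner, possibly MAIL FROM/RCPT TO if sent before STARTTLS) are readable from the wire.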