This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract an attachment from a sniffed SMTP session

0

While going through an Intrusion Analysis course I have encountered a demo on how to use Wireshark to extract an attachment from a sniffed SMTP session. For some reason even though I follow the process indicated in the lecture, which appears more than reasonable to me, I always end up with the creation of a corrupted attachment (PDF). Please refer to the below packet capture

https://www.dropbox.com/s/y8s0zl3fvrcoict/carve-smtp.pcap?dl=0

The process described in the lecture boils down to 5 points

1) Use Analyze > Follow TCP Stream to see the conversation

2) Save the whole conversation in raw format (the attachment is obviously inside, base64 encoded). Let’s call it carve.raw

3) Carve out everything apart from the base64 encoding

4) Remove the ^M characters in the file (result of different line endings used in Windows and Linux) and save it. It can be done quickly in vi with

:%s/^M//g

5) Use base64 to decode the encoded attachment in this way

base64 -d carve.raw > attached.pdf

(it is said that the attachment is a PDF)

Point 5 is where I immediately understand that something is wrong as the output I get is

base64: invalid input

Nevertheless, the attachment file is created and, when I try to open it, I receive the information that the file is corrupted.

Does anybody know what I am missing?

P.S: Even though I would like to keep this exercise “low-level” (as manual as possible), I have tried to extract the file with Foremost as well and it failed to identify anything.

asked 02 May '17, 10:24

squalodelfilo
accept rate: 0%

edited 02 May '17, 12:38


One Answer:

0

The steps described are ok. However, a possible bug may be playing tricks on you.

After "Follow TCP Stream" I switched the view to one flow direction => '10.10.10.10:34573 -> 10.10.10.25:25' and saved this content as ASCII to file (carve.b64).

When opening this file in an editor the content is duplicated, the first one with ^M, the second one without it. This looks like a Wireshark bug to me.

After removing everything before and after the second base64 part and saving it, I can run base64 -d without any problem.

I get a PDF file showing the dos2unix manpage.

answered 02 May '17, 12:21

Uli
accept rate: 29%

Thank you! I had overlooked that second part. I managed to decode it successfully.

(02 May '17, 13:53) squalodelfilo
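Worked example, added here and not part of the question or the answer: a Python script that carries out steps 3 to 5 of the procedure on a stream dump, reproduces the "base64: invalid input" failure when the whole dump (SMTP commands, headers, boundaries) is fed to the decoder instead of only the base64 part, and checks that the carved bytes start with the PDF signature. The SMTP exchange, the MIME boundary "XYZ" and the placeholder PDF bytes are constructed for the example; the real capture is not used.

```python
import base64
import binascii
import re

# Constructed sample of what "Follow TCP Stream" (client -> server direction)
# saved as raw might contain. The "PDF" is a placeholder, not a real document.
PDF_PAYLOAD = b"%PDF-1.4\n% constructed placeholder, not a real PDF\n%%EOF\n"


def build_sample_stream() -> bytes:
    """Wrap the payload as a base64 MIME part inside a minimal SMTP DATA exchange."""
    b64 = base64.b64encode(PDF_PAYLOAD).decode()
    wrapped = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (
        "EHLO client.example\r\nMAIL FROM:<a@example>\r\nRCPT TO:<b@example>\r\n"
        "DATA\r\nSubject: manpage\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
        "--XYZ\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        '--XYZ\r\nContent-Type: application/pdf; name="a.pdf"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n" + wrapped + "\r\n"
        "--XYZ--\r\n.\r\nQUIT\r\n"
    ).encode()


def decode_like_cli(data: bytes) -> bytes:
    """Mimic `base64 -d`: ignore line breaks, reject any other non-alphabet byte."""
    return base64.b64decode(b"".join(data.split()), validate=True)


def carve_attachment(stream: bytes) -> bytes:
    """Steps 3-5 of the procedure: isolate the base64 part, drop the CRs, decode."""
    text = stream.replace(b"\r\n", b"\n")                      # step 4, the ^M removal
    m = re.search(rb"content-transfer-encoding:\s*base64", text, re.I)
    if m is None:
        raise ValueError("no base64-encoded MIME part in stream")
    start = text.index(b"\n\n", m.end()) + 2                   # blank line ends the part headers
    end = text.find(b"\n--", start)                            # next MIME boundary line
    body = text[start:end if end != -1 else len(text)]
    return decode_like_cli(body)


def is_pdf(data: bytes) -> bool:
    """Quick sanity check on the carved bytes: a PDF starts with '%PDF-'."""
    return data.startswith(b"%PDF-")


def whole_stream_fails(stream: bytes) -> bool:
    """Skipping step 3 and decoding everything reproduces 'base64: invalid input'."""
    try:
        decode_like_cli(stream)
    except binascii.Error:
        return True
    return False
```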