Simple Mail Transfer Protocol (SMTP) is one of the oldest and most common methods of sending email. If the session is not protected with TLS, traffic is transmitted in plaintext, leaving it open to interception and exploitation. A quick note on ports: plain SMTP between mail servers commonly uses port 25; port 587 is the mail submission port, where clients normally upgrade the connection with STARTTLS; and port 465 carries SMTP over implicit TLS (SMTPS). Keep in mind that STARTTLS only protects the session if the client actually requires it, so traffic on 587 is not encrypted by definition.
This blog hopes to guide you through the process of manually analyzing SMTP traffic using Wireshark, a powerful network protocol analyzer, and to show why identifying unencrypted traffic by hand still matters.
Why Analyze SMTP Traffic?
As discussed above, SMTP is widely used for sending email, and although modern deployments usually encrypt it (STARTTLS or SMTPS), plaintext SMTP traffic can still be found, especially on legacy systems or misconfigured servers. Plaintext SMTP can reveal sensitive information such as usernames, passwords and email contents, making it a valuable target for attackers. Don't believe me? Let's dive in below:
Getting Started with Wireshark
Even though much PCAP analysis is now automated, it is still important to understand Wireshark, a tool that lets you capture and analyze network traffic. If this is something that interests you (after reading this blog), check out our Introduction to Network Analysis FREE Course (part of our Blue Team Junior Analyst training pathway) and/or BTLO - Piggy Lab.
Analyzing the Traffic:
I will be working from a PCAP file for the duration of this demo, meaning I won't cover capturing the traffic, as that could be a separate blog in itself. I will briefly outline the process below:
Capture the Traffic (Optional)
Once you open Wireshark, you can start capturing packets on the desired network interface as seen below:
Wireshark Capture Panel
To show SMTP traffic only, apply a display filter with the string: smtp. This filter relies on Wireshark's SMTP dissector recognizing the conversation, which by default it does for the standard SMTP ports; if the server listens on a nonstandard port, use Analyze > Decode As (or filter on the port number) before these packets will appear.
SMTP Traffic Filter
Lastly, stop the capture once you have sufficient data.
Note: make sure the interface you're capturing from actually has traffic and is connected to the network segment where the SMTP packets are flowing. Alternatively, capture all TCP traffic and filter through it afterwards. This is entirely up to you.
Filtering the Traffic
Let’s locate the SMTP packets by applying the filter: smtp
EHLO Command Packet
These are my results. I redacted the rest of the output to focus on a specific packet: the EHLO command.
The EHLO Command
“The EHLO (Extended Hello) is sent by an email client to the server to initiate an SMTP session and negotiate the features and extensions that will be used during the session,” according to Stalwart. You may see this referred to as the HELO command online. EHLO is the ESMTP (SMTP Service Extensions) replacement for HELO: a modern client sends EHLO first and falls back to HELO only if the server rejects it. Either way, HELO or EHLO is a REQUIRED command before the SMTP client can begin a mail transaction.
Looking back at the screenshot above, EHLO SANDERS-DESKTOP is the client introducing itself to the SMTP server at 173[.]254[.]28[.]237, the kind of line you would also see in mail server logs when a client connects. Note that the EHLO parameter is whatever the client chooses to send, so it tells us the host calls itself 'SANDERS-DESKTOP', not that this name was verified. After further research on the server address, I found this:
Virus Total Results
Virus Total Results | Communication Files
Here is some more information regarding the supposed SMTP server.
IP Address Lookup Results
Looking at the output from VirusTotal, some vendors have flagged this IP as malicious, which makes us reconsider what this supposed mail server is really for. Let's dive into the packet in the next section.
Diving into the Traffic
Locate the EHLO Command packet and follow the TCP stream to view the entire SMTP conversation. This can be done by right-clicking the packet and selecting "Follow" > "TCP Stream".
Wireshark Packet Panel | TCP Stream
Now, let’s examine the plaintext content to identify sensitive data, such as login credentials, sender and recipient email addresses, and message content:
TCP Communication between Client and Server | Plaintext
In this capture, we can see the following:
- The SMTP server greeting the client (the 220 banner).
- The client initiating authentication with AUTH LOGIN.
- The exchange of base64-encoded credentials. Base64 is an encoding, not encryption, so the server's prompts and the client's replies decode trivially to the username and password, whether in Wireshark or in CyberChef.
- The sender's address, the recipient's address, and the email's subject and body, all visible in plaintext.
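As an added example (not code from the original post), the script below does by hand what the Follow > TCP Stream screenshot shows: it reads the text of a plaintext SMTP session, decodes the AUTH LOGIN challenge/response pairs, and pulls out the envelope sender, recipient, subject and body. It goes slightly beyond the post by also handling AUTH PLAIN, where both credentials travel in a single base64 token. The sample stream, host names, addresses and credentials are all constructed for this example.

```python
import base64
import re

# Constructed sample modelled on the exchange in the post; names and credentials are made up.
SAMPLE_STREAM = """\
220 mail.example.test ESMTP ready
EHLO SANDERS-DESKTOP
AUTH LOGIN
334 VXNlcm5hbWU6
c2FuZGVyc0BleGFtcGxlLnRlc3Q=
334 UGFzc3dvcmQ6
UGFzc3dvcmQxMjMh
235 2.7.0 Authentication successful
MAIL FROM:<sanders@example.test>
RCPT TO:<finance@example.test>
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Q3 invoices

Attached are the invoices for Q3.
.
"""
# Same credentials as AUTH PLAIN: a single base64 token of NUL, username, NUL, password.
PLAIN_TOKEN = base64.b64encode(b"\0sanders@example.test\0Password123!").decode()
SAMPLE_PLAIN_STREAM = f"220 mail.example.test ESMTP ready\nAUTH PLAIN {PLAIN_TOKEN}\n235 OK\n"
SERVER_LINE = re.compile(r"^\d{3}([ -]|$)")  # server replies start with a 3-digit code
ANGLE_ADDR = re.compile(r"<([^>]*)>")

def b64_text(token):
    """Decode one base64 token to text; None if it is not valid base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return None

def split_plain(token):
    decoded = b64_text(token)
    if decoded is None or decoded.count("\0") != 2:
        return None, None
    return tuple(decoded.split("\0")[1:])  # [authzid] NUL authcid NUL password

def parse_smtp_stream(stream):
    """Extract credentials and envelope data from a plaintext SMTP session."""
    info = {"client_name": None, "auth_mechanism": None, "username": None, "password": None,
            "mail_from": None, "rcpt_to": [], "subject": None, "body": []}
    # pending: what the next client line carries ("username", "password" or "plain")
    pending, data_pending, in_data, in_headers = None, False, False, False
    for line in stream.splitlines():
        line = line.rstrip("\r")
        if in_data:                                  # message content until a lone "."
            if line == ".":
                in_data = False
            elif in_headers:
                in_headers = line != ""
                if line.lower().startswith("subject:"):
                    info["subject"] = line.split(":", 1)[1].strip()
            else:
                info["body"].append(line)            # dot-stuffing is not undone here
        elif SERVER_LINE.match(line):
            if line.startswith("334"):               # SASL challenge: "Username:", "Password:" or empty
                challenge = (b64_text(line[3:]) or "").lower()
                if challenge.startswith("username"):
                    pending = "username"
                elif challenge.startswith("password"):
                    pending = "password"
                elif info["auth_mechanism"] == "PLAIN":
                    pending = "plain"
            elif line.startswith("354") and data_pending:
                data_pending, in_data, in_headers = False, True, True
        elif pending == "plain":                     # client answers the empty PLAIN challenge
            info["username"], info["password"] = split_plain(line)
            pending = None
        elif pending:                                # client answers a LOGIN prompt
            info[pending] = b64_text(line)
            pending = None
        else:                                        # an ordinary client command
            verb, _, rest = line.partition(" ")
            verb, rest = verb.upper(), rest.strip()
            if verb in ("EHLO", "HELO"):
                info["client_name"] = rest
            elif verb == "AUTH":
                mech, _, initial = rest.partition(" ")
                info["auth_mechanism"] = mech.upper()
                if initial and mech.upper() == "PLAIN":  # token sent as the initial response
                    info["username"], info["password"] = split_plain(initial)
            elif verb in ("MAIL", "RCPT"):
                m = ANGLE_ADDR.search(rest)
                addr = m.group(1) if m else rest.split(":", 1)[-1].strip()
                if verb == "MAIL":
                    info["mail_from"] = addr
                else:
                    info["rcpt_to"].append(addr)
            elif verb == "DATA":
                data_pending = True
    return info

if __name__ == "__main__":
    print(parse_smtp_stream(SAMPLE_STREAM))
```

Paste the text of a real Follow > TCP Stream view into SAMPLE_STREAM to use it on your own capture. The server and client sides are told apart by the three-digit reply code, so the script works on the mixed stream view without needing Wireshark to colour the directions.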
This is why encrypted transport matters. This one example highlights the risks of sending email over unencrypted connections: anyone positioned to capture the traffic walks away with the account credentials and the message itself. Analyzing plaintext SMTP gives analysts a vivid reason to care about encryption. Failing to secure SMTP traffic (or any traffic) can lead to credential theft, unauthorized access and wider security incidents. If you would like more practice with this, visit our platform Blue Team Labs Online to play BTLO - Vortex, a lab dealing with an employee whose credentials were stolen after she clicked on malware that logged her unencrypted traffic at work, leaving her in a vortex of stress.
Conclusion
Understanding how to manually analyze SMTP traffic in Wireshark is a crucial skill for network administrators, security professionals and anyone interested in cybersecurity. By identifying plaintext protocols on your network and moving them onto encrypted transport, you can protect sensitive information and prevent potential threats.