[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"blog-posts-get-understanding-smtp-traffic-in-plaintext-using-wireshark":3},{"title":4,"title_seo":5,"html":6,"summary":7,"summary_seo":8,"thumbnail":9,"slug":10,"schema_seo":11,"created_at":12,"created_date":13,"created_human":14,"created_preview":15,"author":16},"Understanding SMTP Traffic in Plaintext Using Wireshark","Understanding SMTP Traffic In Plaintext Using Wireshark","\u003Cp style=\"margin-left:0px;\">\u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://www.geeksforgeeks.org/simple-mail-transfer-protocol-smtp/\">Simple Mail Transfer Protocol (SMTP)\u003C/a> is one of the oldest and most common methods of sending emails. If not properly secured, like \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://www.cloudflare.com/learning/email-security/smtp-port-25-587/#:~:text=SMTPS%20is%20more%20secure%20than,Layer%20Security%20(TLS)%20protocol.)\">Simple Mail Transfer Secure (SMTPS)\u003C/a>, traffic can be transmitted in \u003Cstrong>plaintext\u003C/strong>, leaving it vulnerable to interception and exploitation. Just to quickly add: \u003Ci>SMTP commonly uses port number \u003Cstrong>25\u003C/strong> while SMTPS commonly uses port number \u003Cstrong>587\u003C/strong>.\u003C/i>\u003C/p>\u003Cp style=\"margin-left:0px;\">This blog hopes to guide you through the process of manually analyzing SMTP traffic using \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://www.wireshark.org/\">Wireshark\u003C/a>, a powerful network protocol analyzer, and discuss the importance of identifying unencrypted traffic—manually.\u003C/p>\u003Ch3 style=\"margin-left:0px;\">Why Analyze SMTP Traffic?\u003C/h3>\u003Cp style=\"margin-left:0px;\">As discussed above, SMTP is widely used for sending emails, and although modern implementations often use encryption (SMTPS), plaintext SMTP traffic can still be found, especially in legacy systems or misconfigured servers. 
Analyzing SMTP traffic in plaintext can reveal sensitive information such as usernames, passwords, and email contents, making it a valuable target for attackers. Don’t believe me? Let's dive into this below:\u003C/p>\u003Ch3 style=\"margin-left:0px;\">Getting Started with Wireshark\u003C/h3>\u003Cp style=\"margin-left:0px;\">Despite PCAP analysis becoming a niche and having \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://www.b-yond.com/post/how-automation-turns-pcap-analysis-from-a-tedious-drain-on-resources-to-a-streamlined-operation\">automation handle it\u003C/a>, it is still important to understand Wireshark—a tool that allows you to capture and analyze network traffic. If this is something that interests you (after reading this blog): check out our \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://www.securityblue.team/courses/introduction-to-network-analysis\">\u003Cstrong>Introduction to Network Analysis FREE Course\u003C/strong>\u003C/a>\u003Cstrong> (part of our \u003C/strong>\u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://www.securityblue.team/courses/blue-team-junior-analyst-pathway-bundle\">\u003Cstrong>Blue Team Junior Analyst training pathway\u003C/strong>\u003C/a>\u003Cstrong>)\u003C/strong> and/or \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://blueteamlabs.online/home/investigation/piggy-aij2bd8h2\">\u003Cstrong>BTLO - Piggy Lab\u003C/strong>\u003C/a>.\u003C/p>\u003Ch3 style=\"margin-left:0px;\">Analyzing the Traffic:\u003C/h3>\u003Cp style=\"margin-left:0px;\">I will be working from a PCAP file for the duration of this demo—meaning I won’t cover the capturing of the traffic portion, as that can be a separate blog within itself. 
I will briefly cover the process below:\u003C/p>\u003Ch3 style=\"margin-left:0px;\">Capture the Traffic (Optional)\u003C/h3>\u003Cp style=\"margin-left:0px;\">Once you open Wireshark, you can start capturing packets on the desired network interface as seen below:\u003C/p>\u003Cp>\u003Cimg src=\"https://d2y9h8w1ydnujs.cloudfront.net/uploads/content/files/05a78ce4db327246a2e70d62f5c60896eb2e9f03131d7acf24659fba8593035e0748cc87332ecbac865fe54ef867.png\">\u003C/p>\u003Cp>\u003Ci>Wireshark Capture Panel\u003C/i>\u003C/p>\u003Cp>To gather SMTP traffic solely, you can apply a display filter, with the string: \u003Cstrong>smtp\u003C/strong>\u003C/p>\u003Cp>\u003Cimg src=\"https://d2y9h8w1ydnujs.cloudfront.net/uploads/content/files/993984b69c31f326b1c6d94ced4d0d09fbf38bd6a00db4aad318ff08f985d335110652a59f0a7d8ea1249194c2de.png\">\u003C/p>\u003Cp>\u003Ci>SMTP Traffic Filter\u003C/i>\u003C/p>\u003Cp style=\"margin-left:0px;\">Lastly, feel free to stop the capture once you have sufficient data.\u003C/p>\u003Cp style=\"margin-left:0px;\">\u003Cstrong>Note:\u003C/strong> make sure the interface you’re capturing from actually has traffic and is connected to the network where SMTP packets are flowing—or you can collect all TCP traffic and filter through it. This is totally up to you.\u003C/p>\u003Ch3 style=\"margin-left:0px;\">Filtering the Traffic\u003C/h3>\u003Cp style=\"margin-left:0px;\">Let’s locate the SMTP packets by applying the filter: smtp\u003C/p>\u003Cp>\u003Cimg src=\"https://d2y9h8w1ydnujs.cloudfront.net/uploads/content/files/fcfad1105bb5c8da52abef16fa1b2d3eaa1f105eb4741ffc7ce3e5035af89d0b39d74b7f76f74bc3071ddf5b7315.png\">\u003C/p>\u003Cp>\u003Ci>EHLO Command Packet\u003C/i>\u003C/p>\u003Cp style=\"margin-left:0px;\">These are my results. 
I blocked the other portion of the output to focus on a specific packet: \u003Cstrong>The EHLO Command\u003C/strong>.\u003C/p>\u003Ch3 style=\"margin-left:0px;\">The EHLO Command\u003C/h3>\u003Cp style=\"margin-left:0px;\">\u003Ci>“The&nbsp;\u003C/i>EHLO\u003Ci>&nbsp;(Extended Hello) is sent by an email client to the server to initiate an SMTP session and negotiate the features and extensions that will be used during the session,\u003C/i>” according to \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://stalw.art/docs/smtp/inbound/ehlo/\">Stalwart\u003C/a>. You may hear this referred to as the \u003Cstrong>HELO Command\u003C/strong> online. Well, EHLO is an alternative to HELO for servers that support \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://www.geeksforgeeks.org/what-is-esmtp-extended-simple-mail-transfer-protocol/\">SMTP service extensions (ESMTP)\u003C/a>. In any case, HELO or EHLO is a REQUIRED command for the SMTP client to commence a mail transfer.\u003C/p>\u003Cp style=\"margin-left:0px;\">Looking back at the screenshot above, the \u003Ci>EHLO SANDERS-DESKTOP\u003C/i> command is part of the SMTP communication process, typically seen in logs when an email client or server initiates a connection to an SMTP server. So the machine named ‘\u003Cstrong>SANDERS-DESKTOP\u003C/strong>’ is introducing itself to the SMTP server on 173[.]254[.]28[.]237. 
But after further research, I found this:\u003C/p>\u003Cp>\u003Cimg src=\"https://d2y9h8w1ydnujs.cloudfront.net/uploads/content/files/429ef1110f5f0e2c010a85905dde795abd8da49aa5e3cfbd1fd3c44899111cf41c7cd51a7630eae9a31b443498e3.png\">\u003C/p>\u003Cp>\u003Ci>Virus Total Results\u003C/i>\u003C/p>\u003Cp>\u003Cimg src=\"https://d2y9h8w1ydnujs.cloudfront.net/uploads/content/files/7eb87d1d08bc46703478f5f77412674cd841d21272f7e94df3df6592978f57567581066094ae02c598c01b67d904.png\">\u003C/p>\u003Cp>\u003Ci>Virus Total Results | Communication Files\u003C/i>\u003C/p>\u003Cp>Here is some more information regarding the supposed SMTP server.\u003C/p>\u003Cp>\u003Cimg src=\"https://d2y9h8w1ydnujs.cloudfront.net/uploads/content/files/7061d72a732c8b6bc295b05aa446b11187c891f8b3f5563ff005c99243fc973cfcafa6950abe86cae1313481eea5.png\">\u003C/p>\u003Cp>\u003Ci>IP Address Lookup Results\u003C/i>\u003C/p>\u003Cp style=\"margin-left:0px;\">Looking at the output from \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://www.virustotal.com/gui/ip-address/173.254.28.237/detection\">VirusTotal\u003C/a>, some vendors have flagged this IP as malicious, really making us reconsider its true intention. Let’s dive into the packet in the next section.\u003C/p>\u003Ch3 style=\"margin-left:0px;\">Diving into the Traffic\u003C/h3>\u003Cp style=\"margin-left:0px;\">Locate the EHLO Command packet and follow the TCP stream to view the entire SMTP conversation. 
This can be done by right-clicking the packet and selecting \u003Cstrong>\"Follow\"\u003C/strong> &gt; \u003Cstrong>\"TCP Stream\"\u003C/strong>.\u003C/p>\u003Cp>\u003Cimg src=\"https://d2y9h8w1ydnujs.cloudfront.net/uploads/content/files/0bc0b5bc6bd47fb1ca9c40f0f7c29b1a98f21e4f054b665caea6f6817b3b933363d40db01e0a32bd019f1bb7f160.png\">\u003C/p>\u003Cp>\u003Ci>Wireshark Packet Panel | TCP Stream\u003C/i>\u003C/p>\u003Cp>Now, let’s examine the plaintext content to identify sensitive data, such as login credentials, sender and recipient email addresses, and message content:\u003C/p>\u003Cp>\u003Cimg src=\"https://d2y9h8w1ydnujs.cloudfront.net/uploads/content/files/c8b943eccd72fe0b8208bcf5193650ec10f044d774a99a7f43c93f3061169ac38c24696a87b3a635fb135a0fab00.png\">\u003C/p>\u003Cp>\u003Ci>TCP Communication between Client and Server | Plaintext\u003C/i>\u003C/p>\u003Cp style=\"margin-left:0px;\">In this capture, we can see the following:\u003C/p>\u003Cul>\u003Cli>The SMTP server greeting the client.\u003C/li>\u003Cli>The client initiating an authentication request using AUTH LOGIN.\u003C/li>\u003Cli>The exchange of base64-encoded credentials, which can easily be decoded to reveal the username and password in plaintext within Wireshark or \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://cyberchef.io/\">CyberChef\u003C/a>.\u003C/li>\u003Cli>The sender's email, the recipient's email, and the email's subject and body, all visible in plaintext.\u003C/li>\u003C/ul>\u003Cp style=\"margin-left:0px;\">This illustrates the importance of encrypted communications. This one example highlights the risks associated with transmitting email data over unencrypted connections. Analyzing SMTP traffic in plaintext can give analysts a vivid reason why encryption is important. Failing to secure SMTP traffic (or all traffic) can lead to data breaches, unauthorized access, and security incidents. 
If you would like more practice with this, visit our platform \u003Ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://blueteamlabs.online/home\">Blue Team Labs Online\u003C/a> to play \u003Cstrong>BTLO - Vortex\u003C/strong>—a lab dealing with an employee who got their credentials stolen by clicking on malware, which logged her unencrypted traffic at work—leaving her in a \u003Ci>vortex\u003C/i> of stress.\u003C/p>\u003Cp>\u003Cimg src=\"https://d2y9h8w1ydnujs.cloudfront.net/uploads/content/files/d0fc58999631e048a21fc4dafbbb588e9c57b7639cebb941c834bc44c7adb6bf97dcc9f0183207e306e1a800c0c5.png\">\u003C/p>\u003Cp>\u003Ca href=\"blueteamlabs.online\">\u003Ci>BTLO - Vortex | Easy SOC Lab\u003C/i>\u003C/a>\u003C/p>\u003Ch3 style=\"margin-left:0px;\">Conclusion\u003C/h3>\u003Cp style=\"margin-left:0px;\">Understanding how to manually analyze SMTP traffic using Wireshark is a crucial skill for network administrators, security professionals, and anyone interested in cybersecurity. By identifying and addressing vulnerabilities in plaintext traffic, you can protect sensitive information and prevent potential threats.\u003C/p>","In 2024, today’s digital age, the security of email communications is more critical than ever.","Explore the process of manually analyzing SMTP traffic using Wireshark, and understand the importance of identifying unencrypted traffic—manually.","https://d2y9h8w1ydnujs.cloudfront.net/uploads/thumbnails/88a92f628895881f97eb9cb6e0adb149fc493adb.png","understanding-smtp-traffic-in-plaintext-using-wireshark","","2024-08-23T14:03:00.000000Z","23/08/2024","1 year ago","23 Aug 2024",{"name":17,"description":18,"avatar":19},"Malik Girondin","Malik has experience with both technical and educational roles within cybersecurity, and is here to share his knowledge on both! Areas he writes on are careers advice and mentorship.","https://d2y9h8w1ydnujs.cloudfront.net/uploads/authors/55f9980f8eb5de294a083e6005f0870fe2355bb4.png"]