POP: Post Office Protocol
Introduction
POP is a protocol that allows a client to retrieve emails from a mail server. This tutorial discusses the features of the plugin popDecode, including its data carving capabilities.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow tcpStates popDecode txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, please do it now in another bash window; it makes the workflow easier:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: pop3.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing POP traffic!
popDecode
Let's look at the plugin configuration first. It looks like that of the other data carving plugins.
vi src/popDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define POP_SAVE 0 // save content to POP_F_PATH
#define POP_BTFLD 1 // 1: enable bit field output, 0: disable
#define POP_MXNMLN 65 // maximal name length
#define POP_MXUNM 5 // maximal number of users
#define POP_MXPNM 5 // maximal number of passwords/parameters
#define POP_MXCNM 10 // maximal number of content entries
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
#define POP_RMDIR 1 // empty POP_F_PATH before starting (requires POP_SAVE=1)
#define POP_F_PATH "/tmp/POPFILES/" // Path for extracted content
#define POP_NONAME "nudel" // file name used when no name is available
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
This plugin is data carving capable, so it extracts the content of the retrieved emails to the path POP_F_PATH if POP_SAVE=1 is set. Note that POP_RMDIR=1 means that this directory is emptied at every new t2 execution, so if you want to keep earlier files, switch it to 0. POP_BTFLD controls the output of the command bitfield.
For the time being we leave everything as default. Now run t2 on the supplied pcap.
t2 -r ~/data/pop3.pcap -w ~/results/ -s
So the aggregated popStat flags the existence of POP3 in the pcap. We further see that there is an authentication error, an array overflow and potential content which can be extracted.
The popStat column with value 0x02ce is to be interpreted as follows:
bit | popStat | Description
=============================================================================
  1 |  0x0002 | POP3 port found
  2 |  0x0004 | Response +OK
  3 |  0x0008 | Response -ERR
  6 |  0x0040 | Response not valid or data
  7 |  0x0080 | Array overflow
  9 |  0x0200 | Return path pending
In the flow file you see the aggregated POP3 commands, users, passwords and content until the configured maximum array length is reached; see flow 11 B.
tcol ~/results/pop3_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags popStat popCBF popCC popRM popUsrNum popUsr popPwNum popPw popCNum popC
A 1 0x0400000000004000 1377201633.570191 1377201633.570191 0.000000 1 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 "Private network" 26242 212.227.15.188 de "1&1 IONOS SE" 110 6 0x03 0x0002 0x0000 0 0 0
B 1 0x0400000000004001 1377201633.620883 1377201633.620883 0.000000 1 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.188 de "1&1 IONOS SE" 110 192.168.0.4 07 "Private network" 26242 6 0x43 0x0002 0x0000 0 0 0
A 2 0x0400000000004000 1377201634.118955 1377201634.118955 0.000000 1 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 "Private network" 26242 212.227.15.188 de "1&1 IONOS SE" 110 6 0x03 0x0002 0x0000 0 0 0
B 2 0x0400000000004001 1377201634.179802 1377201634.179802 0.000000 1 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.188 de "1&1 IONOS SE" 110 192.168.0.4 07 "Private network" 26242 6 0x43 0x0002 0x0000 0 0 0
A 3 0x0400000000004000 1377201634.679980 1377201634.679980 0.000000 1 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 "Private network" 26242 212.227.15.188 de "1&1 IONOS SE" 110 6 0x03 0x0002 0x0000 0 0 0
B 3 0x0400000000004001 1377201634.730947 1377201634.730947 0.000000 1 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.188 de "1&1 IONOS SE" 110 192.168.0.4 07 "Private network" 26242 6 0x43 0x0002 0x0000 0 0 0
A 4 0x0400000000004000 1377201634.731376 1377201634.731376 0.000000 1 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 "Private network" 26245 212.227.15.171 de "1&1 IONOS SE" 110 6 0x03 0x0002 0x0000 0 0 0
B 4 0x0400000000004001 1377201634.782081 1377201634.782081 0.000000 1 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.171 de "1&1 IONOS SE" 110 192.168.0.4 07 "Private network" 26245 6 0x43 0x0002 0x0000 0 0 0
A 5 0x0400000000004000 1377201635.282020 1377201635.282020 0.000000 1 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 "Private network" 26245 212.227.15.171 de "1&1 IONOS SE" 110 6 0x03 0x0002 0x0000 0 0 0
B 5 0x0400000000004001 1377201635.332082 1377201635.332082 0.000000 1 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.171 de "1&1 IONOS SE" 110 192.168.0.4 07 "Private network" 26245 6 0x43 0x0002 0x0000 0 0 0
A 6 0x0400000000004000 1377201635.832038 1377201635.832038 0.000000 1 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 "Private network" 26245 212.227.15.171 de "1&1 IONOS SE" 110 6 0x03 0x0002 0x0000 0 0 0
B 6 0x0400000000004001 1377201635.879756 1377201635.879756 0.000000 1 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.171 de "1&1 IONOS SE" 110 192.168.0.4 07 "Private network" 26245 6 0x43 0x0002 0x0000 0 0 0
A 8 0x0400000000004000 1377201676.627010 1377201680.096849 3.469839 1 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 "Private network" 26284 212.227.15.166 de "1&1 IONOS SE" 110 6 0x00 0x0002 0x0006 AUTH;CAPA 0 1 "AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcg==" 0
B 8 0x0400000000004001 1377201679.672783 1377201680.147200 0.474417 1 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de "1&1 IONOS SE" 110 192.168.0.4 07 "Private network" 26284 6 0x00 0x024e 0x0000 1 0 0 4 "POP server ready H mimap8 0MHXFQ-1VDgSF1308-003NYq";"1 argument required";"Capability list follows";"authentication failed"
A 10 0x0400000000004000 1377201700.505011 1377201701.042241 0.537230 1 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 "Private network" 26308 212.227.15.166 de "1&1 IONOS SE" 110 6 0x00 0x0002 0x0086 AUTH;CAPA;QUIT 0 1 "AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcjEyMw==" 0
B 10 0x0400000000004001 1377201700.559388 1377201701.091336 0.531948 1 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de "1&1 IONOS SE" 110 192.168.0.4 07 "Private network" 26308 6 0x00 0x024e 0x0000 1 0 0 5 "POP server ready H mimap13 0MW5rZ-1VayeZ2jFp-00XVZd";"1 argument required";"Capability list follows";"mailbox \"digitalinvestigator@networksims.com\" has 3 messages (191";"POP server signing off"
A 7 0x0400000000004000 1377201663.814560 1377201663.978066 0.163506 1 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 "Private network" 26272 212.227.15.166 de "1&1 IONOS SE" 110 6 0x02 0x0002 0x0084 CAPA;QUIT 0 0 0
B 7 0x0400000000004001 1377201663.880379 1377201664.026584 0.146205 1 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de "1&1 IONOS SE" 110 192.168.0.4 07 "Private network" 26272 6 0x02 0x0006 0x0000 0 0 3 "POP server ready H mimap4 0MHoUr-1VDxRD3Ui5-003eq2";"Capability list follows";"POP server signing off"
A 9 0x0400000000004000 1377201698.254021 1377201698.460579 0.206558 1 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 "Private network" 26304 212.227.15.166 de "1&1 IONOS SE" 110 6 0x02 0x0002 0x0084 CAPA;QUIT 0 0 0
B 9 0x0400000000004001 1377201698.302143 1377201698.507279 0.205136 1 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de "1&1 IONOS SE" 110 192.168.0.4 07 "Private network" 26304 6 0x02 0x0006 0x0000 0 0 3 "POP server ready H mimap9 0MK0or-1VBlin3ixZ-001RVN";"Capability list follows";"POP server signing off"
A 11 0x0400000000004000 1377201783.749577 1377201784.963062 1.213485 1 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 "Private network" 26383 212.227.15.166 de "1&1 IONOS SE" 110 6 0x00 0x0022 0x2596 AUTH;CAPA;STAT;LIST;UIDL;RETR;QUIT 0 1 "AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcjEyMw==" 3 "1";"2";"3"
B 11 0x0400000000004001 1377201783.798292 1377201785.011707 1.213415 1 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de "1&1 IONOS SE" 110 192.168.0.4 07 "Private network" 26383 6 0x00 0x00ce 0x0000 1;3 1 "noreply@bounce.unitedinternet.com" 0 5 "POP server ready H mimap15 0LfD5x-1VsVU4327M-00pHSn";"1 argument required";"Capability list follows";"mailbox \"digitalinvestigator@networksims.com\" has 3 messages (191";"3 19191"
The AUTH method used in this pcap requires base64 decoding, so apply the base64 command.
echo "AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcg==" | base64 -d
digitalinvestigator@networksims.comnapier
echo "AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcjEyMw==" | base64 -d
digitalinvestigator@networksims.comnapier123
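To read the popStat bits and the AUTH PLAIN credential above programmatically rather than by eye, here is an added example (not part of this tutorial or of the popDecode plugin) that parses popDecode flow output, decodes popStat with the table shown above and splits the SASL PLAIN blob at its NUL separators, which is why `base64 -d` prints user and password run together. It assumes the flow file is tab-separated with a %-prefixed header, and the constructed sample keeps only the relevant columns of flows 8 and 11.

```python
import base64
import binascii

# popStat bit descriptions, as printed by `tawk -V popStat` on this page
POP_STAT_BITS = {
    0x0002: "POP3 port found",
    0x0004: "Response +OK",
    0x0008: "Response -ERR",
    0x0010: "Data storage exists",
    0x0020: "Data storage in progress",
    0x0040: "Response not valid or data",
    0x0080: "Array overflow",
    0x0200: "Return path pending",
}

# Constructed, reduced copy of ~/results/pop3_flows.txt (assumed tab-separated,
# '%'-prefixed header); only the columns used below, values from flows 8 and 11.
SAMPLE_FLOWS = (
    "%dir\tflowInd\tsrcIP\tdstIP\tpopStat\tpopCC\tpopPw\n"
    "A\t8\t192.168.0.4\t212.227.15.166\t0x0002\tAUTH;CAPA\t"
    '"AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcg=="\n'
    "B\t8\t212.227.15.166\t192.168.0.4\t0x024e\t\t\n"
    "A\t11\t192.168.0.4\t212.227.15.166\t0x0022\t"
    "AUTH;CAPA;STAT;LIST;UIDL;RETR;QUIT\t"
    '"AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcjEyMw=="\n'
    "B\t11\t212.227.15.166\t192.168.0.4\t0x00ce\t\t\n"
)

def decode_pop_stat(value):
    """Names of all bits set in a popStat value, lowest bit first."""
    return [desc for bit, desc in sorted(POP_STAT_BITS.items()) if value & bit]

def decode_sasl_plain(b64):
    """Split a base64 SASL PLAIN message (RFC 4616) into (authzid, authcid,
    password); the NUL separators are why `base64 -d` prints them run together."""
    parts = base64.b64decode(b64).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    return tuple(p.decode("utf-8", "replace") for p in parts)

def parse_flow_file(text):
    """Parse txtSink flow output into one dict per row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]

def audit_pop_flows(text):
    """Pair A/B flows by flowInd and report each cleartext AUTH PLAIN login:
    account, password length (never the password), whether the server sent
    -ERR at any point (aggregated, so not proof of a failed login: flow 11
    gets one from the bare AUTH and still retrieves mail) and RETR usage."""
    by_ind = {}
    for row in parse_flow_file(text):
        by_ind.setdefault(row["flowInd"], {})[row["dir"]] = row
    findings = []
    for ind, pair in sorted(by_ind.items(), key=lambda kv: int(kv[0])):
        a, b = pair.get("A"), pair.get("B")
        cmds = a["popCC"].split(";") if a else []
        if "AUTH" not in cmds:
            continue
        stat = int(b["popStat"], 16) if b else 0
        for pw in a["popPw"].split(";"):
            pw = pw.strip('"')
            if not pw:
                continue
            try:
                _, user, secret = decode_sasl_plain(pw)
            except (ValueError, binascii.Error):
                user, secret = None, ""
            findings.append({"flowInd": ind, "client": a["srcIP"], "user": user,
                             "pw_len": len(secret), "server_err": bool(stat & 0x0008),
                             "retrieved": "RETR" in cmds, "server_flags": decode_pop_stat(stat)})
    return findings
```

Point audit_pop_flows at the real pop3_flows.txt to list every account whose password crossed the wire unencrypted on port 110; the credential is never printed.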
In the packet file only the status is printed; all the rest can be seen in l7Content.
tcol ~/results/pop3_packets.txt
%pktNo flowInd flowStat time pktIAT flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags popStat l7Content
...
75 11 0x0400000000004001 1377201783.798292 0.000000 0.000000 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x0002
76 11 0x0400000000004000 1377201783.798402 0.048825 0.048825 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 Private network 26383 212.227.15.166 de 1&1 IONOS SE 110 6 0x00 0x0002
77 11 0x0400000000004001 1377201783.850368 0.052076 0.052076 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x0006 +OK POP server ready H mimap15 0LfD5x-1VsVU4327M-00pHSn\r\n
78 11 0x0400000000004000 1377201783.883686 0.085284 0.134109 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 Private network 26383 212.227.15.166 de 1&1 IONOS SE 110 6 0x00 0x0002 AUTH\r\n
79 11 0x0400000000004001 1377201783.930170 0.079802 0.131878 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x0006
80 11 0x0400000000004001 1377201783.931322 0.001152 0.133030 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x000e -ERR 1 argument required\r\n
81 11 0x0400000000004000 1377201783.980510 0.096824 0.230933 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 Private network 26383 212.227.15.166 de 1&1 IONOS SE 110 6 0x00 0x0002 CAPA\r\n
82 11 0x0400000000004001 1377201784.031062 0.099740 0.232770 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x000e +OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\nSTLS\r\nSASL PLAIN\r\nIMPLEMENTATION trinity\r\n.\r\n
83 11 0x0400000000004000 1377201784.075526 0.095016 0.325949 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 Private network 26383 212.227.15.166 de 1&1 IONOS SE 110 6 0x00 0x0102 AUTH PLAIN\r\n
84 11 0x0400000000004001 1377201784.123508 0.092446 0.325216 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x004e + \r\n
85 11 0x0400000000004000 1377201784.172369 0.096843 0.422792 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 Private network 26383 212.227.15.166 de 1&1 IONOS SE 110 6 0x00 0x0002 AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcjEyMw==\r\n
86 11 0x0400000000004001 1377201784.235051 0.111543 0.436759 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x024e +OK mailbox "digitalinvestigator@networksims.com" has 3 messages (19191 octets) H mimap15\r\n
87 11 0x0400000000004000 1377201784.269186 0.096817 0.519609 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 Private network 26383 212.227.15.166 de 1&1 IONOS SE 110 6 0x00 0x0002 STAT\r\n
88 11 0x0400000000004001 1377201784.317468 0.082417 0.519176 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x024e +OK 3 19191\r\n
89 11 0x0400000000004000 1377201784.365146 0.095960 0.615569 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 Private network 26383 212.227.15.166 de 1&1 IONOS SE 110 6 0x00 0x0002 LIST\r\n
90 11 0x0400000000004001 1377201784.412429 0.094961 0.614137 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x02ce +OK\r\n1 5565\r\n2 8412\r\n3 5214\r\n.\r\n
91 11 0x0400000000004000 1377201784.462146 0.097000 0.712569 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 Private network 26383 212.227.15.166 de 1&1 IONOS SE 110 6 0x00 0x0002 UIDL\r\n
92 11 0x0400000000004001 1377201784.508445 0.096016 0.710153 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x02ce +OK\r\n1 0M8Oog-1VyW6I2B74-00vNGA\r\n2 0LalaO-1VwtZq3DAW-00kuzg\r\n3 0MLPgA-1VC2Ru34ja-000jOl\r\n.\r\n
93 11 0x0400000000004000 1377201784.557389 0.095243 0.807812 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 Private network 26383 212.227.15.166 de 1&1 IONOS SE 110 6 0x00 0x0022 RETR 1\r\n
94 11 0x0400000000004001 1377201784.606405 0.097960 0.808113 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x02ce +OK\r\n
95 11 0x0400000000004001 1377201784.608357 0.001952 0.810065 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x00ce Return-Path: <noreply@bounce.unitedinternet.com>\r\nDelivery-Date: Thu, 22 Aug 2013 21:14:44 +0200\r\nReceived: from mbulk.1and1.com (mbulk.1and1.com [212.227.126.222])\r\n\tby mx.kundenserver.de (node=mxeu0) with ESMTP (Nemesis)\r\n\tid 0M8Oog-1VyW6I2B74-00vNGA for digitalinvestigator@networksims.com; Thu, 22 Aug 2013 21:14:44 +0200\r\nDKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=1and1.co.uk;\r\n\ts=global1; t=1377198884; i=support@1and1.co.uk; bh=wgZdEaS8CGMFeJet\r\n\t6YN26Li8CZo8Y6B9rW5ZPOvk5Ks=; h=MIME-Version:From:Subject:To:\r\n\t Content-Type:Message-Id:Date; b=jEWHqJ559xXUf/1yZeCcy/IQbHKGJbRqaX\r\n\t3jP8iB+k2130Uthz5RbaLdXxDNrLx1H8RR5NoeiG2K060HWVwHywK6CgHLe5CTDIpDo\r\n\tDhX1YNJOGUTMW/V2H03Loy09kWzYPObADON/bWHJcnucUa46N1IssACeTHIiNZpjz58\r\n\tVaA=\r\nReceived: from omsmail (streamserve3.mt.einsundeins.de [172.19.7.103])\r\n\tby mbulk.1and1.com (node=mbulk2) with ESMTP (Nemesis)\r\n\tid 0M251y-1W5Nip0Pgx-00tHOr; Thu, 22 Aug 2013 21:14:44 +0200\r\nMIME-Version: 1.0\r\nFrom: 1&1 Internet Ltd. <support@1and1.co.uk>\r\nSubject: A message from 1&1 Internet\r\nTo: digitalinvestigator@networksims.com\r\nX-Message-ID: 90256101725241684#3\r\nContent-Type: multipart/alternative; boundary="multipart_alternative.878382066"\r\nMessage-Id: <0M251y-1W5Nip0Pgx-00tHOr@mbulk.1and1.com>\r\nDate: Thu, 22 Aug 2013 21:14:44 +0200\r\nX-Provags-ID: V02:K0:p2/TRoKqwwD816cbn/YD4v8DlYZz+czD/ffRyasdUlZ\r\n 2qCehsMVLorPcSPk+AVmQ6sGC56UuMGwRiEZGsYsWg1kyWcKRn\r\n p3MADLg5bUcPjtSzcNfcyNCJys50lVE90moNktM5MhlCTs
96 11 0x0400000000004000 1377201784.608415 0.051026 0.858838 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 Private network 26383 212.227.15.166 de 1&1 IONOS SE 110 6 0x00 0x0022
97 11 0x0400000000004001 1377201784.611546 0.003189 0.813254 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x00ce kY5D\r\n Z0e9QxdXccdasz6BRIuhVkOhc9Jpu+IwQGfragWrlDFsQjDVCv\r\n B1IqXL/112MUShMwnS1BbQLDhj2i5qNVli0nKr5jnhpmsVNOS3\r\n FOVAjswsscmojNg9/d9aM1pHVHxH2I3ALXvsxNtKU1O/pLiO7a\r\n /x2TvFTVXp78T7qag/MsTco0NM/Ec6VF7pDZIz2b9M5H7BK4g=\r\n =\r\nEnvelope-To: digitalinvestigator@networksims.com\r\n\r\n--multipart_alternative.878382066\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\nHello and welcome to your new e-mail account!\r\n\r\nThank you for using 1&1 Internet e-mail services for your e-mail account.=\r\n=20\r\nWe'd like to take this opportunity to tell you about a feature that is=20\r\nincluded in 1&1 e-mail services.=20\r\n\r\nWebMail 2.0\r\n-----------\r\nWhich e-mail client are you using? Is it as flexible and easy to use as=20\r\n1&1 WebMail?\r\n\r\nTry WebMail today. You can reach your e-mail account from any browser=20\r\nand without installing any software.=20\r\n\r\n- Access to your e-mail from any browser. Log in to your account at\r\n https://email.1and1.co.uk\r\n- WebMail is an integral part of 1&1 e-mail services. There are no=20\r\n additional fees for using WebMail and there is no software to set up.\r\n- Keep track of your appointments with your calendar, auto-responder and=20\r\n password management directly accessible for each mailbox.=20\r\n- Professional and versatile layout which we've based on MailXchange,=20\r\n a communication and collaboration solution for businesses.\r\n =20\r\nNo extra set up needed. You can start using WebMail immedia
98 11 0x0400000000004001 1377201784.611613 0.000067 0.813321 3 eth:ipv4:tcp 4c:17:eb:64:16:49 c8:f7:33:4b:82:37 0x0800 212.227.15.166 de 1&1 IONOS SE 110 192.168.0.4 07 Private network 26383 6 0x00 0x00ce tely!\r\n\r\nLog in to your account using your e-mail address and your password at:\r\nhttps://webmail.1and1.co.uk=20\r\n\r\nFor help using WebMail please visit our FAQ:\r\nhttp://faq.1and1.co.uk/search/go.php?t=3Dn49907=20\r\n\r\nEnjoy the flexibility of using 1&1 WebMail as either your primary e-mail=20\r\naccount or in addition to your local e-mail client.=20\r\n\r\nBest regards,\r\n\r\nRegistered at Cardiff, Company number 3953678 - VAT No GB 752539027\r\nAquasulis House, 10-14 Bath Road, Slough, Berkshire, SL1 3SA, United Kingdo=\r\nm\r\n\r\n--multipart_alternative.878382066\r\nContent-Type: text/html; charset=utf-8\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n<html>\r\n<body>\r\nHello and welcome to your new e-mail account!\r\n<br/>\r\n<br/>\r\nThank you for using 1&1 Internet e-mail services for=20\r\nyour e-mail account. We'd like to take this opportunity\r\nto tell you about a feature that is included in 1&1=20\r\ne-mail services.=20\r\n<br/>\r\n<br/>\r\nWebMail 2.0\r\n<br/>-----------<br/>\r\nWhich e-mail client are you using?\r\nIs it as flexible and easy to use as 1&1 WebMail?=20\r\n<br/>\r\n<br/>\r\nTry WebMail today. You can reach your e-mail account from=20\r\nany browser and without installing any software.=20\r\n<br/>\r\n<br/>\r\n<ul>\r\n<li>Access to your e-mail from any browser. Log in to your account at\r\n<a href=3D"https://email.1and1.co.uk">https://email.1and1.co.uk</a></li>\r\n<li>WebMail is an integral part of 1&1 e-mail services. There are no=20\r\nadditional fees for using W
99 11 0x0400000000004000 1377201784.611650 0.003235 0.862073 3 eth:ipv4:tcp c8:f7:33:4b:82:37 4c:17:eb:64:16:49 0x0800 192.168.0.4 07 Private network 26383 212.227.15.166 de 1&1 IONOS SE 110 6 0x00 0x0022
...
So you could read the emails in the packet file. To make extracting the email content easier, the data carving mode stores all emails into a file.
Data carving with popDecode
In order to enable the data carving mode, POP_SAVE has to be switched on. Use t2conf and t2build to reconfigure and recompile popDecode, then rerun t2 on the pcap.
t2conf popDecode -D POP_SAVE=1 && t2build popDecode
t2 -r ~/data/pop3.pcap -w ~/results/
...
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x43
popDecode: Aggregated popStat=0x02fe
popDecode: Number of POP packets: 67 [53.60%]
popDecode: Number of files extracted: 1
--------------------------------------------------------------------------------
...
The status confirms that files were successfully extracted.
tawk -V popStat=0x02fe
The popStat column with value 0x02fe is to be interpreted as follows:
bit | popStat | Description
=============================================================================
  1 |  0x0002 | POP3 port found
  2 |  0x0004 | Response +OK
  3 |  0x0008 | Response -ERR
  4 |  0x0010 | Data storage exists
  5 |  0x0020 | Data storage in progress
  6 |  0x0040 | Response not valid or data
  7 |  0x0080 | Array overflow
  9 |  0x0200 | Return path pending
Now move to POP_F_PATH and look into the file, whose name is derived from the flowInd and the flow direction (here the reverse flow B): _11_B.
cat /tmp/POPFILES/_11_B
Return-Path: <noreply@bounce.unitedinternet.com>
Delivery-Date: Thu, 22 Aug 2013 21:14:44 +0200
Received: from mbulk.1and1.com (mbulk.1and1.com [212.227.126.222])
    by mx.kundenserver.de (node=mxeu0) with ESMTP (Nemesis)
    id 0M8Oog-1VyW6I2B74-00vNGA for digitalinvestigator@networksims.com; Thu, 22 Aug 2013 21:14:44 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=1and1.co.uk;
    s=global1; t=1377198884; i=support@1and1.co.uk; bh=wgZdEaS8CGMFeJet
    6YN26Li8CZo8Y6B9rW5ZPOvk5Ks=; h=MIME-Version:From:Subject:To:
     Content-Type:Message-Id:Date; b=jEWHqJ559xXUf/1yZeCcy/IQbHKGJbRqaX
    3jP8iB+k2130Uthz5RbaLdXxDNrLx1H8RR5NoeiG2K060HWVwHywK6CgHLe5CTDIpDo
    DhX1YNJOGUTMW/V2H03Loy09kWzYPObADON/bWHJcnucUa46N1IssACeTHIiNZpjz58
    VaA=
Received: from omsmail (streamserve3.mt.einsundeins.de [172.19.7.103])
    by mbulk.1and1.com (node=mbulk2) with ESMTP (Nemesis)
    id 0M251y-1W5Nip0Pgx-00tHOr; Thu, 22 Aug 2013 21:14:44 +0200
MIME-Version: 1.0
From: 1&1 Internet Ltd. <support@1and1.co.uk>
Subject: A message from 1&1 Internet
To: digitalinvestigator@networksims.com
X-Message-ID: 90256101725241684#3
Content-Type: multipart/alternative; boundary="multipart_alternative.878382066"
Message-Id: <0M251y-1W5Nip0Pgx-00tHOr@mbulk.1and1.com>
Date: Thu, 22 Aug 2013 21:14:44 +0200
X-Provags-ID: V02:K0:p2/TRoKqwwD816cbn/YD4v8DlYZz+czD/ffRyasdUlZ
 2qCehsMVLorPcSPk+AVmQ6sGC56UuMGwRiEZGsYsWg1kyWcKRn
 p3MADLg5bUcPjtSzcNfcyNCJys50lVE90moNktM5MhlCTskY5D
 Z0e9QxdXccdasz6BRIuhVkOhc9Jpu+IwQGfragWrlDFsQjDVCv
 B1IqXL/112MUShMwnS1BbQLDhj2i5qNVli0nKr5jnhpmsVNOS3
 FOVAjswsscmojNg9/d9aM1pHVHxH2I3ALXvsxNtKU1O/pLiO7a
 /x2TvFTVXp78T7qag/MsTco0NM/Ec6VF7pDZIz2b9M5H7BK4g=
 =
Envelope-To: digitalinvestigator@networksims.com

--multipart_alternative.878382066
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello and welcome to your new e-mail account!
...
If the pcap contains user/password authentication, the user name is readily available, so that each email can be stored into a separate file. Unfortunately I have no pcap of that kind available. Try your own.
Conclusion
And don’t forget to reset the plugin configuration for the next tutorial.
t2conf popDecode --reset && t2build popDecode
Have fun analyzing.