{{ SECURITY Network packet Forensic }}
Chapter 8 : Regarding port 587
SMTP by default uses TCP port 25. The protocol for mail submission is the same, but uses port 587. SMTP connections secured by SSL, known as SMTPS, default to port 465 (nonstandard, but sometimes used for legacy reasons).
In the following example, the red boxes indicate 1) the server connection and 2) the authentication procedure for the login. The login account and the password are encoded in Base64 format. After that, you can see 3) the mail transfer procedure.
Finally, the disconnection procedure follows.
Here are example commands of the SMTP protocol.
| Commands | Note |
|---|---|
| HELO SENDER HOST NAME | Notify the sender's name to the SMTP server |
| MAIL SENDER's EMAIL | Notify the sender's email |
| RCPT RECEIVER's EMAIL | Notify the receiver's email |
| DATA Message Body | |
| QUIT | End of sending message |
| RSET | Current session has been expired, Reconnect |
| VRFY RECEIVER's EMAIL | Query the receiver's email |
| NOOP | Check the receiver's status |
From the [Follow TCP Stream] menu, you can sometimes see the content included in the message. The file-name field shows the name and the type of the attached files. To extract an attachment, first copy and paste its contents into a text file. After decoding that file with a Base64 decoder, you get the real attachment.
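The two Base64 steps described above (the login values in the authentication procedure and the attachment in the followed stream) can be done in one pass over the saved stream text. This Python sketch is an added example, not part of the original post; the function name `analyze_stream`, the sample hosts, account, password and `note.txt` file are all constructed for illustration, and it assumes an AUTH LOGIN exchange in an unencrypted stream.

```python
import base64
from email import message_from_string

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed stream text (hosts, account, password and file are made up).
SAMPLE_STREAM = f"""220 mail.example.test ESMTP
EHLO client.example.test
250 AUTH LOGIN
AUTH LOGIN
334 VXNlcm5hbWU6
{b64(b'alice@example.test')}
334 UGFzc3dvcmQ6
{b64(b'not-a-real-password')}
235 Authentication successful
MAIL FROM:<alice@example.test>
250 OK
RCPT TO:<bob@example.test>
250 OK
DATA
354 Go ahead
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="note.txt"
Content-Transfer-Encoding: base64

{b64(b'hello from the pcap')}
--b1--
.
250 Queued
QUIT
"""

def analyze_stream(text):
    lines = text.splitlines()
    # The message body sits between the server's 354 reply and the lone "." line.
    start = next(i for i, l in enumerate(lines) if l.startswith("354")) + 1
    end = lines.index(".", start)
    # AUTH LOGIN: the client line after each 334 prompt is a Base64 value.
    creds = [base64.b64decode(cur).decode()
             for prev, cur in zip(lines, lines[1:start]) if prev.startswith("334 ")]
    # Undo SMTP dot-stuffing, then let the MIME parser locate the attachments.
    body = "\n".join(l[1:] if l.startswith("..") else l for l in lines[start:end])
    msg = message_from_string(body)
    files = {p.get_filename(): p.get_payload(decode=True)
             for p in msg.walk() if p.get_filename()}
    return creds, files
```

`analyze_stream(SAMPLE_STREAM)` returns the decoded login values and a dictionary mapping each attachment file name to its decoded bytes, which can then be written to disk for further analysis.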
Reference :
https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol