mirror of https://github.com/dirtbags/moth.git
124 lines
4.1 KiB
Plaintext
Multipurpose Internet Mail Extensions (MIME)
============================================

MIME is a standard to describe the type of content. It is used
extensively by HTTP and email clients to provide details about what sort
of thing is being transferred (for example: a JPEG image, a Zip file, an
HTML page).

MIME is also used heavily by email clients to encapsulate multiple
objects, through the use of `multipart MIME`, more commonly referred to
as “attachments”.

When examining an SMTP transaction, an analyst is frequently called upon
to “decode” the MIME part in order to obtain the file that was
transferred.

The following SMTP transaction features an attachment:

    S: 220 mail.example.com ESMTP MushMail 1.3
    C: EHLO bub
    S: 250-Hi there
    S: 250-VRFY
    S: 250 8BITMIME
    C: MAIL FROM: alice@example.com
    S: 250 Recipient address accepted
    C: RCPT TO: bob@example.com
    S: 250 Sender accepted
    C: DATA
    S: 354 End data with \n.\n
    C: From: Alice <alice@example.com>
    C: To: Bob <bob@example.com>
    C: Subject: TPS report
    C: MIME-Version: 1.0
    C: Content-Type: multipart/mixed; boundary=arf
    C:
    C: This is a MIME message. Apparently your software is ancient
    C: and is unable to render it properly. Too bad for you.
    C:
    C: --arf
    C: Content-type: text/plain
    C: Content-disposition: inline
    C:
    C: I've attached the TPS report you asked for.
    C: --arf
    C: Content-type: image/png
    C: Content-transfer-encoding: base64
    C: Content-disposition: attachment; filename=key.png
    C:
    C: iVBORw0KGgoAAAANSUhEUgAAAHEAAAALCAIAAADHpfUgAAAACXBIWXMAAAsT
    C: AAALEwEAmpwYAAAAB3RJTUUH2gEOFzovNd+dvwAAAB10RVh0Q29tbWVudABD
    C: cmVhdGVkIHdpdGggVGhlIEdJTVDvZCVuAAAAz0lEQVRIx+1Wyw7EIAiUDf//
    C: y+6hCTEO4NhqN5s4h8YaGB6CKLXWcrAUn5OC5dBSiojYv5WtiFxrW9ja3WlJ
    C: kSSygjCxVibiiWwhD2pFUUdaSTY6Zs09SzY7MHdIbsX1OCLJXUIeV2tYK4zP
    C: GDvV+3gaDNxj5JGXA2/r/YGhfIStx+i927O/Quvt7D3D1ErOozy762ikeO3b
    C: 93aiGR5XZqpnExkMcBi77iuuaKrs4Olknpzi86tDV2WQGevDbojG8abeX6KF
    C: sct58583/x/gCxug/wCTSHakAAAAAElFTkSuQmCC
    C: --arf--
    C: .
    S: 250 Message accepted for delivery
    C: QUIT
    S: 221 Goodbye

The attachment part of this can be easily spotted: it’s the large
Base64-encoded chunk in the bottom half. You can spot the type
(image/png) and the filename (domo.png) in the MIME headers immediately
preceding the block.

The Base64 text can be copied and pasted into a text editor for
decoding. Save the text to any file you want: this tutorial will use
the filename `key.png.txt`.


Easily Decoding Base64
======================

Most Unix systems come pre-installed with several programs that can
decode Base64: uudecode, openssl, perl, and python are all capable of
the task. We will demonstrate Python, since we will be using that
language later in this tutorial, and since it is available on Windows
also.

After starting Python, we are met with the Python prompt:

    >>>

We now open the file and read in its contents:

    >>> contents = open('key.png.txt').read()

The file’s contents are now in the `contents` variable. We can then
Base64 decode the contents:

    >>> import binascii
    >>> decode = binascii.a2b_base64(contents)

And save the decoded contents to a new file, called `key.png`:

    >>> open('key.png', 'wb').write(decode)

If you are confused by the syntax, don’t worry too much about it. You
can use these four lines as a boilerplate for Base64 decoding any file.


Some help from Unix
===================

Unix (or Cygwin on Windows) features a command called `file` which
encapsulates decades of knowledge about file formats. The `file`
command can be run on arbitrary data to get an initial idea about what
sort of file you have. In our example:

    $ file key.png
    key.png: PNG image data, 113 x 11, 8-bit/color RGB, non-interlaced

This tool is invaluable when analyzing unknown data.


Question
========

Use the techniques in this page to decode the Base64 attachment used in
the example. When properly decoded, you will have an image that, when
viewed, reveals the key for this page.