mirror of
https://github.com/dirtbags/moth.git
synced 2025-01-09 05:20:54 -07:00
123 lines
4.1 KiB
Markdown
123 lines
4.1 KiB
Markdown
Multipurpose Internet Mail Extensions (MIME)
|
||
============================================
|
||
|
||
MIME is a standard to describe the type of content. It is used
|
||
extensively by HTTP and email clients to provide details about what sort
|
||
of thing is being transferred (for example: a JPEG image, a Zip file, an
|
||
HTML page).
|
||
|
||
MIME is also used heavily by email clients to encapsulate multiple
|
||
objects, through the use of `multipart MIME`, more commonly referred to
|
||
as “attachments”.
|
||
|
||
When examining an SMTP transaction, an analyst is frequently called upon
|
||
to “decode” the MIME part in order to obtain the file that was
|
||
transferred.
|
||
|
||
The following SMTP transaction features an attachment:
|
||
|
||
S: 220 mail.example.com ESMTP MushMail 1.3
|
||
C: EHLO bub
|
||
S: 250-Hi there
|
||
S: 250-VRFY
|
||
S: 250 8BITMIME
|
||
C: MAIL FROM: alice@example.com
|
||
S: 250 Recipient address accepted
|
||
C: RCPT TO: bob@example.com
|
||
S: 250 Sender accepted
|
||
C: DATA
|
||
S: 354 End data with \n.\n
|
||
C: From: Alice <alice@example.com>
|
||
C: To: Bob <bob@example.com>
|
||
C: Subject: TPS report
|
||
C: MIME-Version: 1.0
|
||
C: Content-Type: multipart/mixed; boundary=arf
|
||
C:
|
||
C: This is a MIME message. Apparently your software is ancient
|
||
C: and is unable to render it properly. Too bad for you.
|
||
C:
|
||
C: --arf
|
||
C: Content-type: text/plain
|
||
C: Content-disposition: inline
|
||
C:
|
||
C: I've attached the TPS report you asked for.
|
||
C: --arf
|
||
C: Content-type: image/png
|
||
C: Content-transfer-encoding: base64
|
||
C: Content-disposition: attachment; filename=key.png
|
||
C:
|
||
C: iVBORw0KGgoAAAANSUhEUgAAAHEAAAALCAIAAADHpfUgAAAACXBIWXMAAAsT
|
||
C: AAALEwEAmpwYAAAAB3RJTUUH2gEOFzovNd+dvwAAAB10RVh0Q29tbWVudABD
|
||
C: cmVhdGVkIHdpdGggVGhlIEdJTVDvZCVuAAAAz0lEQVRIx+1Wyw7EIAiUDf//
|
||
C: y+6hCTEO4NhqN5s4h8YaGB6CKLXWcrAUn5OC5dBSiojYv5WtiFxrW9ja3WlJ
|
||
C: kSSygjCxVibiiWwhD2pFUUdaSTY6Zs09SzY7MHdIbsX1OCLJXUIeV2tYK4zP
|
||
C: GDvV+3gaDNxj5JGXA2/r/YGhfIStx+i927O/Quvt7D3D1ErOozy762ikeO3b
|
||
C: 93aiGR5XZqpnExkMcBi77iuuaKrs4Olknpzi86tDV2WQGevDbojG8abeX6KF
|
||
C: sct58583/x/gCxug/wCTSHakAAAAAElFTkSuQmCC
|
||
C: --arf--
|
||
C: .
|
||
S: 250 Message accepted for delivery
|
||
C: QUIT
|
||
S: 221 Goodbye
|
||
|
||
The attachment part of this can be easily spotted: it’s the large
|
||
Base64-encoded chunk in the bottom half. You can spot the type
|
||
(image/png) and the filename (domo.png) in the MIME headers immediately
|
||
preceding the block.
|
||
|
||
The Base64 text can be copied and pasted into a text editor for
|
||
decoding. Save the text to any file you want: this tutorial will use
|
||
the filename `key.png.txt`.
|
||
|
||
|
||
Easily Decoding Base64
|
||
======================
|
||
|
||
Most Unix systems come pre-installed with several programs that can
|
||
decode Base64: uudecode, openssl, perl, and python are all capable of
|
||
the task. We will demonstrate Python, since we will be using that
|
||
language later in this tutorial, and since it is available on Windows
|
||
also.
|
||
|
||
After starting Python, we are met with the Python prompt:
|
||
|
||
>>>
|
||
|
||
We now open the file and read in its contents:
|
||
|
||
>>> contents = open('key.png.txt').read()
|
||
|
||
The file’s contents are now in the `contents` variable. We can then
|
||
Base64 decode the contents:
|
||
|
||
>>> import binascii
|
||
>>> decode = binascii.a2b_base64(contents)
|
||
|
||
And save the decoded contents to a new file, called `key.png`:
|
||
|
||
>>> open('key.png', 'wb').write(decode)
|
||
|
||
If you are confused by the syntax, don’t worry too much about it. You
|
||
can use these four lines as a boilerplate for base64 decoding any file.
|
||
|
||
|
||
Some help from Unix
|
||
===================
|
||
|
||
Unix (or Cygwin on Windows) features a command called `file` which
|
||
encapsulates decades of knowledge about file formats. The `file`
|
||
command can be run on arbitrary data to get an initial idea about what
|
||
sort of file you have. In our example:
|
||
|
||
$ file key.png
|
||
key.png: PNG image data, 113 x 11, 8-bit/color RGB, non-interlaced
|
||
|
||
This tool is invaluable when analyzing unknown data.
|
||
|
||
|
||
Question
|
||
========
|
||
|
||
Use the techniques in this page to decode the Base64 attachment used in
|
||
the example. When properly decoded, you will have an image that, when
|
||
viewed, reveals the key for this page.
|