Debug HTTP is easy, you have all sort of tools to do it (like Fiddler). What about SMTP?
How to Debug SMTP Communications?
My target system is Windows.
Suggested tools:
Ethereal
tcpdump
Microsoft Network Monitor
For the two people who responded with Ethereal: We renamed the project to Wireshark (http://www.wireshark.org) back in 2006 due to trademark issues. I strongly recommend upgrading.
Depending on your exact issue, Wireshark's Follow TCP Stream feature is pretty useful for debugging Internet Message protocols, including SMTP.
How to capture emails with Wireshark:
Get wireshark -> Install
Into filter enter smtp click Apply
When you get filtered lines click right mouse button on one of them and select 'Follow TCP stream'.
You should get window like following
(OPTIONAL) If you want to inspect contents of email that are base64 encoded
Copy part that looks like gibberish into one of base64 to text converters, there are plenty online. You should get readable text that was sent.
Hope this saves you some time.
smtp-cli is good for this. From the homepage:
smtp-cli is a powerful SMTP command line client with a support
for advanced features, such as STARTTLS, SMTP-AUTH, or IPv6
In addition to being a full-featured client, its --verbose option makes it
the tool I think you're looking for to track down SMTP issues (like, for instance,
why a server is rejecting a given to: address, which is how I found the tool :-) )
Again from the homepage:
It's also a convenient tool for testing and debugging SMTP servers' setups.
Even the hardcore mail admins used to typing the SMTP protocol over telnet
need a specialised tool when it comes to verifying encryption settings of
their TLS enabled server with a subsequent user authentication. Such things
are pretty hard to type into a telnet session by hand :-)
Try Ethereal - its a free network protocol analyzer.
The SMTP protocol is all ascii, so once you see whats inside the TCP connection, you should be good to go.
It will take a bit of work learning how to use Ethereal.
You can use a SMTP development server, like Neptune or Antix. Both work the same way: they create a "fake" SMTP server in your machine so you can test your e-mail sending methods, without actually sending the messages they receive.
Use tools like ethereal (www.ethereal.com) or tcpdump (www.tcpdump.org), if you want to see the SMTP traffic.
If you like to check your server for compliance with relaying standards, do a
telnet relay-test.mail-abuse.org
from your SMTP server and it checks your server for relaying vulnerabilities.
Related
I am trying to capture an old application that didn't honour the system's proxy setting. The only config I can change is the server IP address.
Capturing the packets with Wireshark. Without the Charles reverse proxy, I can see requests after the first three handshake requests.
With the reverse proxy, the connection stuck after the handshake requests.
I notice that when Charles received a request and connecting to somewhere but it will just stuck there:
Following is the config of the reverse proxy (Remote host removed):
Any help, solution and workarounds would be appreciated!
First of all, your app uses neither HTTP nor HTTPS. Studying screen shot of successful connection gives some details on protocol used:
the first message after handhsake is originated by server contrary to common client-server approach, where client is responsible for sending query. This fact is enough to cross out HTTP and HTTPS.
payload data isn't human-readable, so it's a binary protocol.
based on PUSH flags, protocol is much more likely to be message-based rather than stream-based
So client establishes connection, immediately gets some command from server and replies it. Then communication continues. I can't guess exact protocol. Port number might be irrelevant, but even if it's not, there are only few protocols using 4321 port by default. Anyway, it can always be custom private protocol.
I'm not familiar with Charles, but forwarding arbitrary TCP stream is probably covered by its port forwarding feature rather than reverse proxy. However, I don't really see any benefits in sending traffic through Charles in this case, capturing data on your PC should be enough to study details.
If you are looking for traffic manipulation, for arbitrary TCP stream it's not an easy task, but it must be possible. I'm not aware of suitable tools, quick googling shows lots of utils, but some of them looks applicable to text based stream only, so deeper study is required.
Reason for Failure
It may be because you are requesting a local IP address from a remote scope, which Charles proxy doesn't applies. For POS(Proof Of Statement), please refer to the below link
https://www.charlesproxy.com/documentation/faqs/localhost-traffic-doesnt-appear-in-charles/
Solution
So In order to solve the problem for the current scenario, use
http://192.168.86.22.charlesproxy.com/
Note: The url that you request will only be proxied properly by Charles not any other proxy services.
I'm trying to use wireshark to decode, view, and ultimately log my own https traffic--response bodies included. According to the wireshark docs, I need provide the file location of the private RSA key used to decode messages. My question is this:
Where on osx is the private rsa key used in https interactions, is this a single key? Many?
Wireshark docs seem to be telling me to make an RSA key. Given that I'm not experienced enough with this topic, messing with system keys because I read a thing on the internet seems like a pit of despair. What should I do?
What I'm really trying to do is log unencrypted https requests/responses with bodies, while listening to web traffic. If there's a better way I'm all ears.
What I'm really trying to do is log unencrypted https requests/responses with bodies, while listening to web traffic. If there's a better way I'm all ears.
Don't mess around with Wireshark for this. The documentation you're reading is outdated; modern TLS cipher suites do not use pure RSA for key exchange. This configuration was only supported by SSL 2.0, which was superseded by SSL 3.0 in 1996, and is no longer supported by any moern browser. Long story short -- it doesn't actually work in practice.
Instead, use a HTTPS proxy server. Several common tools for this purpose are:
mitmproxy
Charles Proxy (commercial)
fiddler
Many of these tools will also allow you to alter the contents of an HTTPS session, which is certainly not something that Wireshark will do.
I'm working on a study project and need to create a software which should encrypt LAN traffic between computers with Windows. So I need to capture, encrypt and resend all outbound traffic, and capture and decrypt all inbound traffic.
Currently I see two way to do it:
1) IP over UDP. I need encrypt IP packets and send them through UDP link, receive them and decrypt.
2) Encrypt payload of IP packets and decrypt it on another side.
I actually don't know how to do it better and where to start. All suggestions/examples will be helpful.
If you really only need to encrypt the traffic you can simply install a "manually keyed" IPSec SA. See instructions at MSDN
That being said, encryption is the easy part. Authenticating the peers and key agreements is the hard part.
Cryptography is hard to get right, so you definitely want do not want to invent a probably insecure wheel, but opt for a peer-reviewed standard solution, such as the Internet Key Exchange protocol. There is an (unfortunately discontinued) internet draft of a minimal IKE implementation.
Please note that it is perfectly OK to use IKEv2 as the key agreement / authentication protocol for any application - not just for ESP. But if you need to encapsulate ALL IP, Encapsulating Security Payload in tunnel mode is your friend, and the lucky thing here is that ANY OS that is IPv6 compliant MUST implement it, so using ESP is in practice just a matter of installing the key material to your OS kernel's IP stack.
In case you need code samples, I have made a minimal proof-of-concept level implementation of an initiating end of an IKEv2 peer in Python. A Perl implementation doing the same can be found from these IETF proceedings slides
I have an app, and it makes an https connection to a server. Is it possible to use something like wireshark or charlesproxy to just see the useragent that it's connecting with? I don't want to see any of the actual data, just the useragent - but I'm not sure if that is encrypted as well? (and if it's worth trying)
Thanks
Is it possible to...
No. Browser first establishes secure connection with server, then use it for transfer all data including requests' data, various headers etc.
Too late for the original inquirer, but the answer is that it may be possible in some cases, depending on application implementation.
You can use fiddler, and by turning on the 'decrypt https traffic' you also have visibility to the HTTPS content in some cases.
What fiddler does (on windows at least) is register itself within the wininet as system proxy. It can also add certificates (requires your approval when you select to decrypt https traffic) and generates on the fly certificates for the accessed domains, thus being MitM.
Applications using this infrastructure will be 'exposed' to this MitM. I ran fiddler and ran a few applications and was able to view https traffic related to office products (winword, powerpoint, outlook) other MS executables (Searchprotocolhost.exe) but also to some non-microsoft products such as apple software update, cisco jabber)
F
Is there a way to monitor the FTP port so that I can know what commands my FTP application is sending to a FTP server?
I am using a closed-source FTP client application, which is not working with a closed-source FTP application server. The client and the server are not communicating well with each other, and I would like to find out why. I wish to reverse-engineer the client to see what commends the client are sending to the sever. I used a web test tool before that allowed me to monitor the content transferring through HTTP, but I can't seem to find such tool for FTP. I appreciate it if you can help me out, thanks.
Sounds like you need a packet sniffer - assuming your network admins/company policy allows it...I have used wireshark fairly successfully before.
The core FTP commands should be visible in the packets.
You can use the Wireshark application: http://www.wireshark.org/
It should have decent parsing capabilities for FTP as well as other protocols.
Can you configure a proxy with the client? Then you could install an ftp proxy server using the logging on that to see what's going on?
There's a proxy server for Linux here: http://frox.sourceforge.net/doc/FAQ.html
Paul.
Do you have access to ftp-server logs? Its likely those commands would be logged there.
If they aren't, your next option would be to configure the server to log them, if you have access.
If thats not an option or server does not log such things, then you have to go to either packet sniffer or a proxy, as suggested by previous posters.
On Unix, tcpdump might be your friend. Maybe you should first state which OS you're targeting, though.
If you have the ability (often requiring root access) to use a packet sniffer, tcpflow sniffing the TCP control channel will show you the commands and responses going back and forth in an easy-to-read format.
If you don't have such access, tools such as ktrace and strace will allow you to see all data read and written on the socket for this connection, though it will be a little work to extract it.
If you could tell us just what tool you were using for HTTP traffic, that would allow us to look for something similar for FTP traffic.