This project involved identifying phishing emails by analyzing packet capture (PCAP) files in Wireshark, filtering the SMTP traffic to find the malicious emails sent by a bad actor. I was able to extract the email content, confirm that the messages were phishing attempts, and pinpoint the IP address of the host that sent them. Here's a step-by-step guide on how I completed the project.
Step-by-Step Guide
First, I downloaded the pcap_files.zip file and unzipped it using the command:
unzip pcap_files.zip
After extracting the files, I opened them individually in Wireshark. Since the goal was to analyze email traffic, the primary protocol I focused on was SMTP (Simple Mail Transfer Protocol).
To identify emails sent over the network, I used the SMTP filter in Wireshark. Applying the filter helped me isolate email traffic from all the other captured packets. The filter I used was:
smtp
This filter displayed only SMTP-related traffic, including the envelope commands (MAIL FROM, RCPT TO, DATA) and the message bodies. The bodies are readable only because the captured sessions carry plaintext SMTP; if a session had negotiated STARTTLS, the filter would still show the commands up to that point, but everything after the TLS handshake would be encrypted and show up as TLS packets instead.
As I was reviewing the packet captures, I noticed that in File C one IP address kept opening SMTP sessions to several different mail servers and delivering a large number of messages. This stood out against the rest of the traffic and made me suspect that the address belonged to the malicious actor. A quick way to confirm the impression is Statistics -> Conversations (IPv4 tab) with "Limit to display filter" ticked while the smtp filter is applied, which lists how many SMTP conversations and how many bytes each source address is responsible for.
To read the email contents, I narrowed the filter to the packets that carry SMTP's End of Message (EOM) marker. The marker is not a command: it is the line containing a single period (<CRLF>.<CRLF>) that the client sends to terminate the DATA phase, and Wireshark reassembles the whole message in the packet that carries it. The filter I applied was:
smtp.eom
Because the reassembled message is dissected in that packet, the Internet Message Format (IMF) headers and body are readable in the packet details pane; the filter imf gives the same view, showing only packets with a fully reassembled message. Reading the messages confirmed that the emails from the suspicious IP address were phishing attempts. They contained threatening messages claiming that the attacker had access to the recipient's passwords and personal data and demanding payment to prevent the leak.
Once I identified the phishing emails, I exported the reassembled messages as .eml files to see how they would appear to the victim. This step gave a better view of the formatting and presentation of the phishing emails. To export them, I went to:
File -> Export Objects -> IMF...
The dialog lists one entry per reassembled message, with the packet number it was reassembled in and its size. I saved the specific phishing emails, which can later be opened in an email client such as Outlook or Mail.
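The steps above can be reproduced in code, which makes the "one host mailing many recipients" heuristic and the content check repeatable across many captures. The Python below is an added example, not part of the original project or of Wireshark: it splits each client-to-server SMTP stream into its envelope and DATA section (undoing dot-stuffing and stopping at the <CRLF>.<CRLF> marker that smtp.eom matches), parses the message with the standard library the way Wireshark's IMF dissector does, counts distinct recipients per source IP, and flags messages carrying extortion wording. The SMTP sessions, host names, addresses other than 10.6.1.104, the extortion patterns and the thresholds are all constructed assumptions for the example.

```python
"""Triage of plaintext SMTP sessions for extortion-style phishing.

Added example, not from the original write-up. It does in code what the
Wireshark steps do by hand. All sessions below are constructed samples:
10.6.1.104 is the address from the write-up; every other host, address,
subject and message text is made up.
"""
import email
import email.policy
import re
from collections import defaultdict

# Wording typical of the "I have your password, pay me" scam; a message is
# flagged when at least two patterns match (patterns and threshold assumed).
EXTORTION_PATTERNS = [r"\bpassword", r"\bpersonal data\b", r"\bbitcoin\b",
                      r"\bleak\b", r"\bpay\b"]


def _extortion_session(rcpt: str) -> bytes:
    """Build a constructed sextortion session to one recipient (sample data)."""
    r = rcpt.encode()
    return (b"EHLO mailer\r\n"
            b"MAIL FROM:<security-alert@example.invalid>\r\n"
            b"RCPT TO:<" + r + b">\r\n"
            b"DATA\r\n"
            b"From: security-alert@example.invalid\r\n"
            b"To: " + r + b"\r\n"
            b"Subject: Your account has been hacked\r\n"
            b"\r\n"
            b"I have your password and copies of your personal data.\r\n"
            b"Pay 500 USD in bitcoin within 48 hours\r\n"
            b"....or I leak everything to your contacts.\r\n"  # dot-stuffed "..."
            b".\r\n"                                            # end of message
            b"QUIT\r\n")


# (src_ip, dst_ip, client->server bytes). In a real capture these come from
# Follow TCP Stream or tshark's reassembly of each SMTP conversation.
SESSIONS = [
    ("10.6.1.104", "10.6.1.20", _extortion_session("alice@example.invalid")),
    ("10.6.1.104", "10.6.1.20", _extortion_session("bob@example.invalid")),
    ("10.6.1.104", "10.6.1.21", _extortion_session("carol@example.invalid")),
    ("10.6.1.50", "10.6.1.20",
     b"EHLO workstation\r\nMAIL FROM:<dave@example.invalid>\r\n"
     b"RCPT TO:<alice@example.invalid>\r\nDATA\r\n"
     b"From: dave@example.invalid\r\nTo: alice@example.invalid\r\n"
     b"Subject: Lunch\r\n\r\nNoon at the usual place?\r\n.\r\nQUIT\r\n"),
]


def parse_session(stream: bytes):
    """Split a client stream into (mail_from, rcpt_to list, raw message bytes)."""
    mail_from, rcpts, body, in_data = None, [], [], False
    for line in stream.split(b"\r\n"):
        if in_data:
            if line == b".":                 # <CRLF>.<CRLF>: what smtp.eom matches
                in_data = False
            else:
                if line.startswith(b".."):   # RFC 5321 dot-unstuffing
                    line = line[1:]
                body.append(line)
        elif line.upper().startswith(b"MAIL FROM:"):
            mail_from = line[10:].strip().strip(b"<>").decode()
        elif line.upper().startswith(b"RCPT TO:"):
            rcpts.append(line[8:].strip().strip(b"<>").decode())
        elif line.upper() == b"DATA":
            in_data = True
    return mail_from, rcpts, b"\r\n".join(body) + b"\r\n"


def analyze(sessions):
    """Return ({src_ip: set of recipients}, [flagged message dicts])."""
    per_src, flagged = defaultdict(set), []
    for src, dst, stream in sessions:
        mail_from, rcpts, raw = parse_session(stream)
        per_src[src].update(rcpts)
        # Same parse Wireshark's IMF dissector performs on the reassembled data.
        msg = email.message_from_bytes(raw, policy=email.policy.default)
        part = msg.get_body(preferencelist=("plain", "html"))
        text = part.get_content() if part is not None else ""
        hits = [p for p in EXTORTION_PATTERNS if re.search(p, text, re.I)]
        if len(hits) >= 2:
            flagged.append({"src": src, "dst": dst, "mail_from": mail_from,
                            "rcpts": rcpts, "subject": str(msg["Subject"]),
                            "hits": hits, "eml": raw})
    return per_src, flagged


def suspect_sources(per_src, min_recipients=3):
    """Source IPs that mailed at least min_recipients distinct addresses."""
    return sorted(ip for ip, rc in per_src.items() if len(rc) >= min_recipients)


if __name__ == "__main__":
    per_src, flagged = analyze(SESSIONS)
    for ip in suspect_sources(per_src):
        print(f"{ip}: {len(per_src[ip])} distinct recipients")
    for f in flagged:
        print(f"{f['src']} -> {f['dst']} {f['subject']!r} matched {f['hits']}")
        # f["eml"] is the reassembled message, the same bytes that
        # File -> Export Objects -> IMF... writes out as a .eml file.
        with open(f"{f['src']}-{f['rcpts'][0]}.eml", "wb") as fh:
            fh.write(f["eml"])
```

The source IP used for attribution is taken from the TCP connection, not from MAIL FROM or the From: header, because both of those are set by the sender. Counting distinct RCPT TO addresses per source is a more direct measure of "mass mailing" than counting packets, since one session can carry many recipients.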
Results
Malicious Actor's IP Address: 10.6.1.104 - Identified from File C as the host sending the phishing emails to multiple recipients. This is the source address of the host that opened the SMTP connections, which is the one thing the capture establishes directly; the MAIL FROM envelope sender and the From: header inside the messages are chosen by the sender and should not be used for attribution. 10.6.1.104 is a private (RFC 1918) address, so the sender is a host on the captured local network rather than an internet address.
Explanation: By filtering the network traffic using SMTP-related commands in Wireshark, I identified an IP address responsible for sending phishing emails. These emails demanded money and threatened to leak personal data. Exporting the emails as .eml files provided a full view of the scam from the victim’s perspective.
Conclusion
This project provided hands-on experience with analyzing PCAP files and identifying malicious activities like phishing. It also helped improve my skills in using Wireshark for cybersecurity investigations, especially in analyzing email traffic and extracting useful information.