Writing email sniffer

浪尽此生 提交于 2019-12-05 01:57:29

问题


I am interested in writing an email sniffer that saves all emails sent via web based clients to hd, but I can't work out how to do this. How can I catch HTTPS mail before it is encrypted?

I would really appriciate some useful info. I cannot find anything information on the web. There's a program called HTTP Analyzer V5 that does the exact thing I want to make.

How should I start?

If I make a packet sniffer, it's useless because all data is encrypted.

Is there any other option?


回答1:


You can't. The data is encrypted inside of the browser program before being sent over HTTP.

Since you only seem to have access to HTTP, it's too late.

You might want to consider a keylogger to intercept the text as it enters the browser form (and the keylogger needs to be able to catch pasted text).

Of course, most decent virus checkers will detect the keylogger.

Hardware keylogger?

It might help us to help you if you cna explain more about what you want to do and where you have access.




回答2:


You can't decrypt HTTPS, however, you can use man-in-the-middle programs to catch the HTTPS connection before it's created, and change the website's certificate with your own, which you WOULD be able to decrypt. Look up ettercap, and man-in-the-middle attacks.




回答3:


If you have hardware contact in your local area it will by preaty easy, but now days you can't easy do sniffing. When hubs are replaced by switches analyzers are worthless for this. But http is over tcp (supplied with others backend protocols) so you can catch tcp frame and do some mash direct stream to your pc (or specialized device with uC because nowdays systems and programming platforms block low level operations).




回答4:


Do you have control over the machines on which you intend to do this?

I used "The Grinder" before to capture HTTP requests for performance testing purposes, and it comes with a TCP Proxy component which logs all HTTP requests routed through it.

This includes the plain text content of form fields which are POSTed, which I assume would cover web mail "Send" buttons.

This may be a bit of a convoluted solution, but you could theoretically have the TCP Proxy running as a service on the client machine and have the connection pointed at the appropriate port on localhost.

I only ever took this as far as capturing my username and password as I logged into a web mail website (it worked), but nothing springs to mind immediately that would stop this from working on entire email messages.




回答5:


You can write a browser extension that intercepts the HTTP request before the browser actually sends (and encrypts it). The exact details depend on the browser you use (e.g. Firefox, Explorer).




回答6:


Programs like HTTP Analyzer can catch the HTTPS data because they insert themselves in the HTTPS stack. As a result, they get the data after it's generated but before it's being encrypted and put in IP packets. This is highly non-trivial.

An alternative might be to "build your own browser". This is easier than you'd think. FireFox is open source, and Internet Explorer is just a small graphic shell around the MSHTML web component. If you use your browser only with e.g. Gmail, then you don't need an address bar, favorites, view source etcetera, so you can write an even smaller shell around MSHTML. Just hardcode in GMail etcetera.




回答7:


Could you make a special webpage for displaying GMail that can at the same time load your own JavaScript file, such as in a hidden frame or DIV etc?

You could then intercept your email's string contents before it leaves the HTTP port of the browser, and logs itself onto a local text file?

This is assuming GMail don't use dynamic ID tags for their email forms




回答8:


You can capture HTTPS traffic by hooking the encryption function that the email app uses. This is how the Zeus and SpyEye malware works.

There are several crypto functions that the email app might be using eg CryptEncrypt or one of the openssl encrypt functions.

On Windows, you can use use MadCodeHook, Detours or some other API hooking method to hook the desired function. When the encryption function is intercepted, you can log the plain text and then call the original function.



来源:https://stackoverflow.com/questions/3014129/writing-email-sniffer

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!