Name: Serge Gorbunov 

Description: 
The basic idea behind the solution was to write a program to parse SMTP streams. While there are a lot of older languages
that are able to do the job just fine, some younger ones are making their way through.
Python is a great language that was chosen for this project for a few reasons:
	1) It has a few nice packages able to elegantly process networking data
	(I used the scapy collection of classes)
	2) It's Object-Oriented
	3) and a scripting language at the same time
	4) It's platform independent and can be easily compiled to a Windows executable
	
So, I decided to write an OO tool in Python and called it "smtpParser". The tool is completely
modular and flexible, with a few nice options available for the users.
Classes and methods are completely independent of this contest and can be easily
used by other modules/programs.

There are 3 main classes that were designed:
	- streamExtractor: This class is able to extract ANY data stream from a pcap file
	based on the port number. It takes an input file and a port number as parameters
	and returns a two-dimensional array of streams extracted for the given port.
	Every stream is a collection of scapy packet objects that can be used for whatever
	processing is needed.

	- smtpParser: This is the main class that provides methods for extracting SMTP
	data from the scapy packet objects. It is able to pull out general mail information,
	such as login ids, passwords, TO and FROM addresses, etc. It stores all this (and much more)
	information in a summary file for the SMTP stream, and extracts any attachments
	from it. It also records the checksum of every attachment in the summary file.
	Finally, if desired by the user, it is capable of extracting any media content from the docx
	files, storing it separately and also appending its checksums to the summary file.
	Attachment and image extraction are optional for the user and are
	enabled through the -a and -i options.

	- smtp: This is a simple class that is used to store basic SMTP information in an object,
	including the actual attachments in binary form.
	It can be easily passed, processed or serialized for later use.
	
	Every class is stored in a separate source file.
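As an added illustration of what the smtpParser and smtp classes described above have to do (this is example code written for this writeup, not the tool's own source, and it does not use scapy), the block below takes the client-to-server half of an SMTP session as one reassembled byte string, the shape a stream extractor would hand over, and walks it: it picks up the EHLO client id, base64-decodes the AUTH LOGIN username and password, records the MAIL FROM / RCPT TO envelope, undoes the dot-stuffing that RFC 5321 applies to message content, and hands the DATA section to Python's standard email parser to pull out the text body and any attachments with their MD5 checksums. The sample stream, the names and the credentials in it are constructed placeholders, not the contest's values.

```python
import base64
import hashlib
from email import message_from_bytes

# Constructed sample of the client half of an SMTP session, as a stream reassembler
# would deliver it. Every name, address and credential here is an invented placeholder;
# the "attachment" is a stand-in byte string, not a real document.
SAMPLE_ATTACHMENT = b"PK\x03\x04 placeholder bytes standing in for a docx"
SAMPLE_STREAM = b"".join([
    b"EHLO examplelaptop\r\n",
    b"AUTH LOGIN\r\n",
    base64.b64encode(b"user@example.test") + b"\r\n",
    base64.b64encode(b"s3cretpass") + b"\r\n",
    b"MAIL FROM:<user@example.test>\r\n",
    b"RCPT TO:<friend@example.test>\r\n",
    b"DATA\r\n",
    b"From: user@example.test\r\n",
    b"To: friend@example.test\r\n",
    b"Subject: hello\r\n",
    b"MIME-Version: 1.0\r\n",
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n',
    b"\r\n",
    b"--XYZ\r\n",
    b"Content-Type: text/plain\r\n",
    b"\r\n",
    b"..leading dot was dot-stuffed by the client\r\n",
    b"Meet me at the usual place.\r\n",
    b"--XYZ\r\n",
    b'Content-Type: application/octet-stream; name="notes.docx"\r\n',
    b"Content-Transfer-Encoding: base64\r\n",
    b'Content-Disposition: attachment; filename="notes.docx"\r\n',
    b"\r\n",
    base64.b64encode(SAMPLE_ATTACHMENT) + b"\r\n",
    b"--XYZ--\r\n",
    b".\r\n",
    b"QUIT\r\n",
])


def parse_smtp_stream(stream: bytes) -> dict:
    """Walk the client half of an SMTP conversation and collect the envelope,
    AUTH LOGIN credentials, the text body and any MIME attachments."""
    info = {"client_id": None, "username": None, "password": None,
            "mail_from": None, "rcpt_to": [], "body": "", "attachments": []}
    lines = stream.split(b"\r\n")
    i, auth_state = 0, 0   # auth_state: 0 idle, 1 expecting username, 2 expecting password
    while i < len(lines):
        line = lines[i]
        i += 1
        upper = line.upper()
        if auth_state == 1:
            info["username"] = base64.b64decode(line).decode(errors="replace")
            auth_state = 2
        elif auth_state == 2:
            info["password"] = base64.b64decode(line).decode(errors="replace")
            auth_state = 0
        elif upper.startswith((b"EHLO ", b"HELO ")):
            info["client_id"] = line.split(b" ", 1)[1].decode(errors="replace")
        elif upper.startswith(b"AUTH LOGIN"):
            # The username may be sent inline ("AUTH LOGIN <base64>") or on the next line.
            rest = line[10:].strip()
            if rest:
                info["username"] = base64.b64decode(rest).decode(errors="replace")
                auth_state = 2
            else:
                auth_state = 1
        elif upper.startswith(b"MAIL FROM:"):
            info["mail_from"] = line[10:].strip().decode(errors="replace")
        elif upper.startswith(b"RCPT TO:"):
            info["rcpt_to"].append(line[8:].strip().decode(errors="replace"))
        elif upper == b"DATA":
            # Message content runs until a line holding a single dot; a content line that
            # itself starts with a dot was sent with an extra leading dot (RFC 5321, 4.5.2).
            msg_lines = []
            while i < len(lines) and lines[i] != b".":
                raw = lines[i]
                msg_lines.append(raw[1:] if raw.startswith(b"..") else raw)
                i += 1
            i += 1   # skip the terminating "."
            _extract_mime(b"\r\n".join(msg_lines), info)
    return info


def _extract_mime(raw_message: bytes, info: dict) -> None:
    """Split the DATA section into its MIME parts: text goes to the body,
    named parts are decoded and checksummed as attachments."""
    msg = message_from_bytes(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        filename = part.get_filename()
        if filename:
            info["attachments"].append(
                {"name": filename, "md5": hashlib.md5(payload).hexdigest(), "data": payload})
        elif part.get_content_type() == "text/plain":
            info["body"] += payload.decode(errors="replace")


def render_summary(info: dict) -> str:
    """Render a summary in the spirit of the tool's streamSummary.txt."""
    out = ["###___General_Mail_Info___###", "",
           f"Client ID: {info['client_id']}", f"Username:  {info['username']}",
           f"Password:  {info['password']}", f"Mail From: {info['mail_from']}",
           f"Mail To:   {', '.join(info['rcpt_to'])}", "",
           "Attachment checksums found in the mail:"]
    out += [f"{a['name']} {a['md5']}" for a in info["attachments"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_summary(parse_smtp_stream(SAMPLE_STREAM)))
```

The parser only looks at the client direction; in a real capture the server's replies (the "334" prompts for AUTH LOGIN, for instance) arrive on the other half of the TCP conversation, so a stream extractor that keeps the two directions apart, as the one described above does by port, makes this state machine simple. Decoding the MIME parts with the standard library rather than by hand also means a quoted-printable or base64 body is handled the same way regardless of which transfer encoding the client chose.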

To add flexibility to the tool, some simple options were added:
-f (--file) Mandatory option followed by the pcap input file name
	
[Options]
-h (--help)        Print the help page
-d (--destanation) Destination path for output streams
-p (--port)        SMTP destination port number (default is 587)
-a (--attachments) Extract attachments from the emails
-i (--images)      Extract images from any docx files

So, in order to find all the answers we can run the tool with the following options:
"./smtpParser.py -f evidence02.pcap -d /tmp -a -i"
This will dump all SMTP streams found on the default destination port 587 into separate
directories, extract any attachments found and store them under their corresponding file names,
as well as extract media content from any docx files.

The program produces two stream directories:
stream0 stream1

and prints the following to stdout:
	2 streams extracted from the file on port 587
	Storing stream #0: srcIP = 192.168.1.159; dstIP = 64.12.102.142 into /tmp/stream0
	Successfully stored stream #0

	Storing stream #1: srcIP = 192.168.1.159; dstIP = 64.12.102.142 into /tmp/stream1
	Successfully stored stream #1

By simply going through the general mail info for stream0, we see that it is not the mail that
we are looking for. stream1 turns out to be the one.

Here's the general mail information stored in the /tmp/stream1/streamSummary.txt file:

###___General_Mail_Info___###

Source IP:      192.168.1.159
Destanation IP: 64.12.102.142
Client ID:      annlaptop

Source port:      1038
Destanation Post: 587

Username: sneakyg33k@aol.com
Password: 558r00lz

Mail From: <sneakyg33k@aol.com>
Mail To:   <mistersecretx@aol.com>

Attachment checksum found in the mail:
secretrendezvous.docx 9e423e11db88f01bbff81172839e1923
	Media checksums found in the attachment:
	image1.png aadeace50997b1ba24b09ac2ef1940b7

... Followed by the actual mail data...

We right away see the most valuable information about the email stream, such as username, password,
TO/FROM emails, source port numbers, IPs, etc.

Since we ran the tool with the -a option, it extracted any attachments from the streams.
We can see that the stream had one attachment, secretrendezvous.docx, and its checksum,
as well as get a copy of the actual attachment in the /tmp/stream1 directory.
We also ran the tool with the -i option, therefore asking it to extract any media content from the
docx attachments. There was only one media file in secretrendezvous.docx, named image1.png.
We can also see its checksum in the summary file as well as the actual image in the /tmp/stream1
directory.
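The -i step relies on the fact that a .docx is an ordinary zip container whose embedded pictures live under word/media/. The example below (added for this writeup; not the tool's own code) builds a small stand-in docx in memory, lists the media entries, computes their MD5 checksums and optionally writes them out. Because the entry names come from an attachment taken off the wire, they are normalised first and any entry that would resolve outside word/media/ is skipped, which is the check a practitioner wants before writing extracted files into a stream directory. The docx contents and the PNG bytes are constructed placeholders.

```python
import hashlib
import io
import os
import posixpath
import zipfile
from typing import Dict, List, Optional

# Constructed stand-in for an embedded image: a PNG signature plus filler, not a real picture.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def build_sample_docx() -> bytes:
    """Assemble a minimal docx-shaped zip in memory (constructed test input).
    The last entry deliberately carries a '..' path so the extractor's check is exercised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", FAKE_PNG)
        z.writestr("word/media/../../escape.txt", "must never be written outside dest")
    return buf.getvalue()


def extract_docx_media(docx_bytes: bytes, dest_dir: Optional[str] = None) -> List[Dict]:
    """Return name/md5/bytes for every file under word/media/ in a docx container.
    If dest_dir is given, each media file is also written there under its base name."""
    results = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            norm = posixpath.normpath(name)
            # Only accept entries that really resolve under word/media/ (no traversal).
            if not norm.startswith("word/media/") or ".." in norm.split("/"):
                continue
            if name.endswith("/"):
                continue   # directory entry, nothing to hash
            data = z.read(name)
            entry = {"name": posixpath.basename(norm),
                     "md5": hashlib.md5(data).hexdigest(),
                     "data": data}
            results.append(entry)
            if dest_dir is not None:
                with open(os.path.join(dest_dir, entry["name"]), "wb") as fh:
                    fh.write(data)
    return results


def media_summary(results: List[Dict]) -> str:
    """Format the media checksums the way the stream summary lists them."""
    lines = ["\tMedia checksums found in the attachment:"]
    lines += [f"\t{m['name']} {m['md5']}" for m in results]
    return "\n".join(lines)


if __name__ == "__main__":
    print(media_summary(extract_docx_media(build_sample_docx())))
```

Hashing the raw bytes read from the zip entry, rather than a file written to disk and re-read, keeps the checksum independent of anything the output path or filesystem might do to the file.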

By scrolling down a little bit in the stream summary file we can see the actual message:


Hi sweetheart! Bring your fake passport and a bathing suit. Address =

attached. love, Ann

Now we have all the information needed to answer our questions:

1. What is Ann’s email address?
sneakyg33k@aol.com

2. What is Ann’s email password?
558r00lz

3. What is Ann’s secret lover’s email address?
mistersecretx@aol.com

4. What two items did Ann tell her secret lover to bring?
fake passport and a bathing suit

5. What is the NAME of the attachment Ann sent to her secret lover?
secretrendezvous.docx

6. What is the MD5sum of the attachment Ann sent to her secret lover?
9e423e11db88f01bbff81172839e1923

7. In what CITY and COUNTRY is their rendez-vous point?
Playa del Carmen, Mexico

8. What is the MD5sum of the image embedded in the document?
aadeace50997b1ba24b09ac2ef1940b7

Please note that the tool requires scapy collection of classes to be installed on the system.
Download: http://www.secdev.org/projects/scapy/

The full source code of the program will also be available on my blog on November 23rd. (There are 3 source files)
http://gserge.com/smtpParser/smtpParser.py
http://gserge.com/smtpParser/smtp.py
http://gserge.com/smtpParser/streamExtractor.py

It has only been tested on Linux for now. I will probably test it on other platforms later.

Enjoy...


