As an introduction to using Wireshark, I performed an exercise to analyze specific traffic. In this case it was SMTP (email) traffic. I captured both unencrypted and encrypted emails. Here is the data:
Identities used:
mark@cyberschlub.com (one extra, just for fun)
All certificates from Comodo 2048 bit
Mail Clients:
Thunderbird 52.3.0
Mac Mail 10.3
NOTE: It actually took more time for me to configure an insecure email system than it did to create, install, and use the certificates. Most email services I used have TLS turned on by default, and in most cases I was unable to disable it. The TLS-protected SMTP traffic was unreadable by Wireshark. Luckily Dreamhost still allows administrators to disable all security – this made the exercise more fun.
Sending unencrypted email:
Turned off TLS/SSL, using insecure POP3 username/password only.
Email content is in the clear:
Added digital signature and encryption:
The message is encrypted! The S/MIME encryption encrypts the payload of the email with a symmetric key, which is then encrypted with the asymmetric public key of the recipient (so that only the recipient’s private key can decrypt the message).
Algorithm
Key encryption (asymmetric) is RSA; message encryption (symmetric) is DES3-CBC.
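To make the envelope structure concrete, here is an added example (not code from the original post or from either mail client) of the hybrid scheme in Go: the body goes under a fresh 3DES key in DES3-CBC, and that key is transported under the recipient's RSA public key with PKCS#1 v1.5, the classic CMS key-transport mode. `Envelope`, `Seal` and `Open` are hypothetical names; this is not a CMS parser and will not decode a real S/MIME message, it only shows why the capture is unreadable without the recipient's private key.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"errors"
)

// Envelope is a hypothetical stand-in for the two pieces S/MIME EnvelopedData carries:
// the content-encryption key wrapped under the recipient's RSA key, and the DES3-CBC body.
type Envelope struct {
	WrappedKey, IV, Body []byte
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 { return nil, errors.New("bad ciphertext length") }
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) { return nil, errors.New("bad padding") }
	return b[:len(b)-n], nil
}

// Seal: fresh 168-bit 3DES key and IV, body in DES3-CBC, key transported with RSA PKCS#1 v1.5.
func Seal(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	kiv := make([]byte, 24+des.BlockSize)
	if _, err := rand.Read(kiv); err != nil { return nil, err }
	key, iv := kiv[:24], kiv[24:]
	blk, _ := des.NewTripleDESCipher(key) // a 24-byte key cannot fail here
	body := pkcs7Pad(msg, des.BlockSize)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(body, body)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	if err != nil { return nil, err }
	return &Envelope{WrappedKey: wrapped, IV: iv, Body: body}, nil
}

// Open unwraps the 3DES key with the recipient's private key; any other key fails at unwrap or padding.
func Open(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptPKCS1v15(rand.Reader, priv, e.WrappedKey)
	if err != nil { return nil, err }
	blk, err := des.NewTripleDESCipher(key)
	if err != nil { return nil, err }
	out := make([]byte, len(e.Body))
	cipher.NewCBCDecrypter(blk, e.IV).CryptBlocks(out, e.Body)
	return pkcs7Unpad(out, des.BlockSize)
}
```

Both algorithms observed here are legacy choices: current S/MIME deployments prefer AES for the content and RSA-OAEP (or ECDH) for key transport, so a mail client still negotiating DES3-CBC is worth flagging in a configuration review.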
Breaking the encryption with brute force?
Decrypting the message by brute force does not seem like a feasible approach, considering the strength of the encryption. A better approach would be to attack a host system that contains the private key. From our Kali Linux toolbox, John the Ripper / Johnny would be good tools once access to the host system has been obtained.