Question:
I am interested in writing an email sniffer that saves all emails sent via web-based clients to the hard disk, but I can't work out how to do this. How can I catch HTTPS mail before it is encrypted?
I would really appreciate some useful info. I cannot find any information on the web. There's a program called HTTP Analyzer V5 that does exactly the thing I want to make.
How should I start?
If I make a packet sniffer, it's useless because all data is encrypted.
Is there any other option?
Answer 1:
You can't. The data is encrypted inside of the browser program before being sent over HTTP.
Since you only seem to have access to HTTP, it's too late.
You might want to consider a keylogger to intercept the text as it enters the browser form (and the keylogger needs to be able to catch pasted text).
Of course, most decent virus checkers will detect the keylogger.
Hardware keylogger?
It might help us to help you if you can explain more about what you want to do and where you have access.
Answer 2:
You can't decrypt HTTPS; however, you can use man-in-the-middle programs to catch the HTTPS connection before it's created and replace the website's certificate with your own, which you WOULD be able to decrypt. Look up ettercap and man-in-the-middle attacks.
Answer 3:
If you have hardware access in your local area it will be pretty easy, but nowadays you can't easily do sniffing. Since hubs have been replaced by switches, analyzers are worthless for this.
But HTTP runs over TCP (along with other backend protocols), so you can catch the TCP frames and redirect the stream to your PC (or to a specialized device with a microcontroller, because nowadays systems and programming platforms block low-level operations).
Answer 4:
Do you have control over the machines on which you intend to do this?
I used "The Grinder" before to capture HTTP requests for performance testing purposes, and it comes with a TCP Proxy component which logs all HTTP requests routed through it.
This includes the plain text content of form fields which are POSTed, which I assume would cover web mail "Send" buttons.
This may be a bit of a convoluted solution, but you could theoretically have the TCP Proxy running as a service on the client machine and have the connection pointed at the appropriate port on localhost.
I only ever took this as far as capturing my username and password as I logged into a web mail website (it worked), but nothing springs to mind immediately that would stop this from working on entire email messages.
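An added example, not from the thread and not The Grinder's own code: a minimal localhost HTTP logging proxy in Python that does what the TCP Proxy component is described as doing. It parses the form fields of every POST routed through it, logs them, and forwards the request upstream; `parse_raw_request` and `fields_from_raw_request` do the same parsing on a raw request read off a socket or a capture file, so the logic can be exercised offline. The listening address, the log format and the constructed sample request are assumptions. It handles plain HTTP only: an HTTPS client still has to be terminated with a substituted certificate before a proxy like this sees anything.

```python
# Added example (not from the thread or The Grinder): a localhost logging
# HTTP proxy. Listening address and log format are assumptions.
import logging
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs

LISTEN = ("127.0.0.1", 8080)          # assumption: the client's proxy setting points here
HOP_BY_HOP = {"host", "content-length", "proxy-connection", "connection",
              "keep-alive", "transfer-encoding"}


def extract_form_fields(content_type, body):
    """Decode an application/x-www-form-urlencoded body into {name: [values]}.
    Other body types (JSON, multipart) are kept whole under '_raw' so nothing
    is silently dropped."""
    mime = content_type.split(";", 1)[0].strip().lower()
    text = body.decode("utf-8", errors="replace")
    if mime == "application/x-www-form-urlencoded":
        return parse_qs(text, keep_blank_values=True)
    return {"_raw": [text]}


def parse_raw_request(raw):
    """Split a raw HTTP/1.x request (bytes, as read off a TCP stream) into
    (method, target, headers, body). Header names are lower-cased; the body
    is the Content-Length bytes after the blank line."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.decode("ascii").split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return method, target, headers, rest[:length]


def fields_from_raw_request(raw):
    """Offline path: what the proxy would log for one captured request."""
    method, _target, headers, body = parse_raw_request(raw)
    if method != "POST":
        return {}
    return extract_form_fields(headers.get("content-type", ""), body)


class LoggingProxyHandler(BaseHTTPRequestHandler):
    """Expects absolute-form targets (GET http://host/path), which is what a
    browser sends when it is configured to use an HTTP proxy."""

    def do_GET(self):
        self._forward(None)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        fields = extract_form_fields(self.headers.get("Content-Type", ""), body)
        logging.info("POST %s fields=%r", self.path, fields)   # the capture
        self._forward(body)

    def _forward(self, body):
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in HOP_BY_HOP}
        req = urllib.request.Request(self.path, data=body, headers=headers,
                                     method=self.command)
        try:
            resp = urllib.request.urlopen(req, timeout=15)
        except urllib.error.HTTPError as err:   # 4xx/5xx replies still carry a body
            resp = err
        data = resp.read()
        self.send_response(resp.code)
        for name, value in resp.headers.items():
            if name.lower() not in HOP_BY_HOP:
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    ThreadingHTTPServer(LISTEN, LoggingProxyHandler).serve_forever()
```

Run it, point the client at `http://127.0.0.1:8080` as its HTTP proxy (or try `curl -x http://127.0.0.1:8080 -d 'to=bob@example&body=hello' http://example.com/`), and each POST's decoded fields appear in the log before the request goes upstream.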
Answer 5:
You can write a browser extension that intercepts the HTTP request before the browser actually sends (and encrypts) it. The exact details depend on the browser you use (e.g. Firefox, Internet Explorer).
Answer 6:
Programs like HTTP Analyzer can catch the HTTPS data because they insert themselves into the HTTPS stack. As a result, they get the data after it's generated but before it is encrypted and put into IP packets. This is highly non-trivial.
An alternative might be to "build your own browser". This is easier than you'd think. Firefox is open source, and Internet Explorer is just a small graphical shell around the MSHTML web component. If you use your browser only with e.g. Gmail, then you don't need an address bar, favorites, view source, etc., so you can write an even smaller shell around MSHTML. Just hardcode Gmail, etc.
Answer 7:
Could you make a special web page for displaying Gmail that at the same time loads your own JavaScript file, e.g. in a hidden frame or DIV?
You could then intercept your email's string contents before they leave the browser's HTTP port and log them to a local text file.
This assumes Gmail doesn't use dynamic ID tags for its email forms.
Answer 8:
You can capture HTTPS traffic by hooking the encryption function that the email app uses. This is how the Zeus and SpyEye malware work.
There are several crypto functions that the email app might be using, e.g. CryptEncrypt or one of the OpenSSL encrypt functions.
On Windows, you can use MadCodeHook, Detours or some other API hooking method to hook the desired function. When the encryption function is intercepted, you can log the plain text and then call the original function.
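An added example, not from the thread and not Zeus, SpyEye, Detours or MadCodeHook code: the intercept, log, call-original shape this answer describes, written in Python. Instead of patching native code in CryptEncrypt, it interposes on a method at runtime inside its own process: `install_hook` swaps a class attribute for a wrapper that records the plaintext argument and then calls the original, returning whatever the original returns so callers see no difference. `hook_tls_writes` applies it to `ssl.SSLSocket.sendall`, the last point at which Python code holds data before the TLS layer encrypts it. The `ToyEncryptor` class is a constructed stand-in so the demonstration runs offline; the names are assumptions.

```python
# Added example (not from the thread): runtime interposition on an encryption
# entry point, logging the plaintext and then calling the original function.
import ssl


class HookLog:
    """Collects the plaintext each hooked call was asked to encrypt."""
    def __init__(self):
        self.records = []

    def __call__(self, data):
        self.records.append(bytes(data))


def install_hook(cls, name, log):
    """Replace cls.<name> with a wrapper that logs its first argument and then
    calls the original. Returns a function that restores the original."""
    original = getattr(cls, name)

    def hooked(self, data, *args, **kwargs):
        log(data)                                      # plaintext, pre-encryption
        return original(self, data, *args, **kwargs)   # transparent to the caller

    hooked.__wrapped__ = original                      # marks the attribute as hooked
    setattr(cls, name, hooked)

    def uninstall():
        setattr(cls, name, original)
    return uninstall


def is_hooked(cls, name):
    return hasattr(getattr(cls, name), "__wrapped__")


def hook_tls_writes(log):
    """Interpose on ssl.SSLSocket.sendall for every TLS socket in this process."""
    return install_hook(ssl.SSLSocket, "sendall", log)


def is_tls_hooked():
    return is_hooked(ssl.SSLSocket, "sendall")


class ToyEncryptor:
    """Constructed stand-in for a real encryption API. XOR is not encryption;
    it only makes the plaintext/ciphertext difference visible in the demo."""
    def __init__(self, key):
        self.key = key

    def encrypt(self, data):
        return bytes(b ^ self.key for b in data)


def demo(message=b"Subject: hello"):
    """Hook the stand-in, encrypt one message, unhook. Returns the captured
    plaintexts and the ciphertext, showing the hook left the result unchanged."""
    log = HookLog()
    uninstall = install_hook(ToyEncryptor, "encrypt", log)
    try:
        ciphertext = ToyEncryptor(0x5A).encrypt(message)
    finally:
        uninstall()
    return log.records, ciphertext


if __name__ == "__main__":
    records, ct = demo()
    print("captured:", records)
    print("ciphertext:", ct.hex())
```

The same pattern applied with `hook_tls_writes(HookLog())` before an HTTPS request is made in the same interpreter captures the HTTP request text ahead of encryption; it only covers code in this process, which is the same limitation the answer's Detours approach has per hooked process.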