Packet Sniffing Outlook -> Exchange using MAPI


I am trying to implement packet sniffing for traffic from an Outlook client to an Exchange server. This communication uses MAPI over HTTPS (Outlook Anywhere) as far as I can tell. I don't think I am using MAPI over RPC.

Traffic comes across as TLS, which I can decode in Wireshark as I have the appropriate certificate loaded. I cannot view the original content of the mail I sent during my test; it is still encoded.

How can I decode messages so I can read the original content in plain text?

I am creating temporary files for each stream that is handled and storing them unchunked and SSL-decoded. Example below. If I view said files in less, they appear to be binary:

PROCESSING

DONE

X-StartTime: Fri, 16 Dec 2016 23:17:12 GMT

X-ElapsedTime: 5

^@^@^@^@^@^@^@^@^@^@^@^@^B^@^@^@^@^E^@<9B>^B^A^E<80><9F>^@^D^D^C^A^@^@^@^A^A^Ctestets)^@s^@Y^@^Q^@h^@^V^@p^@^@^A^@^Q^@^B^A^@^E^@^@^O^B^A ^C^@^@9^C^@^O^C^@^E9^^@^X^@^X^@^@:^C^@q:^B^A^@^@^U^D^A=^C^@^X^A^^@8^@^X^@X^@^A`^^@f^A^A^D^@^@>^D ^F^@^H^@^@^@^@/o=ExchangeLabs/ou~^@ Administra^@^@^@^@tive Group (FYDIBOHF23SPDLT)/cn=^@^@ ^@Recipientsi^@cfb4ddc8c1ba4733a3d23^@^@^@^@4e1321845da-shayne.civi^@S^@h^@a^@y^@X^U^@n^@e^@ ^@C^@i^@v^X^@t<98>^@r<88>^@s^X^@^@(^@^^A<80>.^@c^@^^A^Q^@^@<9D>0^@^@w^@^@^@ܧ@B^P^Z^H^@+/<82>*^K^@^@O^Gh<9D> ^D^D<82>^A^@<80>^P^A^@@<87>^K @^@w(^@^@^Zd^@g(^@)^Atx^@o^@k^@<89>^Ao^@m@^B?^B ^^A^M ^M^A^@^P^@&^?_^ON<98> h5^GZ]w<83>~^@^B^@^W^R^K5^Ko^C ^F^M/8^@=^@E^@x<88>^@<89>^Bnz^ALH^@b8^A^@u^@i ^@A^@@ ^Bm<88>^Cn^X^@s^Br^@tX^@v^@Gx^@^ApX^@(^@F^@Y^@D^@I^@B^@O^@bESC^EEHh^@2^@3X^GP<98>^@L^@T^@)(^Cc8^B=^@R^AI^Fp^X^@<99>^Et^B^@c^@f<88>^D4GU^CdX^@8^X^@1x^@a<88>^@7h^B3H^@3^@^B4^A18^@2(^@8h^@5^@a^@-X^B^E<8F> ^A^@^@^P^@^@^G<93> ^W^@^Vs l<82>/<8A>MR]Oˌ^Sx^@^@^DUB^V^@^@^L^@^@^@^@^A^C^@^@^A^@^@^@^@

I have read through all the documentation I could find about these protocols (https://msdn.microsoft.com/en-us/library/cc425499(v=exchg.80).aspx).


EDIT:

With the use of a program called Fiddler and its Office Inspectors, specifically MAPIInspector, I am able to view almost all the information I need.

https://github.com/OfficeDev/Office-Inspectors-for-Fiddler

I am able to view in plain text: subject, recipient list, sender information, file attachment names, file attachment contents and much more, but I still cannot find the body of the message.

I believe the message is stored in: ExecuteRequestBody->ROPBuffer->Payload->ROPList->ROPWriteStreamRequest->Data.

I believe the ROPWriteStreamRequest is what I need.

The content is encrypted and/or obfuscated. I was able to find the obfuscation algorithm for RPC, which is XOR by 0xA5, but I am not sure if this is done before or after compression. I suspect the compression algorithm is LZ77.
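Added example (not code from the question, the answer, or MAPIInspector): a small Python parser for the RPC_HEADER_EXT blocks that wrap a ROP buffer, which removes the 0xA5 XOR obfuscation whenever the XorMagic flag is set. It assumes the header layout and flag values of MS-OXCRPC's RPC_HEADER_EXT (Version, Flags, Size, SizeActual as little-endian uint16; Compressed 0x0001, XorMagic 0x0002, Last 0x0004) and that the XOR is undone before decompression; LZ77/DIRECT2 decompression is not implemented, so compressed payloads are returned as-is and flagged, and the sample buffer is constructed rather than captured.

```python
import struct

# RPC_HEADER_EXT (assumed per MS-OXCRPC 2.2.2.2): Version, Flags, Size, SizeActual,
# little-endian uint16 each. Size = payload bytes after the header; SizeActual = decompressed size.
RPC_HEADER_EXT = struct.Struct("<HHHH")
FLAG_COMPRESSED = 0x0001  # payload is LZ77/DIRECT2 compressed
FLAG_XORMAGIC = 0x0002    # payload bytes are XORed with 0xA5
FLAG_LAST = 0x0004        # no further RPC_HEADER_EXT block follows
XOR_MAGIC = 0xA5


def deobfuscate(payload: bytes) -> bytes:
    """Undo the XorMagic obfuscation; XOR with 0xA5 is its own inverse."""
    return bytes(b ^ XOR_MAGIC for b in payload)


def split_extended_buffers(data: bytes) -> list:
    """Walk the chain of RPC_HEADER_EXT + payload blocks in a ROP buffer. The XOR is
    undone before decompression; Compressed blocks are returned as-is and flagged."""
    blocks = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < RPC_HEADER_EXT.size:
            raise ValueError("truncated RPC_HEADER_EXT at offset %d" % offset)
        version, flags, size, size_actual = RPC_HEADER_EXT.unpack_from(data, offset)
        offset += RPC_HEADER_EXT.size
        payload = data[offset:offset + size]
        if len(payload) != size:
            raise ValueError("payload truncated: Size=%d, have %d" % (size, len(payload)))
        offset += size
        if flags & FLAG_XORMAGIC:
            payload = deobfuscate(payload)
        compressed = bool(flags & FLAG_COMPRESSED)
        if not compressed and size_actual != size:
            raise ValueError("SizeActual %d != Size %d on uncompressed block" % (size_actual, size))
        blocks.append({"flags": flags, "compressed": compressed,
                       "size_actual": size_actual, "payload": payload})
        if flags & FLAG_LAST:
            break
    return blocks


def build_sample() -> bytes:
    """Constructed sample, not real MAPI traffic: two chained blocks, the first obfuscated."""
    first = b"constructed ROP bytes, not a real MAPI payload"
    second = b"second block, not obfuscated"
    return (RPC_HEADER_EXT.pack(0, FLAG_XORMAGIC, len(first), len(first))
            + deobfuscate(first)  # XOR applied on the way out = obfuscated on the wire
            + RPC_HEADER_EXT.pack(0, FLAG_LAST, len(second), len(second))
            + second)
```

Running `split_extended_buffers(build_sample())` returns both blocks with the first one's bytes restored; feed the de-obfuscated output of a block whose `compressed` flag is set to an LZ77/DIRECT2 decompressor before looking for the ROP structures.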

Sara2017 (best answer):

ExecuteRequestBody->ROPBuffer->Payload->ROPList->ROPWriteStreamRequest->Data stores the attachment content. The email content is stored in RopSetPropertiesRequest->PropertyValues->the 11th TaggedPropertyValue (whose property tag is PidTagBodyHtml). The content is in HTML format.