[BlueOnyx:05082] Re: OT get username + password from pop3 connections

Chuck Tetlow chuck at tetlow.net
Wed Jul 21 01:09:55 -05 2010


OK, yes there is a way to get that.  And maybe I shouldn't be passing along this trick.  But someone needs help.  So I pass it along and just hope no one on this list will abuse this ability.

Log into the server and change user to root.  Once root, you can run a program called "tcpdump".

This program is built right into most flavors of Linux.  It gives you the ability to pull raw network layer 2 data right out of the interface.  And there are a LOT of options to tell it what you want and how to display it.  Most of the data requires knowledge of the Ethernet layer and the TCP protocol of the network layer.  But to get this password, you can look for some key words.

First, to make it easy - get the IP address of that user who is checking his e-mail via POP.  Once you have the IP address of that user, use the command
tcpdump -An host xxx.xxx.xxx.xxx and tcp port 110

That command will dump the actual raw ASCII data (-A switch) and display in numeric without name lookups (-n switch).  You must tell it the host the connection is coming from with the keyword "host" followed by the IP address.  You are filtering further by telling it "and" to add another filter rule, and "tcp port 110" is the port the POP3 protocol operates on.

What you'll wind up with is data from the TCP port 110 connection coming from that user.  But you get everything - all the TCP handshakes as it sets up the connection, checks the mail, and clears the connection.  It could result in a lot of lines of data.  Hopefully, it will only be 20 lines per POP check (if there was no e-mail).

Look in the lines of ASCII data for the keywords "USER" and a few lines down "PASS".  This is the originating computer's e-mail client telling the dovecot POP server the user's name for login, followed by the user's password.

Here is an example from a local test I did (to be sure it still worked before I sent this out):

01:06:06.677763 IP 98.23.181.194.61112 > 216.54.43.14.pop3: P 1:13(12) ack 21 win 65320
E..4e@.t..,b....6.|...n......].P..(....USER bettyboop

01:06:06.677782 IP 216.54.43.14.pop3 > 98.23.181.194.61112: . ack 13 win 5840
E..(..@.@.^h.6.|b....n....].....P.......
01:06:06.677829 IP 216.54.43.14.pop3 > 98.23.181.194.61112: P 21:26(5) ack 13 win 5840
E..-..@.@.^b.6.|b....n....].....P.......+OK

01:06:06.705538 IP 98.23.181.194.61112 > 216.54.43.14.pop3: P 13:26(13) ack 26 win 65315
E..5e.@.t..)b....6.|...n......].P..#B$..PASS agu51167

As you can see, the user is identified by "USER" and the username "bettyboop".  Then the password is sent to the dovecot server with "PASS" identification and the actual password "agu51167".

So - there you go.  A method to recover a user's password IF the user still has a working e-mail client.

Good luck Kit.

Chuck

P.S. - For the jokers out there - don't bother trying those user names or IP addresses.  I've changed them just enough to prevent any exploitation.  Or as the show stated "The names have been changed to protect the innocent".

---------- Original Message -----------
From: Kit Wong <Kit at simplysites.net> 
To: "blueonyx at blueonyx.it" <blueonyx at blueonyx.it> 
Sent: Tue, 20 Jul 2010 19:40:57 +0100 
Subject: [BlueOnyx:05079]  OT get username + password from pop3 connections

> Hi all 
> 
> It may sound stupid but I have a client who has a pop3 connector that connects to my bluequartz to pick up emails. The trouble is that he doesn't know how to change the password on his system but I had to change it my end and I don't know the original one I sent him. 
> 
> The question is: is there a way to view what his server is using to try to authenticate? I know the username and am getting a lot of failures in var/log/maillog and also /var/log/messages 
> 
> It's dovecot / sendmail bluequartz if it helps. I know this 
> 
> Thanks in advance 
> 
> It's 
> 
------- End of Original Message -------
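The same tcpdump -A stream is also what a defender can watch to learn where POP3 logins still cross the network in the clear (a reason to require STLS or port 995), without ever keeping the passwords. This is an added example, not code from the original post: the capture lines are constructed in the format shown above, with documentation IP addresses and a made-up user and password.

```python
import re

# tcpdump -n packet header: "HH:MM:SS.usec IP src.port > dst.port: ..."
HEADER_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP (\S+?)\.(\w+) > (\S+?)\.(\w+):")
# With -A the POP3 command sits at the end of the ASCII payload line
USER_RE = re.compile(r"USER (\S+)\s*$")
PASS_RE = re.compile(r"PASS \S+\s*$")
RESP_RE = re.compile(r"([+-](?:OK|ERR))")

def parse_capture(lines):
    """Pair each USER/PASS with the server's reply (+OK/-ERR); passwords are never kept."""
    logins, src, dst, pending_user, awaiting = [], None, None, None, None
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            src, dst = m.group(1), m.group(3)
            continue
        if src is None:
            continue  # payload before any header: nothing to attribute it to
        um = USER_RE.search(line)
        if um:
            pending_user = {"client": src, "server": dst, "user": um.group(1)}
        elif PASS_RE.search(line) and pending_user:
            # Record only that a plaintext PASS went over the wire, not its value
            awaiting = dict(pending_user, result="unknown")
            pending_user = None
        elif awaiting and src == awaiting["server"]:
            rm = RESP_RE.search(line)
            if rm:
                awaiting["result"] = rm.group(1)
                logins.append(awaiting)
                awaiting = None
    return logins

def alerts(lines):
    """One redacted alert line per plaintext login, suitable for a log or SIEM."""
    return [f"plaintext POP3 login for '{l['user']}' from {l['client']} to {l['server']}: {l['result']}"
            for l in parse_capture(lines)]

# Constructed sample in tcpdump -An style (binary header bytes shortened, documentation IPs)
SAMPLE = """\
01:06:06.677763 IP 203.0.113.7.61112 > 192.0.2.10.pop3: P 1:13(12) ack 21 win 65320
E..4e....USER bettyboop
01:06:06.677829 IP 192.0.2.10.pop3 > 203.0.113.7.61112: P 21:26(5) ack 13 win 5840
E..-.....+OK
01:06:06.705538 IP 203.0.113.7.61112 > 192.0.2.10.pop3: P 13:26(13) ack 26 win 65315
E..5e....PASS hunter2
01:06:06.710001 IP 192.0.2.10.pop3 > 203.0.113.7.61112: P 26:62(36) ack 26 win 5840
E..X.....-ERR [AUTH] Authentication failed.
""".splitlines()
```

Run against `tcpdump -An tcp port 110` output for the whole server rather than one host to get an inventory of every client still authenticating in the clear.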