[BlueOnyx:05086] Re: OT get username + password frompop3 connections

Peter Maguire pm at nm.tm
Wed Jul 21 12:14:12 -05 2010




From: Kit Wong 
Sent: Wednesday, July 21, 2010 7:58 AM
To: BlueOnyx General Mailing List 
Cc: BlueOnyx General Mailing List 
Subject: [BlueOnyx:05084] Re: OT get username + password frompop3 connections


Hey chuck


Fantastic. I knew someone on this list would know a trick. Thanks everyone


Kit

Sent from my iPhone

On 21 Jul 2010, at 07:38, Chuck Tetlow <chuck at tetlow.net> wrote:


  OK, yes there is a way to get that.  And maybe I shouldn't be passing along this trick.  But someone needs help.  So I pass it along and just hope no one on this list will abuse this ability. 

  Log into the server and change user to root.  Once root, you can run a program called "tcpdump". 

  This program is built right into most flavors of Linux.  It gives you the ability to pull raw network layer 2 data right out of the interface.  And there are a LOT of options to tell it what you want and how to display it.  Most of the data requires knowledge of the Ethernet layer and the TCP protocol of the network layer.  But to get this password, you can look for some key words. 

  First, to make it easy - get the IP address of that user who is checking his e-mail via POP.  Once you have the IP address of that user, use the command 
  tcpdump -An host xxx.xxx.xxx.xxx and tcp port 110 

  That command will dump the actual raw ASCII data (-A switch) and display in numeric without name lookups (-n switch).  You must tell it the host the connection is coming from with the keyword "host" followed by the IP address.  You are filtering further by telling it "and" to add another filter rule, and "tcp port 110" is the port the POP3 protocol operates on. 

  What you'll wind up with is data from the TCP port 110 connection coming from that user.  But you get everything - all the TCP handshakes as it sets up the connection, checks the mail, and clears the connection.  It could result in a lot of lines of data.  Hopefully, it will only be 20 lines per POP check (if there was no e-mail). 

  Look in the lines of ASCII data for the keywords "USER" and a few lines down "PASS".  This is the originating computer's e-mail client telling the dovecot POP server the user's name for login, followed by the user's password. 

  Here is an example from a local test I did (to be sure it still worked before I sent this out): 

  01:06:06.677763 IP 98.23.181.194.61112 > 216.54.43.14.pop3: P 1:13(12) ack 21 win 65320 
  E..4e at .t..,b....6.|...n......].P..(....USER bettyboop 

  01:06:06.677782 IP 216.54.43.14.pop3 > 98.23.181.194.61112: . ack 13 win 5840 
  E..(.. at .@.^h.6.|b....n....].....P....... 
  01:06:06.677829 IP 216.54.43.14.pop3 > 98.23.181.194.61112: P 21:26(5) ack 13 win 5840 
  E..-.. at .@.^b.6.|b....n....].....P.......+OK 

  01:06:06.705538 IP 98.23.181.194.61112 > 216.54.43.14.pop3: P 13:26(13) ack 26 win 65315 
  E..5e. at .t..)b....6.|...n......].P..#B$..PASS agu51167 

  As you can see, the user is identified by "USER" and the username "bettyboop".  Then the password is sent to the dovecot server with "PASS" identification and the actual password "agu51167". 

  So - there you go.  A method to recover a user's password IF the user still has a working e-mail client. 

  Good luck Kit. 



  Chuck 



  P.S. - For the jokers out there - don't bother trying those user names or IP addresses.  I've changed them just enough to prevent any exploitation.  Or as the show stated "The names have been changed to protect the innocent". 




  ---------- Original Message ----------- 
  From: Kit Wong <Kit at simplysites.net> 
  To: "blueonyx at blueonyx.it" <blueonyx at blueonyx.it> 
  Sent: Tue, 20 Jul 2010 19:40:57 +0100 
  Subject: [BlueOnyx:05079]  OT get username + password from pop3 connections 

  > Hi all 
  > 
  > It may sound stupid but I have a client who has a pop3 connector that connects to my bluequartz to pick up emails. The trouble is that he doesn't know how to change the password on his system but I had to change it my end and I don't know the original one I sent him. 
  > 
  > The question is: is there a way to view what his server is using to try to authenticate? I know the username and am getting a lot of failures in var/log/maillog and also /var/log/messages 
  > 
  > It's dovecot / sendmail bluequartz if it helps. I know this 
  > 
  > Thanks in advance 
  > 
  > It's 
  > 
  > _______________________________________________ 
  > Blueonyx mailing list 
  > Blueonyx at blueonyx.it 
  > http://www.blueonyx.it/mailman/listinfo/blueonyx 
  ------- End of Original Message ------- 



Emm??? Not tricks, just info out there.  I reckon we should be much more aware of these.

dsniff is much easier --- it just throws out the info you need.


regards
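As an added example that is not part of this thread, here is a small Python audit that parses the kind of "tcpdump -An ... tcp port 110" output Chuck shows above, works out which POP3 clients sent PASS without first issuing STLS, and reports the client address and username while discarding the password itself; the capture text is constructed and the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample of "tcpdump -An ... tcp port 110" output, modelled on the
# thread's example: documentation-range addresses, made-up credentials, and the
# dotted IP/TCP header bytes in front of each payload abbreviated.
SAMPLE_CAPTURE = """\
01:06:06.677763 IP 192.0.2.10.61112 > 198.51.100.5.pop3: P 1:13(12) ack 21 win 65320
E..4e@.t..,b....6.|...n......].P..(....USER bettyboop
01:06:06.705538 IP 192.0.2.10.61112 > 198.51.100.5.pop3: P 13:26(13) ack 26 win 65315
E..5e.@.t..)b....6.|...n......].P..#B$..PASS agu51167
01:06:07.100000 IP 192.0.2.11.50001 > 198.51.100.5.pop3: P 1:7(6) ack 21 win 65320
E..5e.@.t..)b....6.|...n......].P..#B$..STLS
01:06:07.200000 IP 198.51.100.5.pop3 > 192.0.2.11.50001: P 21:44(23) ack 7 win 5840
E..-..@.@.^b.6.|b....n....].....P.......+OK Begin TLS negotiation
"""

# "IP <src>.<sport> > <dst>.<dport>:" as printed with -n; ports may still show
# as service names such as "pop3" unless -nn is used.
HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\S+?)\.(\w+) > (\S+?)\.(\w+):")
CMD = re.compile(r"\b(USER|PASS|STLS)\b(?: (\S+))?")
POP3_PORTS = {"110", "pop3"}

@dataclass
class Flow:
    client: str
    username: str = ""
    tls_started: bool = False

def audit_pop3_capture(text):
    """(client_ip, username, "plaintext") for each PASS sent before STLS.
    Only client->server packets are inspected and the password is discarded."""
    flows, current, findings = {}, None, []
    for line in text.splitlines():
        hdr = HDR.match(line)
        if hdr:                      # new packet: select the flow it belongs to
            src, sport, _dst, dport = hdr.groups()
            current = flows.setdefault((src, sport), Flow(src)) if dport in POP3_PORTS else None
            continue
        cmd = CMD.search(line) if current else None   # payload line of a client packet
        if not cmd:
            continue
        verb, arg = cmd.groups()
        if verb == "STLS":
            current.tls_started = True   # everything after this is encrypted
        elif verb == "USER":
            current.username = arg or ""
        elif verb == "PASS" and not current.tls_started:
            findings.append((current.client, current.username, "plaintext"))
    return findings
```

Any client this lists is sending its password in the clear on the wire, which is exactly what the capture above relies on; the fix is STLS/TLS on the client and, on the Dovecot side, disable_plaintext_auth = yes so that such logins are refused rather than captured.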

