Hey chuck

Fantastic. I knew someone will know a trick on this list. Thanks everyone

Kit

Sent from my iPhone

On 21 Jul 2010, at 07:38, Chuck Tetlow 
<[email protected]<mailto:[email protected]>> wrote:

OK, yes there is a way to get that.  And maybe I shouldn't be passing along 
this trick.  But someone needs help.  So I pass it along and just hope no one 
on this list will abuse this ability.

Log into the server and change user to root.  Once root, you can run a program 
called "tcpdump".

This program that is built right into most flavors of Linux.  It gives you the 
ability to pull raw network layer 2 data right out of the interface.  And there 
a LOT of options to tell it what you want and how to display it.  Most of the 
data requires knowledge of the Ethernet layer and the TCP protocol of the 
network layer.  But to get this password, you can look for some key words.

First, to make it easy - get the IP address of that user who is checking his 
e-mail via POP.  Once you have the IP address of that user, use the command
tcpdump -An host xxx.xxx.xxx.xxx and tcp port 110

That command will dump the actual raw ASCII data (-A switch) and display in 
numeric without name lookups (-n switch).  You must tell it the host the 
connection is coming from with the keyword "host" followed by the IP address.  
You are filtering further by telling it "and" to add another filter rule, and 
"tcp port 110" is the port the POP3 protocol operates on.

What you'll wind up with is data from the TCP port 110 connection coming from 
that user.  But you get everything - all the TCP handshakes as it sets up the 
connection, checks the mail, and clears the connection.  It could result in a 
lot of lines of data.  Hopefully, it will only be 20 lines per POP check (if 
there was no e-mai).

Look in the lines of ASCII data for the keywords "USER" and a few lines down 
"PASS".  This is the originating computer's e-mail client telling the dovecot 
POP server the user's name for login, followed by the user's password.

Here is an example from a local test I did (to be sure it still worked before I 
sent this out):

01:06:06.677763 IP 98.23.181.194.61112 > 216.54.43.14.pop3: P 1:13(12) ack 21 
win 65320
[email protected]..,b....6.|...n......].P..(....USER bettyboop

01:06:06.677782 IP 216.54.43.14.pop3 > 98.23.181.194.61112: . ack 13 win 5840
E..(....@.@.^h.6.|b....n....].....P.......
01:06:06.677829 IP 216.54.43.14.pop3 > 98.23.181.194.61112: P 21:26(5) ack 13 
win 5840
e.....@.@.^b.6.|b....n....].....P.......+OK

01:06:06.705538 IP 98.23.181.194.61112 > 216.54.43.14.pop3: P 13:26(13) ack 26 
win 65315
[email protected]..)b....6.|...n......].P..#B$..PASS agu51167

As you can see, the user is identified by "USER" and the username "bettyboop".  
Then the password is sent to the dovecot server with "PASS" identification and 
the actual password "agu51167".

So - there you go.  A method to recover a user's password IF the user still has 
a working e-mail client.

Good luck Kit.



Chuck



P.S. - For the jokers out there - don't bother trying those user names or IP 
addresses.  I've changed them just enough to prevent any exploitation.  Or as 
the show stated "The names have been changed to protect the innocent".




---------- Original Message -----------
From: Kit Wong <[email protected]<mailto:[email protected]>>
To: "[email protected]<mailto:[email protected]>" 
<[email protected]<mailto:[email protected]>>
Sent: Tue, 20 Jul 2010 19:40:57 +0100
Subject: [BlueOnyx:05079]  OT get username + password from pop3 connections

> Hi all
>
> It may sound stupid but I have a client who has a pop3 connector that 
> connects to my bluequartz to pick up emails. The trouble is that he doesn't 
> know how to change the password on his system but I had to change it my end 
> and I don't know the original one I sent him.
>
> The question is: is there a way to view what his server is using to try to 
> authenticate? I know the username and am getting a lot of failures in 
> var/log/maillog and also /var/log/messages
>
> It's dovecot / sendmail bluequartz if it helps. I know this
>
> Thanks in advance
>
> It's
>
> _______________________________________________
> Blueonyx mailing list
> [email protected]<mailto:[email protected]>
> <http://www.blueonyx.it/mailman/listinfo/blueonyx> 
> http://www.blueonyx.it/mailman/listinfo/blueonyx
------- End of Original Message -------
_______________________________________________
Blueonyx mailing list
[email protected]<mailto:[email protected]>
http://www.blueonyx.it/mailman/listinfo/blueonyx


_______________________________________________
Blueonyx mailing list
[email protected]
http://www.blueonyx.it/mailman/listinfo/blueonyx

Reply via email to