Just incase someone runs into the error below just do adduser pcap Fantastic stuff. Thank you all
Sent from my iPhone On 21 Jul 2010, at 08:19, Kit Wong <[email protected]> wrote: > Hi Chuck > > This is what I get when I use the tcpdump command logged in as root > > tcpdump -An host 80.229.58.39 and tcp port 110 > tcpdump: WARNING: arptype 65535 not supported by libpcap - falling back to > cooked socket > Couldn't find user 'pcap' > > what does that mean? > > Thanks in advance > > Kit > ________________________________________ > From: [email protected] [[email protected]] On Behalf > Of Chuck Tetlow [[email protected]] > Sent: 21 July 2010 07:09 > To: BlueOnyx General Mailing List > Subject: [BlueOnyx:05082] Re: OT get username + password from pop3 > connections > > OK, yes there is a way to get that. And maybe I shouldn't be passing along > this trick. But someone needs help. So I pass it along and just hope no one > on this list will abuse this ability. > > Log into the server and change user to root. Once root, you can run a > program called "tcpdump". > > This program that is built right into most flavors of Linux. It gives you > the ability to pull raw network layer 2 data right out of the interface. And > there a LOT of options to tell it what you want and how to display it. Most > of the data requires knowledge of the Ethernet layer and the TCP protocol of > the network layer. But to get this password, you can look for some key words. > > First, to make it easy - get the IP address of that user who is checking his > e-mail via POP. Once you have the IP address of that user, use the command > tcpdump -An host xxx.xxx.xxx.xxx and tcp port 110 > > That command will dump the actual raw ASCII data (-A switch) and display in > numeric without name lookups (-n switch). You must tell it the host the > connection is coming from with the keyword "host" followed by the IP address. > You are filtering further by telling it "and" to add another filter rule, > and "tcp port 110" is the port the POP3 protocol operates on. > > What you'll wind up with is data from the TCP port 110 connection coming from > that user. But you get everything - all the TCP handshakes as it sets up the > connection, checks the mail, and clears the connection. It could result in a > lot of lines of data. Hopefully, it will only be 20 lines per POP check (if > there was no e-mai). > > Look in the lines of ASCII data for the keywords "USER" and a few lines down > "PASS". This is the originating computer's e-mail client telling the dovecot > POP server the user's name for login, followed by the user's password. > > Here is an example from a local test I did (to be sure it still worked before > I sent this out): > > 01:06:06.677763 IP 98.23.181.194.61112 > 216.54.43.14.pop3: P 1:13(12) ack 21 > win 65320 > [email protected]..,b....6.|...n......].P..(....USER bettyboop > > 01:06:06.677782 IP 216.54.43.14.pop3 > 98.23.181.194.61112: . ack 13 win 5840 > E..(....@.@.^h.6.|b....n....].....P....... > 01:06:06.677829 IP 216.54.43.14.pop3 > 98.23.181.194.61112: P 21:26(5) ack 13 > win 5840 > e.....@.@.^b.6.|b....n....].....P.......+OK > > 01:06:06.705538 IP 98.23.181.194.61112 > 216.54.43.14.pop3: P 13:26(13) ack > 26 win 65315 > [email protected]..)b....6.|...n......].P..#B$..PASS agu51167 > > As you can see, the user is identified by "USER" and the username > "bettyboop". Then the password is sent to the dovecot server with "PASS" > identification and the actual password "agu51167". > > So - there you go. A method to recover a user's password IF the user still > has a working e-mail client. > > Good luck Kit. > > > > Chuck > > > > P.S. - For the jokers out there - don't bother trying those user names or IP > addresses. I've changed them just enough to prevent any exploitation. Or as > the show stated "The names have been changed to protect the innocent". > > > > > ---------- Original Message ----------- > From: Kit Wong <[email protected]> > To: "[email protected]" <[email protected]> > Sent: Tue, 20 Jul 2010 19:40:57 +0100 > Subject: [BlueOnyx:05079] OT get username + password from pop3 connections > >> Hi all >> >> It may sound stupid but I have a client who has a pop3 connector that >> connects to my bluequartz to pick up emails. The trouble is that he doesn't >> know how to change the password on his system but I had to change it my end >> and I don't know the original one I sent him. >> >> The question is: is there a way to view what his server is using to try to >> authenticate? I know the username and am getting a lot of failures in >> var/log/maillog and also /var/log/messages >> >> It's dovecot / sendmail bluequartz if it helps. I know this >> >> Thanks in advance >> >> It's >> >> _______________________________________________ >> Blueonyx mailing list >> [email protected] >> http://www.blueonyx.it/mailman/listinfo/blueonyx > ------- End of Original Message ------- > > > > _______________________________________________ > Blueonyx mailing list > [email protected] > http://www.blueonyx.it/mailman/listinfo/blueonyx _______________________________________________ Blueonyx mailing list [email protected] http://www.blueonyx.it/mailman/listinfo/blueonyx
