Just incase someone runs into the error below just do adduser pcap
Fantastic stuff. Thank you all

Sent from my iPhone

On 21 Jul 2010, at 08:19, Kit Wong <[email protected]> wrote:

> Hi Chuck
>
> This is what I get when I use the tcpdump command logged in as root
>
> tcpdump -An host 80.229.58.39 and tcp port 110
> tcpdump: WARNING: arptype 65535 not supported by libpcap - falling back to 
> cooked socket
> Couldn't find user 'pcap'
>
> what does that mean?
>
> Thanks in advance
>
> Kit
> ________________________________________
> From: [email protected] [[email protected]] On Behalf 
> Of Chuck Tetlow [[email protected]]
> Sent: 21 July 2010 07:09
> To: BlueOnyx General Mailing List
> Subject: [BlueOnyx:05082] Re: OT get username + password from pop3      
> connections
>
> OK, yes there is a way to get that.  And maybe I shouldn't be passing along 
> this trick.  But someone needs help.  So I pass it along and just hope no one 
> on this list will abuse this ability.
>
> Log into the server and change user to root.  Once root, you can run a 
> program called "tcpdump".
>
> This program that is built right into most flavors of Linux.  It gives you 
> the ability to pull raw network layer 2 data right out of the interface.  And 
> there a LOT of options to tell it what you want and how to display it.  Most 
> of the data requires knowledge of the Ethernet layer and the TCP protocol of 
> the network layer.  But to get this password, you can look for some key words.
>
> First, to make it easy - get the IP address of that user who is checking his 
> e-mail via POP.  Once you have the IP address of that user, use the command
> tcpdump -An host xxx.xxx.xxx.xxx and tcp port 110
>
> That command will dump the actual raw ASCII data (-A switch) and display in 
> numeric without name lookups (-n switch).  You must tell it the host the 
> connection is coming from with the keyword "host" followed by the IP address. 
>  You are filtering further by telling it "and" to add another filter rule, 
> and "tcp port 110" is the port the POP3 protocol operates on.
>
> What you'll wind up with is data from the TCP port 110 connection coming from 
> that user.  But you get everything - all the TCP handshakes as it sets up the 
> connection, checks the mail, and clears the connection.  It could result in a 
> lot of lines of data.  Hopefully, it will only be 20 lines per POP check (if 
> there was no e-mai).
>
> Look in the lines of ASCII data for the keywords "USER" and a few lines down 
> "PASS".  This is the originating computer's e-mail client telling the dovecot 
> POP server the user's name for login, followed by the user's password.
>
> Here is an example from a local test I did (to be sure it still worked before 
> I sent this out):
>
> 01:06:06.677763 IP 98.23.181.194.61112 > 216.54.43.14.pop3: P 1:13(12) ack 21 
> win 65320
> [email protected]..,b....6.|...n......].P..(....USER bettyboop
>
> 01:06:06.677782 IP 216.54.43.14.pop3 > 98.23.181.194.61112: . ack 13 win 5840
> E..(....@.@.^h.6.|b....n....].....P.......
> 01:06:06.677829 IP 216.54.43.14.pop3 > 98.23.181.194.61112: P 21:26(5) ack 13 
> win 5840
> e.....@.@.^b.6.|b....n....].....P.......+OK
>
> 01:06:06.705538 IP 98.23.181.194.61112 > 216.54.43.14.pop3: P 13:26(13) ack 
> 26 win 65315
> [email protected]..)b....6.|...n......].P..#B$..PASS agu51167
>
> As you can see, the user is identified by "USER" and the username 
> "bettyboop".  Then the password is sent to the dovecot server with "PASS" 
> identification and the actual password "agu51167".
>
> So - there you go.  A method to recover a user's password IF the user still 
> has a working e-mail client.
>
> Good luck Kit.
>
>
>
> Chuck
>
>
>
> P.S. - For the jokers out there - don't bother trying those user names or IP 
> addresses.  I've changed them just enough to prevent any exploitation.  Or as 
> the show stated "The names have been changed to protect the innocent".
>
>
>
>
> ---------- Original Message -----------
> From: Kit Wong <[email protected]>
> To: "[email protected]" <[email protected]>
> Sent: Tue, 20 Jul 2010 19:40:57 +0100
> Subject: [BlueOnyx:05079]  OT get username + password from pop3 connections
>
>> Hi all
>>
>> It may sound stupid but I have a client who has a pop3 connector that 
>> connects to my bluequartz to pick up emails. The trouble is that he doesn't 
>> know how to change the password on his system but I had to change it my end 
>> and I don't know the original one I sent him.
>>
>> The question is: is there a way to view what his server is using to try to 
>> authenticate? I know the username and am getting a lot of failures in 
>> var/log/maillog and also /var/log/messages
>>
>> It's dovecot / sendmail bluequartz if it helps. I know this
>>
>> Thanks in advance
>>
>> It's
>>
>> _______________________________________________
>> Blueonyx mailing list
>> [email protected]
>> http://www.blueonyx.it/mailman/listinfo/blueonyx
> ------- End of Original Message -------
>
>
>
> _______________________________________________
> Blueonyx mailing list
> [email protected]
> http://www.blueonyx.it/mailman/listinfo/blueonyx

_______________________________________________
Blueonyx mailing list
[email protected]
http://www.blueonyx.it/mailman/listinfo/blueonyx

Reply via email to