IMAP/POP3 Password Recovery
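<?php

/*
 * IMAP/POP3 plaintext credential capture, for migrating accounts off a server
 * whose password store cannot be exported.
 *
 * Tails tcpdump on all local interfaces for unencrypted POP3/IMAP login
 * traffic and records the first username/password pair seen for each account
 * listed in users-to-find.txt (one username per line) into results.csv as
 * "username,password". Stops once every listed user has been captured, or
 * when the tcpdump pipeline exits.
 *
 * Operational caveats:
 *  - Needs root (or CAP_NET_RAW) for tcpdump, on a host that sees the mail
 *    traffic. Sessions protected by TLS/STARTTLS are invisible to it.
 *  - results.csv contains cleartext passwords. It is forced to mode 0600 below
 *    and must be deleted as soon as the migration is done.
 *  - POP3 sends USER and PASS in separate packets. A PASS is paired with the
 *    most recently seen wanted USER, which can mis-pair on a busy server.
 */

// --- Load the accounts we still need credentials for -------------------------
$userFile = 'users-to-find.txt';
$rawLines = is_readable($userFile) ? file($userFile, FILE_IGNORE_NEW_LINES) : false;
if ($rawLines === false) {
    fwrite(STDERR, "Cannot read $userFile\n");
    exit(1);
}

// Store the wanted usernames as a set: O(1) membership tests, and duplicates or
// blank lines in the input no longer inflate the "total" the loop waits for
// (either would previously have made the script run forever).
$users = [];
foreach ($rawLines as $line) {
    $name = trim($line);
    if ($name !== '') {
        $users[$name] = true;
    }
}
$totalUsers = count($users);
if ($totalUsers === 0) {
    fwrite(STDERR, "No usernames found in $userFile\n");
    exit(1);
}

// --- Open the output file once, owner-readable only -------------------------
$resultsFile = 'results.csv';
$out = fopen($resultsFile, 'a');
if ($out === false) {
    fwrite(STDERR, "Cannot open $resultsFile for appending\n");
    exit(1);
}
// The file holds cleartext passwords; refuse to continue if it cannot be locked
// down rather than leave it at the default umask (typically world-readable).
if (!chmod($resultsFile, 0600)) {
    fwrite(STDERR, "Cannot restrict permissions on $resultsFile\n");
    fclose($out);
    exit(1);
}

// --- Start the capture -------------------------------------------------------
// The pipeline is a fixed string; no user-controlled input reaches the shell.
// egrep pre-filters to the three login shapes so PHP only sees candidate lines.
$capture = popen('/usr/sbin/tcpdump -i any port pop3 or port imap -l -A | /bin/egrep -i \'user |pass |LOGIN ".*" ".*"\' --line-buffered', 'r');
if ($capture === false) {
    fwrite(STDERR, "Failed to start the tcpdump pipeline\n");
    fclose($out);
    exit(1);
}

$found = [];             // usernames already written to results.csv (set)
$foundUsers = 0;
$pendingPop3User = null; // wanted POP3 USER seen, waiting for its PASS

// Loop on the count rather than a flag so an over-count can never leave us
// spinning past the target.
while ($foundUsers < $totalUsers) {
    $dump = fgets($capture);
    if ($dump === false) {
        // EOF: tcpdump exited (not root, bad interface, killed). popen() itself
        // succeeds in those cases, so this is where the failure surfaces; bail
        // instead of spinning forever on a dead pipe.
        fwrite(STDERR, "tcpdump pipeline ended with $foundUsers/$totalUsers users captured\n");
        break;
    }

    // IMAP: LOGIN carries the username and password in a single command.
    if (preg_match('/LOGIN "(.*)" "(.*)"/', $dump, $m) === 1) {
        $user = trim($m[1]);
        if (isset($users[$user]) && !isset($found[$user])) {
            $found[$user] = true;
            $foundUsers++;
            fputcsv($out, [$user, trim($m[2])]);
            fflush($out); // make progress durable if the script is killed mid-run
            echo "$foundUsers/$totalUsers - IMAP\n";
        }
    }

    // POP3: USER and PASS arrive as separate commands, so pair them up.
    if ($pendingPop3User !== null) {
        if (preg_match('/PASS (.*)/', $dump, $m) === 1) {
            $user = $pendingPop3User;
            $pendingPop3User = null;
            // The IMAP branch may have recorded this user since USER was seen;
            // recording it twice would double-count and overshoot the total.
            if (!isset($found[$user])) {
                $found[$user] = true;
                $foundUsers++;
                fputcsv($out, [$user, trim($m[1])]);
                fflush($out);
                echo "$foundUsers/$totalUsers - POP3\n";
            }
        }
    } elseif (preg_match('/USER (.*)/', $dump, $m) === 1) {
        $user = trim($m[1]);
        if (isset($users[$user]) && !isset($found[$user])) {
            $pendingPop3User = $user;
        }
    }
}

fclose($out);
// pclose() waits for the pipeline to exit; tcpdump only notices the closed pipe
// on its next matching packet, so on a quiet server this may pause until then.
// results.csv is already flushed, so interrupting here loses nothing.
pclose($capture);
echo 'ALL DONE!'."\n\n";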
This is a quick and dirty script that scrapes the passwords of IMAP and POP3 accounts from the TCP traffic hitting your server; I found it useful when I needed to do a server migration. It has to run as root (for tcpdump) on the server that houses the accounts, or on a host that otherwise sees their traffic, so it is not a remote attack tool on its own. It only sees credentials sent in the clear: sessions protected by TLS or STARTTLS are invisible to it, which is also a reminder that any server where this works is exposing its users' passwords to whoever can capture the traffic. Note that results.csv ends up holding cleartext passwords; restrict its permissions and delete it once the migration is finished.