crackpop

Some relative of mine forgot the password to access their e-mail account, but they were still remembering the pattern they used to pick it up, and that pattern could be easily represented by a regular expression. They did not have a backup email address to be able to use the password-reset mechanism.

So I hacked up a script to generate the list of strings matchable by the said regex, and use them as passwords for a dictionary based attack via POP3.

It worked. The regex generated about 300 strings, and at only 20% of the whole brute forcing process the password was found.

I am sharing the crackpop script in case someone will need to crack their own POP3 account...

With the cool exrex python module, generating the strings was a breeze.

I also took a look at the wordlist rules syntax supported by john the ripper, but it was an overkill for my simple use case.

A curious note

A thing I discovered by chance, by misspelling the username in one of my tests with different POP3 servers: the POP3 server of libero.it makes it possible to differentiate between these cases:

  • access failed because of an invalid user;
  • access failed because of an invalid password.

Different error codes are returned for the two cases, more details in the crackpop README file.


CommentsSyndicate content

Post new comment

The content of this field is kept private and will not be shown publicly. If you have a Gravatar account associated with the e-mail address you provide, it will be used to display your avatar.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
m
j
M
g
V
1
Enter the code without spaces.