crackpop
A relative of mine forgot the password to their e-mail account, but they still remembered the pattern they had used to pick it, and that pattern could easily be represented by a regular expression. They did not have a backup e-mail address, so they could not use the password-reset mechanism.
So I hacked up a script to generate the list of strings matched by said regex and use them as passwords for a dictionary-based attack via POP3.
It worked. The regex generated about 300 strings, and at only 20% of the whole brute forcing process the password was found.
I am sharing the crackpop script in case someone needs to crack their own POP3 account...
With the cool exrex Python module, generating the strings was a breeze.
I also took a look at the wordlist rules syntax supported by John the Ripper, but it was overkill for my simple use case.
A curious note
A thing I discovered by chance, by misspelling the username in one of my tests with different POP3 servers: the POP3 server of libero.it makes it possible to differentiate between these cases:
- access failed because of an invalid user;
- access failed because of an invalid password.
Different error codes are returned for the two cases; more details are in the crackpop README file.
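From the server side, the behaviour in this note is a username oracle. The sketch below is an added example, not part of crackpop or of any real server: it puts a handler that answers the two failure cases differently next to one that answers them identically and does the same hashing work either way. The account store, reply strings and function names are all constructed for illustration.

```python
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed account store: username -> (salt, password hash).
ACCOUNTS = {"alice": (b"constructed-salt",
                      _hash("correct horse", b"constructed-salt"))}
# Dummy record so an unknown user costs the same hashing work as a real one.
DUMMY = (b"dummy-salt", _hash("unused", b"dummy-salt"))

def leaky_auth(user: str, password: str) -> str:
    """Distinct reply per failure cause: reveals which half was wrong."""
    if user not in ACCOUNTS:
        return "-ERR unknown user"
    salt, stored = ACCOUNTS[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "-ERR invalid password"
    return "+OK maildrop ready"

def uniform_auth(user: str, password: str) -> str:
    """Same reply and same work whether the user or the password is wrong."""
    known = user in ACCOUNTS
    salt, stored = ACCOUNTS.get(user, DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)
    if known and match:
        return "+OK maildrop ready"
    return "-ERR authentication failed"

def leaks_user_existence(auth) -> bool:
    """Self-check for a handler: do the two failure cases look different?"""
    return auth("no-such-user", "wrong") != auth("alice", "wrong")

if __name__ == "__main__":
    print("leaky handler distinguishable:  ", leaks_user_existence(leaky_auth))
    print("uniform handler distinguishable:", leaks_user_existence(uniform_auth))
```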