Many people let Outlook remember their passwords so that they do not have to enter the mailbox password every time they receive email. After a long time, however, a careless user may forget the mailbox password and can then neither reset it nor log on to the Web interface to read mail. Outlook will never tell you what the password is. Even if you find the registry key where Outlook stores the account and password information, you still cannot extract the password, because it is stored encrypted. Our countermeasure is to go after the weakest security mechanism in the mailbox service... As we all know, POP3 is essentially a plaintext protocol. That is to say, although the password stored locally by Outlook is encrypted, it must be provided in plain text when Outlook connects to the POP3 server to receive email. Therefore, as long as we develop a POP3 server (not a fully functional one; it only needs to fool Outlook) and let Outlook receive email from this server, Outlook will hand over the password that it stores encrypted. In fact, this method applies not only to Outlook but to every mail client program that uses POP3, such as Outlook Express and Foxmail.
1. Construct a POP3 server
Next we will use VS.NET 2003 and C# to develop a "pseudo" POP3 server. It is "pseudo" because it has extremely limited functions and stops as soon as it has obtained the mailbox password. Start VS.NET 2003, create a C# project, select "Console Application" as the project template, name the project PServer, and click "OK" to create the project, as shown in Figure 1:
Figure 1 Create a C# project
VS.NET automatically creates the PServer namespace, the Class1 class, and the skeleton of the Main function. Add the following three statements after the using System statement at the top of the Class1.cs file:
using System.Net;
using System.Net.Sockets;
using System.Text;
The next task is to modify the Main function so that it acts as a POP3 server and listens for requests from Outlook. When Outlook connects to PServer, we follow the POP3 protocol: confirm the account name that Outlook provides and ask for the password. After Outlook provides the password, we output it on the console. This completes the task!
In the Main function, our first task is to start a POP3 server. To this end, we create an IPEndPoint so that a TcpListener, the TCP server class defined in the System.Net.Sockets namespace, can listen on this endpoint and receive requests from the client:
// Create a TCP server on 127.0.0.1 (the local machine) and listen for
// requests on port 110 (110 is the default port of a POP3 server)
IPEndPoint ipEndPoint = new IPEndPoint(IPAddress.Parse("127.0.0.1"), 110);
TcpListener tcpServer = new TcpListener(ipEndPoint);
tcpServer.Start();
// Wait for a connection request from a POP3 client program (such as Outlook)
TcpClient tcpClient = tcpServer.AcceptTcpClient();
When a POP3 client program connects to the server, the server must respond as the POP3 protocol requires. According to RFC 1939, which defines POP3, the server first returns a welcome message:
// Return the welcome message to the client program
NetworkStream ns = tcpClient.GetStream();
byte[] outbytes = Encoding.ASCII.GetBytes("+OK Welcome" + Environment.NewLine);
ns.Write(outbytes, 0, outbytes.Length);
After receiving the welcome message, the client program sends the account name, as the POP3 protocol requires. We record the account name for later use. The code is as follows:
// Receive and record the email account name
// (the buffer receives the whole command line sent by the client)
byte[] userBytes = new byte[255];
ns.Read(userBytes, 0, userBytes.Length);
After receiving the account name, we tell Outlook that the name is correct. Once the client program receives this reply, it sends the password, which we then record. The implementation code is:
// Tell the client program that the account name is correct
outbytes = Encoding.ASCII.GetBytes("+OK" + Environment.NewLine);
ns.Write(outbytes, 0, outbytes.Length);
// Receive and record the account password
byte[] pwdBytes = new byte[255];
ns.Read(pwdBytes, 0, pwdBytes.Length);
The next step is to take the contents of the two byte arrays, convert them into strings, and output them to the console:
// Display the account name and password on the console
Console.WriteLine("Account name:" + Encoding.ASCII.GetString(userBytes));
Console.WriteLine("account password:" + Encoding.ASCII.GetString(pwdBytes));
Now that the password has been obtained, the server has completed its task and can be closed. Closing the server abruptly may cause the client program to display an error message, but we do not care about that here. The code for closing the server is:
// Close the server
ns.Close();
tcpClient.Close();
tcpServer.Stop();
After entering all of the code above into the Main function, compile it to produce the executable pserver.exe, which is our pseudo POP3 server. pserver.exe is small; the release version is only 16 KB.
2. Obtain the password
Start pserver.exe first, and let our pseudo POP3 server start listening for requests from the client program.
Start Outlook, click "Tools > Email Accounts" in the menu, and select "View or change existing email accounts". Find the email account whose password is to be recovered and click "Change" to open its properties dialog box. As shown in Figure 2, set the POP3 server to localhost:
Figure 2 Change Outlook Email account
Receive email in Outlook. As shown in Figure 3, Outlook will report that the server has interrupted the connection; ignore this message.
Figure 3 Outlook has sent the password to the pseudo POP3 server
Now pserver.exe has obtained the account password. Figure 4 shows that the password of the abc account is abcdefg:
Figure 4 username and password returned by the pseudo POP3 server
3. Use sniffing tools
Because the POP3 password is transmitted in plain text on the network, we can also use a sniffer tool to analyze the TCP/IP communication and obtain the account password. If you do not have the VS.NET development tool, you can use this method to obtain the password. Even if you do have VS.NET, a sniffer tool lets you observe POP3 communication and deepen your understanding of it, which is very helpful when using the POP3 protocol programmatically.
There are many sniffing tools that can analyze TCP/IP communication. Ethereal is a well-known, free, cross-platform analysis tool. We will take it as an example to look at the POP3 communication steps and at how the POP3 password is intercepted.
Install WinPcap and Ethereal: download the WinPcap driver and Ethereal's Windows software package (about 300 KB and 8.1 MB respectively) from http://www.ethereal.com/distribution/win32/.
Start Ethereal and select "Capture > Start". As shown in Figure 5, select the network card that communicates with the Internet in the Interface field and click "OK".
Figure 5 Ethereal
Start Outlook and receive email with the account whose password was forgotten (it is not necessary to change the account's POP3 server to localhost), then click the Stop button in Ethereal. Figure 6 shows the results of a test:
Figure 6 sniffing results
The Ethereal sniffing result shows in detail the communication between Outlook and the server. As described earlier, starting from record No 6 (the number in the leftmost column of Figure 7), the client program establishes a POP3 session with the server. In No 6 the server replies OK, which indicates that the server is running normally and can provide service. In No 7 the client program sends the USER ltt request, telling the server that the mail account name is ltt. No 8 is TCP communication data that we do not need to care about here. In No 9 the server replies "+OK" (the account name is correct) and asks for the password of the ltt account. No 10 records the "PASS llll" message sent by the client program, where llll is the password we are looking for. In No 11 the server replies OK. In No 12 the client program sends the STAT request; the STAT command asks the server to return the number of messages and the space they occupy in a standard format. In No 13 the server replies that the number of messages is 0 and the occupied space is 0. Finally, No 14 records the QUIT request sent by the client program to end the session, and in No 15 the server ends the session. This is a complete POP3 communication process.
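The exchange walked through above can be checked mechanically. The following is an added example, not part of the original article or its source program: it audits a recorded POP3 session for a PASS command sent in clear text and reports the finding with the password redacted to its length. The session data is constructed from the records described above, and the names parse_command and audit_session are hypothetical.

```python
# Added example: audit a POP3 session for a password sent in clear text.
# SAMPLE_SESSION is constructed from records No 6-15 above ("S" server, "C" client).
SAMPLE_SESSION = [
    ("S", b"+OK Welcome\r\n"),
    ("C", b"USER ltt\r\n"),
    ("S", b"+OK\r\n"),
    ("C", b"PASS llll\r\n"),
    ("S", b"+OK\r\n"),
    ("C", b"STAT\r\n"),
    ("S", b"+OK 0 0\r\n"),
    ("C", b"QUIT\r\n"),
    ("S", b"+OK\r\n"),
]


def parse_command(raw):
    """Split one client line into (KEYWORD, argument)."""
    # Strip NUL padding (fixed-size read buffer) and CRLF; everything after
    # the first space is the argument, so passwords with spaces stay intact.
    text = raw.rstrip(b"\x00").decode("ascii", "replace").rstrip("\r\n")
    keyword, _, arg = text.partition(" ")
    return keyword.upper(), arg


def audit_session(session):
    """Return one finding per PASS command, with the password redacted."""
    findings, user, pending = [], None, None
    for direction, raw in session:
        if direction == "C":
            keyword, arg = parse_command(raw)
            if keyword == "USER":
                user = arg
            elif keyword == "PASS":
                pending = {"user": user, "password_length": len(arg),
                           "accepted": None}
        elif pending is not None:
            # The first server line after PASS is the reply to it.
            pending["accepted"] = raw.startswith(b"+OK")
            findings.append(pending)
            pending = None
    if pending is not None:  # connection closed before the server replied
        findings.append(pending)
    return findings


if __name__ == "__main__":
    for finding in audit_session(SAMPLE_SESSION):
        print("cleartext POP3 password:", finding)
```

A finding with "accepted" set to None corresponds to a session that ends right after PASS, as happens when the server closes the connection without replying.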
When your password is lost, use your brains to find another path. In fact, you can grasp everything on your own.
The source program can be downloaded here.