Email Password Cracking Tutorial
Test environment:
Windows 2000 Advanced Server
Foxmail 4.2
IRIS 4.0.0.2
First we send a message with Foxmail while using eEye's security product IRIS to sniff the whole exchange, listening on port 25.
IRIS captured the entire session; decoded, it reads as follows:
220 zzymail6 (IMail 7.11 14811-1) NT-ESMTP Server X1
EHLO darkdeamon
250-zzymail6 says hello
250-SIZE 0
250-8BITMIME
250-DSN
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-AUTH=LOGIN
250 EXPN
AUTH LOGIN
334 VXNlcm5hbWU6
YXhpc0BwaDRudDBtLm5ldA==
334 UGFzc3dvcmQ6
cWhxxxxxxxxx ----> this is my password, so I have replaced it!
235 authenticated
MAIL FROM: SIZE=2237
250 ok
RCPT TO:
250 ok its for
Data
354 ok, send it; end with .
From: "=?GB2312?Q?=B4=CC?="
To: whq_jimmy@
Subject: test
X-mailer: Foxmail 4.2 [cn]
Mime-Version: 1.0
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 12 Jun 2003 15:59:9 +0800
whq_jimmy=A3=AC=C4=FA=BA=C3=A3=A1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
=09
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=D6=C2
=C0=F1=A3=A1
=09=09=09=09
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=B4=CC
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1axis@
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A12003-06-10
.
250 Message queued
QUIT
221 Goodbye
Here we can see the whole login and mail-sending process in detail!
My message body was:
whq_jimmy, hello!
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
With
regards!
刺
axis@
2003-06-10
So many a's are used so that the body can be picked out easily when capturing packets.
(Not every sniffer decodes as cleanly as IRIS does.)
Here we explain the login process.
Blue marks the commands sent by the client,
red marks the server's responses.
The SMTP commands themselves are not described in detail here; see RFC 821 and RFC 1869.
Worth noting is that this email uses MIME encoding (see RFC 1341).
MIME generally offers two encodings:
base64 and QP (Quoted-Printable). QP's rule is that 7-bit data needs no re-encoding and only 8-bit data is converted into 7-bit form; QP suits text containing non-ASCII characters, such as our Chinese text.
Base64's rule is to re-encode the entire file as 7-bit, and it is usually used for transferring binary files.
So comparing the two mail bodies above, you can see that the Chinese has all been turned into sequences like =A1=A1=A1=A1=A1=A1=A1.
Now look at this section:
AUTH LOGIN
334 VXNlcm5hbWU6
YXhpc0BwaDRudDBtLm5ldA==
334 UGFzc3dvcmQ6
cWhxxxxxxxxx ----> this is my password, so I have replaced it!
235 authenticated
This section is where our password sits, but it has all become something that looks like garbage.
In fact, this "garbage" is simply base64 encoding!
And, unfortunately, base64 is merely a simple symmetric transformation, reversible directly!!!
So recovering the plaintext from it is a very simple matter!
Base64 actually converts 3 eight-bit bytes into 4 six-bit "bytes" (3*8 = 4*6 = 24). Each of those four six-bit values is still stored in an 8-bit byte, only with the top two bits set to 0. When only 6 bits of a byte are significant, its range is 0 to 2^6 - 1 = 63; in other words, every symbol of the resulting base64 encoding takes a value in the range 0~63.
Expressed as a conversion function:
```c
/* Map one base64 symbol back to its 6-bit value (0..63).
 * Returns 0xFF for '=' padding or any character outside the alphabet. */
unsigned char rev(char t)
{
    if (t >= 'A' && t <= 'Z')
        return t - 'A';
    if (t >= 'a' && t <= 'z')
        return t - 'a' + 26;
    if (t >= '0' && t <= '9')
        return t - '0' + 52;
    if (t == '+')
        return 62;
    if (t == '/')
        return 63;
    return 0xFF; /* not a base64 symbol */
}
```
So, simply reversing the base64, we see:
AUTH LOGIN
334 VXNlcm5hbWU6 ----> 334 username:
YXhpc0BwaDRudDBtLm5ldA== ----> axis@
334 UGFzc3dvcmQ6 ----> 334 password:
cWhxxxxxxxxx ----> this is my password, so I have replaced it!
235 authenticated
Seen this way it is very clear!
Decode the password field in the same way and you have the mailbox password!
*** There is an even simpler method: save the mail content above as an .eml file, replace the body with the base64 ciphertext you want to decode, then open it with Outlook Express and the plaintext appears directly!
Once the sending process is understood, we can even telnet to the SMTP server manually and send mail; of course, for the authentication part we must submit the base64-encoded password.
As follows:
The POP3 protocol is even more dangerous: its password travels across the network in plaintext.
(For POP3 see RFC 1939.)
We likewise use IRIS to sniff Foxmail's mail retrieval; the session is as follows:
+OK X1 NT-POP3 Server zzymail6 (IMail 7.11 10323-1)
USER axis@
+OK send your password
PASS xxxxxxxxx ------> this is the plaintext password, which I have replaced
+OK maildrop locked and ready
STAT
+OK 61 1119827
UIDL
+OK 61 messages (1119827 octets)
.
LIST
+OK 61 messages (1119827 octets)
.
RETR 61
+OK 2010 octets
Received: from darkdeamon [202.117.44.160] by with ESMTP
(SMTPD32-7.11) id AA2C12D00DA; Thu, 12 Jun 2003 16:30:36 +0800
From: "=?GB2312?Q?=B4=CC?="
To: axis@
Subject: Re: test
X-mailer: Foxmail 4.2 [cn]
Mime-Version: 1.0
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 12 Jun 2003 16:31:46 +0800
Message-Id: <200306121630828.SM00876@darkdeamon>
X-RCPT-TO:
Status: U
X-UIDL: 350207837
tt,=C4=FA=BA=C3=A3=A1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
=09=09=09
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=D6=C2
=C0=F1=A3=A1
=09=09=09=09
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=B4=CC
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1tt@tt.tt
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A12003-06-11
.
QUIT
+OK POP3 Server saying Good-Bye
The whole process should now be quite clear!
+OK X1 NT-POP3 Server zzymail6 (IMail 7.11 10323-1)
USER axis@
+OK send your password
PASS xxxxxxxxx ------> this is the plaintext password, which I have replaced
+OK maildrop locked and ready
The password above is transmitted as plaintext over the network; I have replaced it here.
By this point, how email is sent and received should be clear.
If anything is unclear, please consult the RFC documents.
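As an added example (not part of the original article), the following Python carries the base64 reversal described above through to whole bytes (the rev() lookup per symbol, then regrouping four 6-bit values into three bytes) and uses it to audit a decoded session capture for credentials that crossed the wire unprotected: SMTP AUTH LOGIN and POP3 USER/PASS as shown in the article, plus SMTP AUTH PLAIN, which the article does not show but which is exposed in the same way. The session lines are constructed samples, not the article's capture; the audit reports the affected account but never returns the password itself.

```python
# Constructed sample captures (not the article's real session): an SMTP AUTH LOGIN
# exchange and a POP3 USER/PASS exchange, both observed on cleartext ports.
SMTP_SESSION = [
    "220 mail.example.test ESMTP", "EHLO client", "250-AUTH LOGIN PLAIN", "250 HELP",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",              # base64("Username:")
    "YWxpY2VAZXhhbXBsZS50ZXN0",      # base64("alice@example.test")
    "334 UGFzc3dvcmQ6",              # base64("Password:")
    "aHVudGVyMg==", "235 authenticated",   # base64("hunter2"), server accepts
]
POP3_SESSION = ["+OK POP3 ready", "USER bob@example.test", "+OK send your password",
                "PASS letmein", "+OK maildrop locked and ready"]
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def b64_text(token):
    """Reverse base64 as the article describes: 4 symbols = 4 six-bit values = 3 bytes;
    '=' marks bytes missing from the last group. Returns None if not valid base64."""
    data = token.rstrip("=")
    pad = len(token) - len(data)
    if len(token) % 4 or pad > 2 or any(c not in B64 for c in data):
        return None
    out = bytearray()
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        bits = 0
        for c in chunk:
            bits = (bits << 6) | B64.index(c)     # the rev() step, one symbol at a time
        bits <<= 6 * (4 - len(chunk))             # left-align a short final group
        out += bits.to_bytes(3, "big")[:len(chunk) - 1]
    return out.decode("utf-8", "replace")

def find_cleartext_logins(lines):
    """Scan a decoded SMTP or POP3 session for credentials sent in the clear.
    Returns (protocol, mechanism, username) tuples; the secret itself is never returned."""
    findings, user = [], None
    for i, line in enumerate(lines):
        parts = line.strip().split(None, 2)
        cmd = parts[0].upper() if parts else ""
        if cmd == "AUTH" and len(parts) > 1 and parts[1].upper() == "LOGIN":
            nxt = lines[i + 2].strip() if i + 2 < len(lines) else ""   # reply to first 334
            findings.append(("SMTP", "LOGIN", b64_text(parts[2] if len(parts) > 2 else nxt)))
        elif cmd == "AUTH" and len(parts) > 2 and parts[1].upper() == "PLAIN":
            # AUTH PLAIN is base64("authzid\0authcid\0password"): exposed just the same
            fields = (b64_text(parts[2]) or "").split("\x00")
            findings.append(("SMTP", "PLAIN", fields[1] if len(fields) == 3 else None))
        elif cmd == "USER" and len(parts) > 1:
            user = parts[1]                       # POP3 sends both halves as plain text
        elif cmd == "PASS":
            findings.append(("POP3", "USER/PASS", user))
    return findings
```

An account that appears in these findings authenticated over a channel without TLS, which is the condition to alert on or to fix by requiring STARTTLS or implicit TLS on the server.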
So how would one attack?
A few approaches are outlined here.
Note:
This article is not a hacking tutorial, so it only offers some demonstrations and possibilities of attack.
1. Sniffer
A shared-medium network is by its nature very easy to sniff.
On a switched network, ARP spoofing can be used first, followed by a sniffer.
2. Tampering with mail content
Once mail can be intercepted, tampering with it is not hard.
Put simply, it is a method similar to a man-in-the-middle attack.
Specific method