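Test environment:
Windows 2000 Advanced Server
Foxmail 4.2
IRIS 4.0.0.2

First we send an e-mail with Foxmail while sniffing the whole exchange with IRIS, eEye's security product, listening on port 25. IRIS captured the entire exchange and decoded it as follows: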
220 zzymail6 (IMail 7.11 14811-1) NT-ESMTP Server X1
EHLO darkdeamon
250-zzymail6 says hello
250-SIZE 0
250-8BITMIME
250-DSN
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-AUTH=LOGIN
250 EXPN
AUTH LOGIN
334 VXNlcm5hbWU6
YXhpc0BwaDRudDBtLm5ldA==
334 UGFzc3dvcmQ6
cWhxxxxxxxxx ----> this is my password, so I replaced it!
235 authenticated
MAIL FROM: SIZE=2237
250 ok
RCPT TO:
250 ok its for
Data
354 ok, send it; end with .
From:
To: whq_jimmy@
Subject: test
X-mailer: Foxmail 4.2 [cn]
Mime-Version: 1.0
Content-Type: text/plain;
charset=
Content-Transfer-Encoding: quoted-printable
Date: Thu, 12 Jun 2003 15:59:9 +0800
whq_jimmy=A3=AC=C4=FA=BA=C3=A3=A1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
a
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
=09
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=D6=C2
=C0=F1=A3=A1
=09=09=09=09
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=B4=CC
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1 axis@
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A12003-06-10
.
250 Message queued
QUIT
221 Goodbye
Here we can see the whole login and mail-sending process in detail!
My e-mail body was:
whq_jimmy, hello! (您好!)
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaa
Regards! (致礼!)
刺
axis@
2003-06-10
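So many a's are used so that the body can be picked out in the packet capture. (Not every sniffer decodes as well as IRIS does.)
Let us walk through the login process.
The commands sent by the client are in blue.
The server's responses are in red.
The SMTP commands themselves are not covered in detail here; see RFC821 and RFC1869.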
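Note that this e-mail uses MIME encoding (see RFC1341).
MIME generally uses one of two encodings: base64 and QP (Quoted-Printable). The QP rule is that 7-bit data is not re-encoded; only 8-bit data is converted to 7-bit. QP is suited to text in non-ASCII character sets, such as our Chinese documents. The Base64 rule is to re-encode the entire file as 7-bit, which is normally used for transferring binary files.
So, comparing the two mail contents above, you can see that the Chinese text has been turned into the form =A1=A1=A1=A1=A1=A1=A1.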
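The QP rule described above, as an added example that is not part of the original article: a strict decoder that copies 7-bit data unchanged, turns each =XX escape back into one 8-bit byte, and drops the soft line breaks (a trailing "=") seen throughout the capture. The function names are chosen here for illustration, and the sample string is the greeting line of the retrieved message in the POP3 capture.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode Quoted-Printable text into raw bytes. Returns the number of bytes
 * written, or -1 on a malformed "=" escape or a too-small output buffer. */
int qp_decode(const char *in, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    while (*in) {
        if (*in != '=') {                      /* 7-bit data is copied as-is */
            if (n >= outsz) return -1;
            out[n++] = (unsigned char)*in++;
        } else if (in[1] == '\r' && in[2] == '\n') {
            in += 3;                           /* soft line break: "=" CRLF */
        } else if (in[1] == '\n') {
            in += 2;                           /* soft line break: "=" LF */
        } else {
            int hi = hexval(in[1]), lo = hi < 0 ? -1 : hexval(in[2]);
            if (lo < 0 || n >= outsz) return -1;
            out[n++] = (unsigned char)(hi << 4 | lo);   /* "=C4" -> 0xC4 */
            in += 3;
        }
    }
    return (int)n;
}

int main(void)
{
    unsigned char buf[64];
    int i, n = qp_decode("tt,=C4=FA=BA=C3=A3=A1", buf, sizeof buf);
    for (i = 0; i < n; i++) printf("%02X ", buf[i]);  /* raw bytes of the line */
    printf("\n");
    return 0;
}
```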
Now look at this part:
AUTH LOGIN
334 VXNlcm5hbWU6
YXhpc0BwaDRudDBtLm5ldA==
334 UGFzc3dvcmQ6
cWhxxxxxxxxx ----> this is my password, so I replaced it!
235 authenticated
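This is where our password is, but everything has turned into something that looks like gibberish.
In fact this "gibberish" is just base64 encoding!
And unfortunately, base64 is merely a simple reversible encoding that involves no key!!!
So recovering the plaintext from it is very easy!
Base64 encoding converts three 8-bit bytes into four 6-bit units (3*8 = 4*6 = 24). Each of these four 6-bit units is in fact still stored in 8 bits, only with the top two bits set to 0. When only 6 bits of a byte are significant, its value range is 0 to 2^6 - 1, that is 63, so every character of a Base64 encoding stands for a value in the range (0~63).
A conversion function makes this concrete: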
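/* Map one Base64 character back to its 6-bit value (0..63). */
unsigned char rev(char t)
{
    if (t >= 'A' && t <= 'Z')
        return t - 'A';          /* 'A'..'Z' -> 0..25  */
    if (t >= 'a' && t <= 'z')
        return t - 'a' + 26;     /* 'a'..'z' -> 26..51 */
    if (t >= '0' && t <= '9')
        return t - '0' + 52;     /* '0'..'9' -> 52..61 */
    if (t == '+') return 62;
    if (t == '/') return 63;
    return 0;                    /* '=' padding or any other character */
}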
So simply by reversing the base64 we see:
AUTH LOGIN
334 VXNlcm5hbWU6 ----> 334 username:
YXhpc0BwaDRudDBtLm5ldA== ----> axis@
334 UGFzc3dvcmQ6 ----> 334 password:
cWhxxxxxxxxx ----> this is my password, so I replaced it!
235 authenticated
Seen this way it is very clear! Decode the password line and you have the mailbox password!
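The 3-byte/4-character rule and the rev() mapping above, carried through to a full decoder, as an added example that is not the article's own code. It shows why AUTH LOGIN gives no confidentiality on an unencrypted connection: no key is involved at any step. The names b64_val and b64_decode are chosen here; unlike rev(), the mapping reports characters outside the alphabet, and padding is validated.

```c
#include <stdio.h>
#include <string.h>

/* Same mapping as rev() above, but -1 marks a byte outside the alphabet. */
static int b64_val(char t)
{
    if (t >= 'A' && t <= 'Z') return t - 'A';
    if (t >= 'a' && t <= 'z') return t - 'a' + 26;
    if (t >= '0' && t <= '9') return t - '0' + 52;
    if (t == '+') return 62;
    if (t == '/') return 63;
    return -1;
}

/* Decode one Base64 line into out (NUL-terminated). Returns the decoded
 * length, or -1 for malformed input or an output buffer that is too small. */
int b64_decode(const char *in, char *out, size_t outsz)
{
    size_t len = strlen(in), n = 0, i;
    if (len == 0 || len % 4 != 0) return -1;
    for (i = 0; i < len; i += 4) {
        int v[4], pad = 0, k;
        for (k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {              /* padding: last 1-2 chars only */
                if (i + 4 != len || k < 2) return -1;
                v[k] = 0;
                pad++;
            } else if (pad || (v[k] = b64_val(c)) < 0) {
                return -1;               /* data after '=' or bad character */
            }
        }
        /* four 6-bit values -> one 24-bit word -> up to three bytes */
        unsigned long w = ((unsigned long)v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        if (n + 3 - pad >= outsz) return -1;
        out[n++] = (char)(w >> 16);
        if (pad < 2) out[n++] = (char)((w >> 8) & 0xFF);
        if (pad < 1) out[n++] = (char)(w & 0xFF);
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[64];   /* the two 334 challenges are taken from the capture above */
    if (b64_decode("VXNlcm5hbWU6", buf, sizeof buf) > 0) printf("334 %s\n", buf);
    if (b64_decode("UGFzc3dvcmQ6", buf, sizeof buf) > 0) printf("334 %s\n", buf);
    return 0;
}
```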
***
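There is also a very convenient shortcut: save the mail content above as an eml file, replace the body with the base64 text you want to decode, then open it with Outlook Express and you get the plaintext directly!
Once we know how the mail is sent, we can even telnet to the SMTP server by hand and send mail ourselves; of course, for the authentication part we have to submit the base64-encoded password.
As follows:
The POP3 protocol is even more dangerous: its password travels across the network in plaintext. (For POP3 see RFC1939.)
We again use IRIS to sniff Foxmail while it retrieves mail, as follows: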
+OK X1 NT-POP3 Server zzymail6 (IMail 7.11 10323-1)
USER axis@
+OK send your password
PASS xxxxxxxxx ------> this is the plaintext password, which I have replaced
+OK maildrop locked and ready
STAT
+OK 61 1119827
UIDL
+OK 61 messages (1119827 octets)
1 350207777
2 350207778
3 350207779
4 350207780
5 350207781
6 350207782
7 350207783
8 350207784
9 350207785
10 350207786
11 350207787
12 350207788
13 350207789
14 350207790
15 350207791
16 350207792
17 350207793
18 350207794
19 350207795
20 350207796
21 350207797
22 350207798
23 350207799
24 350207800
25 350207801
26 350207802
27 350207803
28 350207804
29 350207805
30 350207806
31 350207807
32 350207808
33 350207809
34 350207810
35 350207811
36 350207812
37 350207813
38 350207814
39 350207815
40 350207816
41 350207817
42 350207818
43 350207819
44 350207820
45 350207821
46 350207822
47 350207823
48 350207824
49 350207825
50 350207826
51 350207827
52 350207828
53 350207829
54 350207830
55 350207831
56 350207832
57 350207833
58 350207834
59 350207835
60 350207836
61 350207837
.
LIST
+OK 61 messages (1119827 octets)
1 1293
2 1023
3 3910
4 15417
5 27339
6 4653
7 881
8 880
9 1196
10 3976
11 765
12 4835
13 867
14 1101
15 979
16 3063
17 6503
18 6300
19 5839
20 5771
21 1213
22 692
23 5061
24 905
25 6435
26 1181
27 854
28 1025
29 1665
30 1264
31 1284
32 6383
33 1285
34 2244
35 1968
36 1412
37 74132
38 1477
39 3560
40 1105
41 3624
42 6618
43 3936
44 1876
45 90703
46 500238
47 830
48 1469
49 1922
50 4254
51 4269
52 99913
53 76395
54 17183
55 4054
56 81736
57 2780
58 1984
59 2011
60 286
61 2010
.
RETR 61
+OK 2010 octets
Received: from darkdeamon [202.117.44.160] by with ESMTP
(SMTPD32-7.11 ) id AA2C12D00DA; Thu, 12 Jun 2003 16:30:36 +0800
From:
To: axis@
Subject: Re: test
X-mailer: Foxmail 4.2 [cn]
Mime-Version: 1.0
Content-Type: text/plain;
charset=
Content-Transfer-Encoding: quoted-printable
Date: Thu, 12 Jun 2003 16:31:46 +0800
Message-Id: <00876@darkdeamon>
X-RCPT-TO:
Status: U
X-UIDL: 350207837
tt,=C4=FA=BA=C3=A3=A1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaa
=09=09=09
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=D6=C2
=C0=F1=A3=A1
=09=09=09=09
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=B4=CC
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1 tt@
=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A1=A12003-06-11