1 If you forgot the password of your pop3 account but you remember the rule or
2 the pattern you used to create it, crackpop can help you to recover the
5 Just build up a regular expression that you think matches the password and
6 crackpop will try to generate all the strings matchable by the regular
7 expression and try to access your pop3 account with them.
9 As an example let's try to hack Randall Munroe's account:
12 --host popmail.xkcd.example.net \
14 --pattern "[Cc]orrect [Hh]orse [Bb]attery [Ss]taple"
19 crackpop uses the 'exrex' python module, in case it is not packaged for your
20 system you can get it with 'pip'; example for Debian based systems:
22 $ sudo aptitude install python-pip
23 $ sudo pip install exrex
28 The program always prints out the error status on failed authentication
29 attempts in order to let the user know what is going on.
31 This is because some POP3 servers may be more creative than others, and
32 sometimes it is possible to differentiate between authentication events only
33 by looking at the error message.
35 For instance popmail.libero.it is quite weird, this is what happens:
37 - When the username is wrong the server replies with and expected:
39 -ERR [AUTH] invalid user or password
41 - When the username is right but the password is wrong the server replies
42 with an information-leaking:
44 -ERR ERROR 119 invalid user or password err 30
46 - When the password is right the server replies with:
48 -ERR [AUTH] POP3 access not allowed
50 because it does not allow POP3 operations from users on networks different
51 from its own (but it still allows _connections_ from other networks tho).
53 Yes, with pomail.libero.it it is possible to differentiate the "invalid user"
54 case from the "invalid password" one.