carnal0wnage [Shared Reader]

Sunday, March 4, 2012

Update - Abusing Password Resets

In July I published an article on Abusing Password Resets. Some Ruby code was provided and it no longer works very well. Gmail has a limitation on POP3 message retrieval; long story short, you can only get around 250 emails. This is pretty annoying when you want to pull down thousands of password reset emails to analyze the plain-text passwords for entropy. So the solution is to use IMAP.

Here is that code:


Breakdown:

Lines 1-3 - Start the script in Ruby, require the necessary libs

Lines 6, 8 - Name the class, instantiate a placeholder for file (could have been done with an instance variable as well).

Lines 10-11 - Method invoked (def initialize) when the class is started, self.lfile is the location of the file we will store our emails in.

Lines 13, 18, 21 - Begin, Rescue, End code (mainly so we gracefully handle errors)

Line 14 - Instantiate a connection string to Gmail's IMAP server, name it "imap".

Lines 16-17 - Provide creds and invoke the check_for_emails method

Lines 24, 33 - Define the check_emails_method, taking the imap object as input, and close ("end") the method.

Lines 25-26 - Select the inbox as the folder to pilfer and then instantiate a msgs object which has the results of all messages that haven't been deleted.
Lines 27-32 - If "msgs" (Array) is empty, print a message saying so, otherwise print that we are grabbing emails and invoke the place_emails_into_files method with both the msgs and imap objects.

Lines 35, 44 - define the method (place_emails_into_file) and close it off.

Line 36 - Iterate thru the msgs array, creating a mid (message id) object.

Lines 37-38 - Fetch the message with the message id (mid) we have created and then chomp any extra space off the end.

Lines 39-41 - Open the emails.txt file in the inbox folder (you've hopefully created) and write the message body into it (appending, NOT overwriting).

Line 43 - Invoke the create_file_with_tokens method.

Lines 46, 56 - define the create_file_with_tokens method and then close it.

Lines 47-49 - Create a new file which will contain the string you are trying to extract (the password) and then open the 'inbox/emails.txt' file for reading. Finally, on line 49 start iterating thru each line of the read_file ('inbox/emails.txt').

Lines 50-51 - Match the string you are looking for. If the m object (the result of the match) is of a MatchData type, then put that string (the password) into new_file, the "tokens.txt" file.

Lines 53-55 - Close both files and print that we are done.

This should be able to run in Ruby versions 1.8.7 and greater. Ensure that you put your username and password in place of the ones I've entered on line 16.

cktricky
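
The token-extraction step from the breakdown (match each line, keep the captured password), followed by the entropy check the post mentions, as an added Ruby example that is not the script from the original post. The email wording, the regex and the sample passwords are constructed, and the input is an inline string standing in for inbox/emails.txt so it runs offline.

```ruby
# Added example, not the script from the original post. The email wording,
# the regex and the sample passwords below are constructed for illustration.

# Constructed stand-in for the dumped message bodies (inbox/emails.txt).
SAMPLE_EMAILS = <<~MAIL
  Subject: Your password has been reset
  Your new password is: Rst-4821
  Subject: Your password has been reset
  Your new password is: Rst-4822
  Subject: Your password has been reset
  Your new password is: Rst-4907
  Subject: Your password has been reset
  Your new password is: Rst-4821
MAIL

TOKEN_RE = /Your new password is: (\S+)/ # assumed email wording

# Keep the captured password from every line that matches; skip the rest.
def extract_tokens(text, pattern = TOKEN_RE)
  text.each_line.map { |line| (m = line.match(pattern)) && m[1] }.compact
end

# Shannon entropy, in bits, of a list of symbols.
def shannon_bits(symbols)
  n = symbols.length.to_f
  symbols.group_by(&:itself).values.sum do |group|
    prob = group.length / n
    prob * Math.log2(1 / prob)
  end
end

# Entropy of each character position across all tokens. 0.0 means the
# position never changes, so it adds nothing to the password's strength.
def positional_entropy(tokens)
  width = tokens.map(&:length).max || 0
  (0...width).map { |i| shannon_bits(tokens.map { |t| t[i] }.compact).round(3) }
end

# Summary a tester would read first: repeats, length spread, weak positions.
def report(tokens)
  { count: tokens.length,
    duplicates: tokens.length - tokens.uniq.length,
    lengths: tokens.map(&:length).uniq.sort,
    per_position_bits: positional_entropy(tokens) }
end

p report(extract_tokens(SAMPLE_EMAILS)) if __FILE__ == $PROGRAM_NAME
```

On the constructed sample, the first five positions score 0.0 bits and one password repeats, which is the kind of structure a reset mechanism with a fixed prefix or a small counter produces.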