Hello,

When I analyze POP packets with Wireshark, when I receive emails with Outlook, I can see USER and PASS commands with username and password transmitted unencrypted.

But if I try to get my emails with Thunderbird (without encryption), I CANNOT see USER and PASS commands in Wireshark, and for sure, no username and password!!

But there are new commands:

  • AUTH : PLAIN
  • Request command : AGNsZW1lbnQuYm9ubmFsADJ4cgt0OQ==

I don't understand why. Is there a way to get them?

asked 03 Feb '12, 13:56

Clément Bonnal


Hello Clément,

The information is Base64-encoded and can be decoded easily (but Wireshark does not do that for you). The strange output is due to null bytes being present in the decoded string. See RFC 2595 [2] for more information.

echo "AGNsZW1lbnQuYm9ubmFsADJ4cgt0OQ==" | base64 -d
clement.bonnal2xr
                 t9

The plain authentication method only uses one command to transmit the credentials, unlike the login method, which uses two commands (user, pass).

[1] http://www.fehcom.de/qmail/smtpauth.html
[2] http://tools.ietf.org/html/rfc2595

answered 05 Feb '12, 05:28

otr

edited 05 Feb '12, 05:30

As the question refers to Outlook, it's likely that the user is on Windows without access to the usual Unix utils. A PowerShell equivalent is shown below:

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("AGNsZW1lbnQuYm9ubmFsADJ4cgt0OQ=="))
(06 Feb '12, 07:19) grahamb ♦
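
Added example, not part of the original question, answer or comment: the decoded blob follows the PLAIN layout from RFC 2595 ([authorize-id] NUL authenticate-id NUL password), so splitting on the NUL bytes and escaping control characters shows each field cleanly instead of the garbled terminal output. The function names `parse_sasl_plain` and `printable` are illustrative; the sample value is the one from the question.

```python
import base64
import binascii

# AUTH PLAIN response copied from the question on this page.
SAMPLE = "AGNsZW1lbnQuYm9ubmFsADJ4cgt0OQ=="


def parse_sasl_plain(b64_response):
    """Return (authzid, authcid, password) as bytes.

    Layout per RFC 2595: [authorize-id] NUL authenticate-id NUL password.
    """
    try:
        raw = base64.b64decode(b64_response.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64: %s" % exc)
    fields = raw.split(b"\x00")
    if len(fields) != 3:
        raise ValueError("expected 3 NUL-separated fields, got %d" % len(fields))
    authzid, authcid, password = fields
    if not authcid:
        raise ValueError("authentication identity is empty")
    return authzid, authcid, password


def printable(value):
    """Render bytes as ASCII, escaping control and non-ASCII bytes as \\xNN."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in value)


if __name__ == "__main__":
    authzid, authcid, password = parse_sasl_plain(SAMPLE)
    # An empty authzid is normal: the client asks to act as the authcid itself.
    print("authzid :", printable(authzid) or "(empty)")
    print("authcid :", printable(authcid))
    print("password:", printable(password))
```

The password field contains a vertical-tab byte (0x0b), which is why the `base64 -d` output above breaks onto a second line.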

Last updated: 06 Feb '12, 07:20
