Identifying mail account used in CRAM-MD5 transaction
Posted
by ManiacZX
on Server Fault
See other posts from Server Fault
or by ManiacZX
Published on 2010-03-30T21:06:08Z
Indexed on
2010/03/30
21:13 UTC
Read the original article
Hit count: 546
I suppose this is one of those where the tool for identifying the problem is also the tool used for taking advantage of it.
I have a mail server that I am seeing emails that spam is being sent through it. It is not an open relay, the messages in question are being sent by someone authenticating to the smtp with CRAM-MD5.
However, the logs only capture the actual data passed, which has been hashed so I cannot see what user account is being used.
My suspicion is a simple username/password combo or a user account's password has otherwise been compromised, but I cannot do much about it without knowing what user it is. Of course I can block the IP that is doing it, but that doesn't fix the real problem.
I have both the CRAM-MD5 Base64 challenge string and the hashed client auth string containing the username, password and challenge string.
I am looking for a way to either reverse this (which I haven't been able to find any information on) or otherwise I suppose I need a dictionary attack tool designed for CRAM-MD5 to run through two lists, one for username and one for password and the constant of the challenge string until it finds a matching result of the authentication string I have logged.
Any information on reversing using the data I have logged, a tool to identify it or any alternative methods you have used for this situation would be greatly appreciated.
© Server Fault or respective owner