Admins eHow SysAdmin Tips & Tricks

September 14, 2011

An analysis of the recent security breach at DigiNotar and the Man-In-The-Middle attack on Iranian users

Filed under: General, Security — admin @ 9:23 am

As I have received several requests from Iranian readers of my blog, I have done some analysis of the recent DigiNotar security breach and the MITM attack on Iranian users.
This analysis is based on the Fox-IT interim report on the breach. You can download the complete report in PDF format from the following link:

What is a MITM attack and how can it be prevented?
MITM stands for Man-In-The-Middle. It simply means that someone stands between you and your destination and intercepts or modifies your communication. This is quite easy when the communication is not encrypted.
The SSL protocol was originally invented to address this issue. The idea is that a trusted Certificate Authority (CA) authenticates the identity of the destination, and by using cryptographic protocols your connection to the authentic destination becomes encrypted and impossible to intercept or modify.
It has been shown that the cryptographic methods like AES or RC4 which are employed to encrypt the data are quite effective and very hard to crack, so the easier route is to attack the base of the trust model: the trusted authorities (CAs). In this kind of attack, hackers break into CA systems and forge valid certificates for themselves so they can impersonate authentic destinations and intercept the data. This kind of attack was used in both recent incidents, Comodo and DigiNotar.
Although the protocol itself is almost safe, unfortunately many of these CAs are vulnerable themselves, making the whole process vulnerable.
The Fox-IT report indicates that the DigiNotar systems were running Windows (which is vulnerable in nature) and that passwords were crackable through brute-force attack. (More on this later)

To understand it better, I have created a diagram of the recent MITM attack on Iranian users, whose goal was intercepting communications between them and Google. The attackers were able to gain access to users' Google accounts through this attack:

This diagram is self-explanatory. The attacker in the middle impersonates Google and establishes a secure connection to the user, using a certificate signed by the DigiNotar CA. Although the connection is still encrypted, the user has a secure connection to the attacker, not to the real Google, so the attacker has access to all information sent by the user, including usernames, passwords, cookies, etc.
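As an added example (not from the original post), a small Python checker for the chain a server presents, in the format `openssl s_client` prints: it flags any link issued by a distrusted CA such as DigiNotar, a leaf issuer other than the one pinned for the host, a failed verification, and a weak cipher. The sample output, the distrusted-CA set and the expected-issuer table are constructed assumptions for the example.

```python
import re

# Constructed openssl s_client output, modelled on the page's Gmail transcript but with a
# rogue chain: a Google host certificate issued by a DigiNotar CA (hypothetical sample).
ROGUE_SCLIENT_OUTPUT = """\
Certificate chain
 0 s:/CN=*.google.com
   i:/C=NL/O=DigiNotar/CN=DigiNotar Public CA 2025
 1 s:/C=NL/O=DigiNotar/CN=DigiNotar Public CA 2025
   i:/C=NL/O=DigiNotar/CN=DigiNotar Root CA
New, TLSv1/SSLv3, Cipher is RC4-MD5
    Verify return code: 20 (unable to get local issuer certificate)
"""

# Policy assumed for this example: compromised CAs to refuse, the issuer CN expected for
# each host (the page's Gmail transcript shows Google Internet Authority), weak ciphers.
DISTRUSTED_ORGS = {"DigiNotar"}
EXPECTED_ISSUER_CN = {"pop.gmail.com": "Google Internet Authority"}
WEAK_CIPHERS = {"RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"}

def parse_chain(output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' block, leaf first."""
    pairs = re.findall(r"^\s*\d+ s:(.+)\n\s+i:(.+)$", output, re.M)
    return [(s.strip(), i.strip()) for s, i in pairs]

def dn_field(dn, key):
    """Pull one attribute (e.g. 'O' or 'CN') out of an OpenSSL slash-separated DN."""
    m = re.search(r"/%s=([^/]+)" % key, dn)
    return m.group(1).strip() if m else ""

def audit(output, host):
    """Return a list of findings; an empty list means the chain looks as expected."""
    findings, chain = [], parse_chain(output)
    if not chain:
        return ["no certificate chain found in output"]
    for _subject, issuer in chain:  # any link signed by a distrusted CA is fatal
        if dn_field(issuer, "O") in DISTRUSTED_ORGS:
            findings.append("distrusted issuer in chain: " + issuer)
    leaf_issuer = dn_field(chain[0][1], "CN")  # pin: who should sign this host's cert
    if host in EXPECTED_ISSUER_CN and leaf_issuer != EXPECTED_ISSUER_CN[host]:
        findings.append("unexpected issuer for %s: %s" % (host, leaf_issuer))
    m = re.search(r"Verify return code: (\d+)", output)
    if m and m.group(1) != "0":
        findings.append("chain did not verify (code %s)" % m.group(1))
    m = re.search(r"Cipher is (\S+)", output)
    if m and m.group(1) in WEAK_CIPHERS:
        findings.append("weak cipher negotiated: " + m.group(1))
    return findings
```

On the page's own Gmail transcript, return code 20 only means s_client was not given a CA bundle (pass -CAfile), so the issuer pin and the distrusted-CA check are what actually catch the DigiNotar case; `audit(ROGUE_SCLIENT_OUTPUT, "pop.gmail.com")` returns five findings.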

March 31, 2010

Check e-mail on a pop3 server using telnet

Filed under: General — admin @ 9:44 am

These steps show how to check your e-mail on a pop3 server using a telnet client.

Telnet to the pop3 server.

telnet 110

You should receive a reply to this effect.

Trying A.B.C.D...
Connected to
Escape character is '^]'.
+OK (rwcrpxc13) POP3 server

If you want to connect to a POP3 SSL server, use the following command in a Linux shell:

openssl s_client -connect FQDN:PORT

For instance, for Gmail it is:

openssl s_client -connect

You will get a response like this:

depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
No client certificate CA names sent
SSL handshake has read 1703 bytes and written 300 bytes
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: AF09D6024039D1F70D7A6518034EF3B2E1B949C15A71ED3D0E85BC89F7D4ADC2
    Master-Key: 58D4202B16256CA5715C45B2CDDDFDDC16ABCAEF2A0993D23F3817193AE3F4A4E5531EF13CA970BADD1F8EA273FD6871
    Key-Arg   : None
    Start Time: 1270025037
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
+OK Gpop ready for requests from a.b.c.d q9pf826547gve.29

Enter your username for the pop3 e-mail account using the “user” command.

user username_here

You should receive the following reply.


Enter your password for the pop3 e-mail account using the “pass” command.

pass password_here

You should receive the following reply.

+OK Maildrop ready

Stat your mailbox using the “stat” command.


You will get a response showing the number of messages on the server and their total size.

+OK 2 9141

List the mail on the pop3 e-mail account using the “list” command.


You will see the list of messages on the server.

+OK scan listing follows
1 1489
2 7652

To see one of the messages, issue the retrieve command “retr” followed by the message id.

retr 1

You will see the whole e-mail, headers and all.

+OK 1489 octets
Received: from blah ( [a.b.c.d])
(iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
with ESMTP id <> for; Wed, 02 Jul 2003 23:54:23 -0400 (EDT)
Date: Wed, 02 Jul 2003 23:52:59 -0400
From: Me
Subject: test
Message-id: <>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Content-disposition: inline
User-Agent: KMail/1.5.1
Original-recipient: rfc822;


If you would like to delete the message, issue the “dele” command with the message id.

dele 1

You will then see a delete confirmation.

+OK message deleted

To finish, issue the “quit” command.


Response:

Connection closed by foreign host.
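The same session as a small Python client, added here as an example (not from the original post): it replays the page's USER/PASS/STAT/LIST/RETR sequence against a constructed server transcript, handles the multi-line responses that telnet shows raw (the terminating "." line and dot-stuffed lines), and opens real connections only through a verifying TLS context, which is what the page's s_client run lacked. The transcript, the hostname and the credentials are constructed placeholders.

```python
import io, socket, ssl

class Pop3Client:  # minimal POP3 client over any readline()/write() pair (TLS socket files or BytesIO)
    def __init__(self, rfile, wfile):
        self.r, self.w = rfile, wfile
        self.greeting = self._status()  # the server speaks first: "+OK ..."

    def _status(self):
        line = self.r.readline().rstrip(b"\r\n").decode("ascii")
        if not line.startswith("+OK"):  # -ERR, garbage, or an empty read on a dropped link
            raise RuntimeError("POP3 failure: %r" % line)
        return line

    def cmd(self, line, multi=False):
        """Send one command; multi=True also reads the body up to the lone '.' line."""
        self.w.write((line + "\r\n").encode("ascii"))
        self.w.flush()
        status, body = self._status(), []
        while multi:
            raw = self.r.readline()
            if not raw:
                raise RuntimeError("connection closed inside a multi-line response")
            l = raw.rstrip(b"\r\n")
            if l == b".":
                break
            body.append(l[1:] if l.startswith(b".") else l)  # undo RFC 1939 byte-stuffing
        return status, body

def connect_pop3s(host, port=995):  # verified POP3S: chain and hostname checked, unlike bare telnet
    ctx = ssl.create_default_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    return Pop3Client(sock.makefile("rb"), sock.makefile("wb"))

# Constructed server side of the page's session (client commands are not echoed); the ".." line
# is dot-stuffing, which a telnet user has to undo by eye.
SERVER_TRANSCRIPT = (
    b"+OK Gpop ready\r\n+OK send PASS\r\n+OK Maildrop ready\r\n+OK 2 9141\r\n"
    b"+OK scan listing follows\r\n1 1489\r\n2 7652\r\n.\r\n"
    b"+OK 1489 octets\r\nSubject: test\r\n\r\n..not a terminator\r\n.\r\n"
)

def demo_session(transcript=SERVER_TRANSCRIPT):
    """Replay the page's command sequence offline; returns (count, size, listing, message)."""
    c = Pop3Client(io.BytesIO(transcript), io.BytesIO())
    c.cmd("USER username_here")
    c.cmd("PASS password_here")
    count, size = (int(x) for x in c.cmd("STAT")[0].split()[1:3])
    listing = [tuple(int(x) for x in l.split()) for l in c.cmd("LIST", multi=True)[1]]
    message = b"\r\n".join(c.cmd("RETR 1", multi=True)[1])
    return count, size, listing, message
```

Against a live server, `connect_pop3s("pop.gmail.com")` raises `ssl.SSLCertVerificationError` instead of printing a verify error and carrying on, so a rogue certificate stops the session before the password is sent.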
