zerodumb@hacking-journal:~/tools$
Roundcube Password Decryption Tool
· 12 min read
forensicscryptographypythonwebmaildecryption
“Sometimes the most valuable secrets are hidden in plain sight, just waiting for the right key.”
Webmail systems often store sensitive data in ways that seem secure at first glance, but understanding how they work can reveal vulnerabilities in their implementation. This Roundcube decryption tool emerged from analyzing session data and discovering that the webmail client was storing passwords using a predictable encryption scheme. It’s a forensic tool designed to understand and recover data from Roundcube sessions.
What This Script Does
This isn’t just another decryption tool. It’s a comprehensive forensic analysis script that:
- Decrypts Roundcube passwords using DES3 encryption with multiple modes
- Tests multiple decryption methods including ECB and CBC modes
- Analyzes decrypted data to determine validity and encoding
- Handles various padding strategies for different encryption implementations
- Provides detailed debugging information for forensic analysis
- Supports multiple input formats for flexible usage scenarios
Download
Key Features
Multiple Decryption Methods
The script doesn’t rely on a single approach. It systematically tests:
- DES3 ECB mode: Most common Roundcube implementation
- DES3 CBC mode: Alternative with null initialization vector
- Multiple padding strategies: PKCS#5, null padding, and raw data
- Common key variations: Tests different key lengths and formats
Intelligent Data Analysis
def analyze_decrypted_data(data):
"""Analyze decrypted data to determine if it's valid"""
# Try UTF-8 decoding
utf8_text = data.decode('utf-8', errors='ignore')
# Check if printable
if is_printable(utf8_text):
return utf8_text, "UTF-8 printable text"
# Check if hex data
hex_str = data.hex()
if all(c in '0123456789abcdefABCDEF' for c in hex_str):
return hex_str, "Hexadecimal data"
# ASCII with escape sequences
ascii_text = ''.join(chr(b) if 32 <= b <= 126 else f'\\x{b:02x}' for b in data)
return ascii_text, "ASCII with escape sequences"
Comprehensive Error Handling
- Missing dependencies: Graceful handling of pycryptodome/pycrypto
- Invalid inputs: Proper validation of base64 and key formats
- Decryption failures: Detailed error reporting for debugging
- Multiple fallback strategies: Tries different approaches when one fails
Usage
Basic Usage
# Use default example password and key
python decrypt_roundcube.py
# With custom encrypted password
python decrypt_roundcube.py "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"
# With custom password and DES key
python decrypt_roundcube.py "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/" "rcmail-!24ByteDESkey*Str"
# Using named arguments
python decrypt_roundcube.py --encrypted "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/" --key "rcmail-!24ByteDESkey*Str"
# Verbose output to see all attempts
python decrypt_roundcube.py --verbose
Prerequisites
# Install required dependency (recommended)
pip install pycryptodome
# Alternative (deprecated but sometimes available)
pip install pycrypto
Example Output
=== Roundcube Password Decryption Tool ===
Encrypted password: L7Rv00A8TuwJAr67kITxxcSgnIk25Am/
DES key: rcmail-!24ByteDESkey*Str
=== SUCCESSFUL DECRYPTIONS ===
Password: 28(6tJ5595mO8DmwGeD
Method: DES3 CBC mode with null IV
Analysis: PKCS#5 padding removed - UTF-8 printable text
Debug information:
Decoded data length: 24 bytes
Decoded data (hex): 2fb46fd3403c4eec0902bebb9084f1c5c4a09c8936e409bf
Data length is valid for DES3 (24 bytes = 3 blocks)
How It Works
1. Base64 Decoding
# Decode the encrypted password from base64 format
data = b64decode(enc_password)
2. DES3 Decryption
# Create cipher based on mode
if mode == 'ECB':
cipher = DES3.new(des_key, DES3.MODE_ECB)
elif mode == 'CBC':
cipher = DES3.new(des_key, DES3.MODE_CBC, iv)
3. Padding Removal
# Try PKCS#5 padding removal
pad_len = plain[-1]
if 1 <= pad_len <= 8:
if all(plain[-i] == pad_len for i in range(1, pad_len + 1)):
unpadded = plain[:-pad_len]
4. Data Analysis
The script analyzes decrypted data to determine:
- UTF-8 printable text: Most common for passwords
- Hexadecimal data: Sometimes used for binary data
- ASCII with escapes: Mixed printable/non-printable characters
Common Use Cases
Session Analysis
# Decrypt passwords from Roundcube session dumps
python decrypt_roundcube.py "encrypted_password_from_session"
Forensics
# Extract credentials from captured session data
python decrypt_roundcube.py "base64_encoded_password" "known_des_key"
Testing
# Verify encryption/decryption functionality
python decrypt_roundcube.py --verbose
Research
# Understand Roundcube's password storage mechanism
python decrypt_roundcube.py "test_password" "test_key"
Code Preview
#!/usr/bin/env python3
"""
Roundcube Password Decryption Script
Decrypts passwords stored in Roundcube session data using DES3 encryption.
"""
import sys
import base64
import binascii
import argparse
from base64 import b64decode
def try_pycryptodome():
"""Try to import from pycryptodome"""
try:
from Crypto.Cipher import DES3
return DES3
except ImportError:
return None
def decrypt_roundcube_password(enc_password, des_key, mode='ECB', iv=None):
"""
Decrypt Roundcube password using DES3
Args:
enc_password (str): Base64 encoded encrypted password
des_key (bytes): DES3 key (24 bytes)
mode (str): Encryption mode ('ECB' or 'CBC')
iv (bytes): Initialization vector for CBC mode
Returns:
list: List of (decrypted_data, analysis_result) tuples
"""
try:
# Get DES3 module
DES3 = try_pycryptodome()
if DES3 is None:
DES3 = try_pycrypto()
if DES3 is None:
return [(None, "Library not available")]
# Decode base64
try:
data = b64decode(enc_password)
except Exception as e:
return [(None, f"Failed to decode base64: {e}")]
# Create cipher based on mode
if mode == 'ECB':
cipher = DES3.new(des_key, DES3.MODE_ECB)
elif mode == 'CBC':
if iv is None:
iv = b"\x00" * 8
cipher = DES3.new(des_key, DES3.MODE_CBC, iv)
else:
return [(None, f"Unsupported mode: {mode}")]
# Decrypt and analyze
plain = cipher.decrypt(data)
results = []
# Try different padding removal strategies
# ... padding removal logic
return results
except Exception as e:
return [(None, f"Unexpected error: {e}")]
def main():
"""Main function"""
args = parse_arguments()
print("=== Roundcube Password Decryption Tool ===\n")
print(f"Encrypted password: {args.encrypted_password}")
print(f"DES key: {args.des_key}")
print()
# Test different keys and modes
keys = [args.des_key.encode('utf-8')]
modes = [
('ECB', 'DES3 ECB mode (most common)'),
('CBC', 'DES3 CBC mode with null IV')
]
# ... decryption logic
if successful_results:
print("=== SUCCESSFUL DECRYPTIONS ===")
for result, method, analysis in successful_results:
print(f"Password: {result}")
print(f"Method: {method}")
print(f"Analysis: {analysis}")
else:
print("All decryption methods failed!")
if __name__ == "__main__":
main()
Ethical Considerations
This script is designed for:
- Forensic analysis of captured session data
- Security research on webmail implementations
- Educational purposes in cryptography
- Authorized penetration testing
Important Notes:
- Only use on data you own or have explicit permission to analyze
- Respect privacy and data protection laws
- Use responsibly and ethically
- This tool is for understanding, not exploitation
Troubleshooting
Missing Dependencies
# Install pycryptodome (recommended)
pip install pycryptodome
# Alternative (deprecated)
pip install pycrypto
No Results Found
- Check if the encrypted password format is correct
- Verify the DES key is correct for your Roundcube installation
- Try different encryption modes or padding strategies
- Ensure the password isn’t encrypted with additional layers
Invalid Base64
# Verify the encrypted password is properly base64 encoded
echo "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/" | base64 -d
Password doesn’t work Roundcube adds junk text to their encoding as of the release of this tool. you will need to remove one character at a time, perhaps from either end, until log in success. I had to remove 5 characters, from the beginning of the decrypted password, on last use.
Library Import Errors
# Check available cryptography libraries
python -c "import Crypto; print('pycryptodome available')"
python -c "import Crypto.Cipher; print('DES3 available')"
Integration with Other Tools
This script works well with:
- Session analysis tools: For extracting encrypted data
- Webmail forensics: For understanding stored credentials
- Cryptography research: For studying encryption implementations
- Penetration testing: For authorized security assessments
Next Steps
After using this script:
- Analyze the decryption method used by your target
- Document the key patterns for future reference
- Research the encryption implementation in Roundcube
- Consider security implications of the encryption scheme
- Report findings responsibly if vulnerabilities are discovered
Remember: This tool is for understanding and research. Always respect privacy and use it only on authorized data.
This script is part of my forensic toolkit for understanding webmail security implementations. It’s designed to be thorough, informative, and respectful of data privacy. Use it responsibly.
Question loudly so others can learn quietly. Stay curious. Stay loud.
Don’t Be A Skid -Zero