APR-POP3S enables the capture and decryption of POP3S traffic between hosts. It works in conjunction with Cain's Certificate Collector to inject fake certificates into SSL sessions previously hijacked by means of APR. Using this trick, it is possible to decrypt encrypted data before it arrives at the real destination, performing a so-called Man-in-the-Middle attack.

Currently this feature supports only the "implicit" POP3S protocol, which by default uses TCP port 995. You can grab and prepare spoofed certificates in advance using Cain's Certificate Collector, as shown in the following picture.

Prerequisites  

This feature needs APR to be enabled and a Man-in-the-Middle condition between the POP3S server and the victim host.

The APR SSL spoofing features require a direct TCP/IP connection between the attacker machine and the SSL-enabled server. To handle spoofed communications, Cain must be able to reach the remote SSL server without the use of proxy servers.

Limitations

This feature does not work like a proxy server; because it relies on the WinPcap driver, it cannot decrypt POP3S sessions initiated from the local host.

Usage

After you successfully set up APR with the POP3S sniffer filter enabled, sessions are automatically saved in the POP3S subdirectory and can be viewed using the relevant function in the list's pop-up menu.
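
From the mail client's side, the injected certificate is what gives this kind of interception away. The following added example (not part of Cain's documentation or code) validates an implicit POP3S server on port 995 and compares its certificate with a SHA-256 fingerprint recorded out of band; the function names and the constructed sample byte strings are assumptions made for illustration.

```python
import hashlib
import poplib
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE_DER = b"constructed-genuine-pop3s-certificate"
SPOOFED_DER = b"constructed-spoofed-pop3s-certificate"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare a presented certificate against a pin recorded out of band.

    Accepts pins written as 'AB:CD:...' or plain hex, in any letter case.
    """
    normalized = pinned_hex.replace(":", "").strip().lower()
    return fingerprint(der_cert) == normalized


def strict_context() -> ssl.SSLContext:
    """TLS context that validates the chain and the server hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_pop3s(host: str, pinned_hex: str, port: int = 995, timeout: float = 10.0):
    """Connect with implicit TLS and report (trusted, observed_fingerprint).

    A certificate that fails chain or hostname validation aborts the
    handshake, so no credentials are ever sent over the session.
    """
    try:
        conn = poplib.POP3_SSL(host, port, timeout=timeout, context=strict_context())
    except ssl.SSLCertVerificationError:
        return False, None
    try:
        der = conn.sock.getpeercert(binary_form=True)
        return matches_pin(der, pinned_hex), fingerprint(der)
    finally:
        conn.close()
```

A fingerprint mismatch on a certificate that still passes chain validation is worth alerting on, since it means the server presented a certificate other than the one that was recorded.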