This tool helps recover passwords stored in Roundcube IMAP configuration files, assisting security professionals in audits and penetration tests.
Decrypt Roundcube Webmail session-passwords and config.inc.php credentials using Triple DES (3DES / DES-EDE3).
Roundcube is an open-source IMAP webmail client. User credentials are stored in `config.inc.php` or session variables as encrypted strings. These use Triple DES (3DES) encryption. To recover a password, both the encryption key and the stored value are required. This tool allows administrators and security researchers to decode passwords and inspect stored credentials securely.
Input:
DES-EDE3-key: my_secret_key Encrypted password: my_encrypted_password
Output:
Decrypted password: my_decrypted_password
What is Roundcube Webmail?
Roundcube is a browser-based IMAP client used by hosting providers and organizations to manage emails securely.
Where are credentials stored?
User credentials are saved in `config.inc.php` or session variables. They are encrypted using Triple DES (3DES) in CBC mode and often base64-encoded.
How does decryption work?
The stored value contains the IV and ciphertext. With the encryption key from `config.inc.php` and the encrypted password, the original password can be recovered locally.
Can session-passwords be decoded?
Yes. Session variables can be decrypted if the key and encrypted value are available.
What is the encryption key?
The key is defined in `config.inc.php` (default: `des_key`) and is used for encrypting and decrypting stored credentials.
Is this password recovery safe?
Yes. All decryption happens locally. No data is uploaded to any server.
