RE: POP3 passwords

[Dave Killion <Dkillion () netscreen com>]

Well, the biggest trick would be to be in the return path of the spoofed IP.
And if you are, there's no need to spoof it, just sniff.

Francisco mentions ARP spoofing, which is what I was mentioning earlier.
The problem for both methods above - ARP or IP spoofing, is one of routing.
Just because you inject a packet into the network with a spoofed header does
not mean you'll see any returned traffic.  ISP's on the Internet have their
route tables to follow (sometimes even asymmetrically = client and server
can take different routes), and any packets sent back to your spoofed IP
will really go to your spoofed IP, and not you.

The only way to own this from ARP spoofing is to be on the same layer 2
segment as either end.  For that, either ARP spoofing or cam table stuffing
(mentioned previously) is the way to go.

And like Francisco mentions, if the protocol has strong encryption, an
attacker doesn't have much.

-Dave

This e-mail reflects the personal opinion of the author.
 -- Unless explicitly so stated in the text, it does not represent an
    official position of NetScreen Technologies, Inc.


This email contains material that is confidential.  The content of this
email is for the sole use of the intended recipient(s).  Any review or
distribution by persons other than the intended recipient(s) without the
express permission of NetScreen Technologies, Inc. is strictly prohibited.
If you are not the intended recipient, please contact the sender and
delete/destroy all copies of this email and any related attachments.
NetScreen does not guarantee the accuracy or completeness of third party
materials or information.



> -----Original Message-----
> From: Steve McLaughlin [mailto:steve () Lan com au]
> Sent: Monday, October 20, 2003 5:50 PM
> To: 'Dave Killion'; security-basics () securityfocus com
> Subject: RE: POP3 passwords
>
>
> Would it be possible to spoof the IP of the POP3 server to 
> the mail client
> over the internet from a dummy mail server, using say, 
> Packit, and then,
> sniff the packets hitting the LAN card?
>
> -----Original Message-----
> From: Dave Killion [mailto:Dkillion () netscreen com] 
> Sent: Tuesday, 21 October 2003 4:50 AM
> To: 'Zachary Mutrux'; Security-Basics
> Subject: RE: POP3 passwords
>
> Zac,
>
> Well, you're right - people don't think much about POP3 
> passwords, but they
> should.
>
> POP3/S is a solution, but not many people support it or know 
> how to use it.
> The people who do know typically are the ones who check their 
> email via SSH
> and mutt anyway.
>
> The biggest trick to exploiting POP3 (indeed, any clear-text auth'd
> protocol) is to get in the data stream.  If you control a gateway the
> traffic goes through, or on the same layer-2 hub, you're set. 
>  Otherwise,
> some MAC-address tomfoolery is in order - either to stuff a 
> cam table (spoof
> thousands of MAC addresses so the switch 'breaks open' to 
> forward-all mode -
> think 'macof'[1]) on a switch, if you're on the same switched layer-2
> segment, or to spoof the gateway IP with your MAC address to
> man-in-the-middle the gateway (think 'arpspoof'[2]).
>
> Once it's left the local network and gone on to the big I, 
> it's harder to
> get at, unless you can again control a segment of network the 
> data stream
> goes through.  People who work at ISP's shouldn't have a 
> problem doing this,
> but generally they're paid to be trustworthy with this sort of thing.
> Unauthorized network snooping at an ISP is a good way to get fired and
> blacklisted.
>
> But really, why leave it to chance?  Encrypt your connections 
> with SSL or
> SSH.  POP3 accounts sometimes also have shell accounts, and the
> username/password's the same.
>
> My $0.02...
>
> Dave Killion
> Senior Security Engineer
> Security Group, NetScreen Technologies, Inc.
>
> Footnotes:
>
> [1] and [2] - Both are tools in the dsniff tool suite by Dug Song:
> http://www.monkey.org/~dugsong/dsniff/
>
> This e-mail reflects the personal opinion of the author.
>  -- Unless explicitly so stated in the text, it does not represent an
>     official position of NetScreen Technologies, Inc.
>
>
> This email contains material that is confidential.  The 
> content of this
> email is for the sole use of the intended recipient(s).  Any review or
> distribution by persons other than the intended recipient(s) 
> without the
> express permission of NetScreen Technologies, Inc. is 
> strictly prohibited.
> If you are not the intended recipient, please contact the sender and
> delete/destroy all copies of this email and any related attachments.
> NetScreen does not guarantee the accuracy or completeness of 
> third party
> materials or information.
>
>
>
> > -----Original Message-----
> > From: Zachary Mutrux [mailto:zmutrux () compumentor org]
> > Sent: Friday, October 17, 2003 4:40 PM
> > To: Security-Basics
> > Subject: POP3 passwords
> >
> >
> > Why has it not been a bigger problem that POP3 passwords are 
> > unencrypted
> > when sent over the public Internet? Seems like they would be 
> > pretty easy for
> > a miscreant to steal.
> >
> > zm
> >
> > --
> > Zac Mutrux
> > Technology Consultant
> > CompuMentor
> > 415-633-9437
> >
> >
> >
> > --------------------------------------------------------------
> > -------------
> > FREE Whitepaper: Better Management for Network Security
> >
> > Looking for a better way to manage your IP security?
> > Learn how Solsoft can help you:
> > - Ensure robust IP security through policy-based management
> > - Make firewall, VPN, and NAT rules interoperable across 
> heterogeneous
> > networks
> > - Quickly respond to network events from a central console
> >
> > Download our FREE whitepaper at:
> > http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015
> > --------------------------------------------------------------
> > --------------
>
> --------------------------------------------------------------
> -------------
> FREE Whitepaper: Better Management for Network Security
>
> Looking for a better way to manage your IP security?
> Learn how Solsoft can help you:
> - Ensure robust IP security through policy-based management
> - Make firewall, VPN, and NAT rules interoperable across heterogeneous
> networks
> - Quickly respond to network events from a central console
>
> Download our FREE whitepaper at:
> http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015
> --------------------------------------------------------------
> --------------
>
>
>
>
> --------------------------------------------------------------
> -------------
> FREE Whitepaper: Better Management for Network Security
>
> Looking for a better way to manage your IP security?
> Learn how Solsoft can help you:
> - Ensure robust IP security through policy-based management
> - Make firewall, VPN, and NAT rules interoperable across heterogeneous
> networks
> - Quickly respond to network events from a central console
>
> Download our FREE whitepaper at:
> http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Visual & Easy-to-use are not words that you think of when talking about 
network analyzers. Are you sick of the three window text decodes? Download ClearSight Network's Analyzer and see a new 
network analysis tool that 
makes the complex - easy
www.clearsightnet.com/jmp6-downloadtrial.jsp
----------------------------------------------------------------------------