Security Basics mailing list archives
RE: POP3 passwords
From: Dave Killion <Dkillion () netscreen com>
Date: Tue, 21 Oct 2003 15:32:33 -0700
Well, the biggest trick would be to be in the return path of the spoofed IP. And if you are, there's no need to spoof it, just sniff.

Francisco mentions ARP spoofing, which is what I was mentioning earlier.

The problem for both methods above - ARP or IP spoofing - is one of routing. Just because you inject a packet into the network with a spoofed header does not mean you'll see any returned traffic. ISPs on the Internet have their route tables to follow (sometimes even asymmetrically = client and server can take different routes), and any packets sent back to your spoofed IP will really go to your spoofed IP, and not you.

The only way to own this from ARP spoofing is to be on the same layer 2 segment as either end. For that, either ARP spoofing or cam table stuffing (mentioned previously) is the way to go.

And like Francisco mentions, if the protocol has strong encryption, an attacker doesn't have much.

-Dave

This e-mail reflects the personal opinion of the author. -- Unless explicitly so stated in the text, it does not represent an official position of NetScreen Technologies, Inc. This email contains material that is confidential. The content of this email is for the sole use of the intended recipient(s). Any review or distribution by persons other than the intended recipient(s) without the express permission of NetScreen Technologies, Inc. is strictly prohibited. If you are not the intended recipient, please contact the sender and delete/destroy all copies of this email and any related attachments. NetScreen does not guarantee the accuracy or completeness of third party materials or information.

-----Original Message-----
From: Steve McLaughlin [mailto:steve () Lan com au]
Sent: Monday, October 20, 2003 5:50 PM
To: 'Dave Killion'; security-basics () securityfocus com
Subject: RE: POP3 passwords

Would it be possible to spoof the IP of the POP3 server to the mail client over the internet from a dummy mail server, using say, Packit, and then, sniff the packets hitting the LAN card?

-----Original Message-----
From: Dave Killion [mailto:Dkillion () netscreen com]
Sent: Tuesday, 21 October 2003 4:50 AM
To: 'Zachary Mutrux'; Security-Basics
Subject: RE: POP3 passwords

Zac,

Well, you're right - people don't think much about POP3 passwords, but they should. POP3/S is a solution, but not many people support it or know how to use it. The people who do know typically are the ones who check their email via SSH and mutt anyway.

The biggest trick to exploiting POP3 (indeed, any clear-text auth'd protocol) is to get in the data stream. If you control a gateway the traffic goes through, or on the same layer-2 hub, you're set. Otherwise, some MAC-address tomfoolery is in order - either to stuff a cam table (spoof thousands of MAC addresses so the switch 'breaks open' to forward-all mode - think 'macof'[1]) on a switch, if you're on the same switched layer-2 segment, or to spoof the gateway IP with your MAC address to man-in-the-middle the gateway (think 'arpspoof'[2]).

Once it's left the local network and gone on to the big I, it's harder to get at, unless you can again control a segment of network the data stream goes through. People who work at ISPs shouldn't have a problem doing this, but generally they're paid to be trustworthy with this sort of thing. Unauthorized network snooping at an ISP is a good way to get fired and blacklisted.

But really, why leave it to chance? Encrypt your connections with SSL or SSH. POP3 accounts sometimes also have shell accounts, and the username/password's the same.

My $0.02...

Dave Killion
Senior Security Engineer
Security Group, NetScreen Technologies, Inc.

Footnotes: [1] and [2] - Both are tools in the dsniff tool suite by Dug Song: http://www.monkey.org/~dugsong/dsniff/

-----Original Message-----
From: Zachary Mutrux [mailto:zmutrux () compumentor org]
Sent: Friday, October 17, 2003 4:40 PM
To: Security-Basics
Subject: POP3 passwords

Why has it not been a bigger problem that POP3 passwords are unencrypted when sent over the public Internet? Seems like they would be pretty easy for a miscreant to steal.

zm

--
Zac Mutrux
Technology Consultant
CompuMentor
415-633-9437
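
Added example, not part of the original thread: a defender's view of the two layer-2 techniques the messages above mention (spoofing the gateway's ARP binding and CAM table stuffing), written as detection logic over constructed frame observations. The tuple layout, addresses, port numbers and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed observations: (time_s, switch_port, src_mac, arp_sender_ip).
# arp_sender_ip is None unless the frame is an ARP reply.
GATEWAY_IP = "192.0.2.1"            # assumed gateway (documentation range)
GATEWAY_MAC = "00:00:5e:00:53:01"   # assumed known-good gateway MAC

def sample_frames():
    frames = [
        (0.0, 1, GATEWAY_MAC, GATEWAY_IP),            # legitimate gateway reply
        (1.0, 4, "00:00:5e:00:53:10", "192.0.2.10"),  # ordinary host
        (2.0, 7, "00:00:5e:00:53:66", GATEWAY_IP),    # port 7 claims the gateway IP
    ]
    # Port 9 sources 500 distinct MACs inside one second (flood pattern).
    frames += [(3.0 + i / 500, 9, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", None)
               for i in range(500)]
    return frames

def arp_binding_violations(frames, pinned):
    """ARP replies whose sender MAC differs from the pinned MAC for that IP."""
    return [(t, port, ip, mac) for t, port, mac, ip in frames
            if ip in pinned and mac != pinned[ip]]

def mac_flood_ports(frames, window_s=1.0, limit=100):
    """Ports that introduce more than `limit` new source MACs within window_s."""
    first_seen = defaultdict(dict)          # port -> {mac: time first seen}
    for t, port, mac, _ in frames:
        first_seen[port].setdefault(mac, t)
    flagged = set()
    for port, macs in first_seen.items():
        times = sorted(macs.values())
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:  # slide the window forward
                lo += 1
            if hi - lo + 1 > limit:
                flagged.add(port)
                break
    return sorted(flagged)

if __name__ == "__main__":
    frames = sample_frames()
    print(arp_binding_violations(frames, {GATEWAY_IP: GATEWAY_MAC}))
    print(mac_flood_ports(frames))
```

Both checks only work from a vantage point on the same layer-2 segment, which is the same constraint the thread places on the attacker.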