ietf-smtp

Re: Security problems with SRV records

2011-08-20 06:17:40

On 19.08.2011 14:56, Arnt Gulbrandsen wrote:

> On 08/19/2011 02:05 PM, Alessandro Vesely wrote:
>> As well as they automate client setup, SRV records also automate cracking.
>
> How is that?

Assume I have a bunch of email addresses, some bots, and some spam to send.
I'd run something like this pseudo-code:

foreach ($email-addr in BUNCH)
{
  $srv = lookup_SRV(domain_part($email-addr));
  if ($srv)
  {
    // assume $email-addr is also the login name (or, possibly, BUNCH was
    // harvested by gathering Authentication-Results for the "auth" method,
    // or equivalent auth info stored in MSAs' Received header fields.)
    $passwd = crack_password($email-addr, $srv, BOTNET);

    // otherwise, try the local part
    if (!$passwd)
    {
      $email-addr = local_part($email-addr);
      $passwd = crack_password($email-addr, $srv, BOTNET);
    }

    // send authenticated mail, if cracked
    if ($passwd)
    {
      $bot = choose_a_client(BOTNET);
      run_exploit($email-addr, $passwd, $srv, $bot, SPAM);
    }
  }
}

That only works if SRV records are widespread.  In most cases it is
straightforward to work out an MSA for a given domain, but it has to be done
manually, using some knowledge and insight.  A fully automated tool can be
run by anyone.

Admittedly, the attacks I've seen thus far (MSA and POP3) are not very
clever, but they seem to be getting better.

> Keep in mind that the net is small these days. The bruteforce kiddies sweep
> the entire IPv4 internet, and do it quickly. I set up a new public box the
> other day, it was swept during its first working day

Yes, that's common.  However, until they are forced to try a few role
accounts, e.g. "Administrator", it is quite easy to avoid being cracked.

Hiding login names is a possible alternative.  For example, Section 8.8 of
4409bis says:

   The MSA MAY rewrite local parts and/or domains in the SMTP envelope,
   and optionally in address fields of the header, according to local
   policy.  For example, a site may prefer to rewrite 'JRU' as
   'J.Random.User' in order to hide login names, and/or to rewrite
   'squeaky.sales.example.net' as 'zyx.example.net' to hide machine
   names and make it easier to move users.

Are such tactics deployed often?

And how about IPv6?

> I've heard stories of "rooted in x minutes" for scarily small values of x.

Yes, by rooting the server it is possible to download a user list that also
includes (possibly encrypted) passwords.  Let's assume that we have some
means to avoid being rooted, at least in theory!

> I venture to suggest that at the moment, sweeping the IPv4 net looking for
> open TCP ports is easier than sweeping the DNS looking for SRV records.

It is way more difficult to impersonate real users when you know neither
their userids nor their passwords.  Having a server's IP and some login names
is more helpful for crackers [1], and it is the kind of information that we
are willing to make publicly available.  Are there theoretical
countermeasures that avoid cracking but still allow traditional use of
"human" passwords?

-- 

[1] http://tomicki.net/chimera.php
    remote password cracker for a variety of protocols;
    tool's arguments: server, service, login name, kind of passwords.
