Penetration Testing mailing list archives
Re: [PEN-TEST] examining exchange mail
From: Francois Pepin <fpepin () PO-BOX MCGILL CA>
Date: Wed, 6 Dec 2000 17:15:57 -0500
I think that the question is about something else here. Is it possible when you have access to the Exchange server to read the mail of an individual user. In Unix the answer is simple, root is root is God as far as the computer is concerned. In Exchange, it's not that simple. I've only played with with Exchange 2000, but I've never found a way to access it like that. The administrator does not have the right to view the messages in someone else's mailbox. You cannot change the permissions directly on those folders (on the M: drive). I tried to do that out of curiosity only and didn't go all that far in trying to do it. I don't remember if the "run as" needs the user'S password or not when you're admin (I think it does). And the M: is only a mirror of the real data, that is stored elsewhere which might be more vulnerable permission-wise if you know how to extract it. So it's trivial, but I don't know if it can be done or not. Of course, I never tried Exchange 5.5. Is this what the question is about? Francois -----Message d'origine----- De : Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]De la part de Robert van der Meulen Envoye : 6 decembre, 2000 13:07 A : PEN-TEST () SECURITYFOCUS COM Objet : Re: [PEN-TEST] examining exchange mail Hi, Quoting Andrew Thomas (blink () EYE2EYE NET):
I have domain admin on a network, and I want to know how I would go about viewing mail *stored* on the Exchange Server, if this is possible. What little research I have done, has not turned up much, so if anyone
could
help, it would be much appreciated.
AFAIK it shouldn't be so hard to either move the mail to a new account, or write some win32 program that uses the NT api's to open the mailbox files/databases. Altering the rights of the target user should be possible too, i guess. I'm a non-m$, unix-person only, so my experience with Exchange is limited. I did work with M$ api's for some time, and found them quite complete. What this has to do with pen-testing, i don't get ;) Also keep in mind that reading any users' email (unless it's your own) can offer a nice legal problem, even in a pen-test scope (not mentioning ethics). Greets, Robert -- | rvdm () cistron nl - Cistron Internet Services - www.cistron.nl | | php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security | | My statements are mine, and not necessarily cistron's. | Never trust a child farther than you can throw it.
Current thread:
- [PEN-TEST] examining exchange mail Andrew Thomas (Dec 07)
- Re: [PEN-TEST] examining exchange mail Ryan Russell (Dec 07)
- Re: [PEN-TEST] examining exchange mail Work, Clinton (Dec 07)
- Re: [PEN-TEST] examining exchange mail Phonix (Dec 10)
- Re: [PEN-TEST] examining exchange mail Deus, Attonbitus (Dec 10)
- Re: [PEN-TEST] examining exchange mail Conor Crowley (Dec 10)
- Re: [PEN-TEST] examining exchange mail Robert van der Meulen (Dec 07)
- Re: [PEN-TEST] examining exchange mail Francois Pepin (Dec 07)
- Re: [PEN-TEST] examining exchange mail Patrick Aland (Dec 07)
- Re: [PEN-TEST] examining exchange mail Laura Nuñez (Dec 07)
- <Possible follow-ups>
- Re: [PEN-TEST] examining exchange mail Jeff Oliver (Dec 07)
- Re: [PEN-TEST] examining exchange mail Marty Richards (Dec 07)
- Re: [PEN-TEST] examining exchange mail Mark Armitage (Dec 07)
- Re: [PEN-TEST] examining exchange mail Andrew Thomas (Dec 10)
- Re: [PEN-TEST] examining exchange mail Charlie Roberts (Dec 10)
- Re: [PEN-TEST] examining exchange mail Ryan Russell (Dec 07)