Re: [PEN-TEST] examining exchange mail

[Francois Pepin <fpepin () PO-BOX MCGILL CA>]

I think that the question is about something else here. Is it possible when
you have access to the Exchange server to read the mail of an individual
user.

In Unix the answer is simple, root is root is God as far as the computer is
concerned. In Exchange, it's not that simple.

I've only played with with Exchange 2000, but I've never found a way to
access it like that. The administrator does not have the right to view the
messages in someone else's mailbox. You cannot change the permissions
directly on those folders (on the M: drive). I tried to do that out of
curiosity only and didn't go all that far in trying to do it. I don't
remember if the "run as" needs the user'S password or not when you're admin
(I think it does). And the M: is only a mirror of the real data, that is
stored elsewhere which might be more vulnerable permission-wise if you know
how to extract it. So it's trivial, but I don't know if it can be done or
not. Of course, I never tried Exchange 5.5.

Is this what the question is about?

Francois

-----Message d'origine-----
De : Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]De la part
de Robert van der Meulen
Envoye : 6 decembre, 2000 13:07
A : PEN-TEST () SECURITYFOCUS COM
Objet : Re: [PEN-TEST] examining exchange mail


Hi,

Quoting Andrew Thomas (blink () EYE2EYE NET):
> I have domain admin on a network, and I want to know how I would go about
> viewing mail *stored* on the Exchange Server, if this is possible.
>
> What little research I have done, has not turned up much, so if anyone
could
> help, it would be much appreciated.
AFAIK it shouldn't be so hard to either move the mail to a new account, or
write some win32 program that uses the NT api's to open the mailbox
files/databases. Altering the rights of the target user should be possible
too, i guess. I'm a non-m$, unix-person only, so my experience with Exchange
is limited. I did work with M$ api's for some time, and found them quite
complete.

What this has to do with pen-testing, i don't get ;) Also keep in mind that
reading any users' email (unless it's your own) can offer a nice legal
problem, even in a pen-test scope (not mentioning ethics).

Greets,
        Robert

--
|      rvdm () cistron nl - Cistron Internet Services - www.cistron.nl        |
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |
             Never trust a child farther than you can throw it.