Penetration Testing mailing list archives
Re: e-mail address mining tool?
From: Tomasz Nidecki <tonid () hakin9 org>
Date: Wed, 9 Nov 2005 12:30:30 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: MD5 Tuesday, November 8, 2005, 6:27:28 PM, Hugo wrote:
I agree whit every thing u said Tomas, but from the point off view off a penetration testing it would be a very nice way to get what users are valid on that domain. assuming that the only service available is external mail for the users, witch is the case I'm working right know.
Understandable. Well, then I guess your best choice is to make a dictionary or brute force attack on the mail server, attempting to send mail to either dictionary-based addresses or all possible addresses [ouch], giving a specific MAIL FROM, where you'd be receiving bounces from inexistant accounts, and you can even parse them automatically with some kind of a script. The best strategy I guess would be to send mail with empty contents, no headers. This will be treated by most users as "something strange that they've received but they have no idea why and how". However, this is noisy, since if you hit an admin account, the admin will be able to see your IP address and your return address in headers. And, unfortunately, an open proxy will not help much here, since in order for this test to be succesful, you must receive responses, and unless you use an 0wn3d box for that, someone can always easily track you 8]. The worst thing that could happen is that the target domain has a default-account strategy and all your mail will end up on one account, probably an admin or management account. Then it will look like a mailbomb and if your pentest is to be silent, not noisy, this is not a good idea at all. The way you can test this is sending an empty mail to some completely bogus address like: qwertyuiop () domain com and see whether it bounces. If it doesn't bounce, you're probably dealing with a default-account strategy and there is no way you can use SMTP to check for existing accounts. If it bounces, it's definitely not using a default-account strategy so you can proceed with your pentest 8]
Now comes the question, if i develop such tool, and the spamers get the hands on it i will kill my self :), i don't want no more sper..... pills mails or... well i think u know what i mean.
Hrhr, not to worry. Spammers have used that strategy for a long time. Haven't you ever received some mail that has no typical headers, no body, just Received:, Return-Path:, Delivered-To: etc.? Well, I have and the only reason to explain such mails is that spammers are testing the validity of the e-mail address. If it bounces, the account is invalid. If it doesn't, mail will end up somewhere [even with the default-account strategy], so the spammer is happy. So don't worry, you won't be reinventing a wheel 8]. The biggest problem with such a tool, I guess, would be parsing of the return data, since bounces are in as many formats as there are mailservers out there and you'd need to use regexps for different types of mailservers in order to automatically parse the bounces. - -- Tomasz Nidecki, Sekr. Redakcji / Managing Editor hakin9 magazine http://www.hakin9.org mailto:tonid () hakin9 org jid:tonid () tonid net Do you know what "hacker" means? http://www.catb.org/~esr/faqs/hacker-howto.html Czy wiesz, co znaczy slowo "haker"? http://www.jtz.org.pl/Inne/hacker-howto-pl.html -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUAQ3Hd1kR7PdagQ735AQFihAQAjXEwLLp/ULPl3pSfQxv5CU2+MgmQ/fGa mR3Rp35/tKn27rI0lyPPOLNsVPiN/vCP0Ujp3Y5/jGYUtzGcCsS51x3ltpeLBj2L 2PZr+v9KqJmEfd4l8HkvDy4bSXIO204qAlZoPhJT9CkKxK/kKWBRO0u7yuI6OmxB 6B0HlUYB5bw= =jHgI -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- e-mail address mining tool? Hugo Vinicius Garcia Razera (Nov 05)
- RE: e-mail address mining tool? Eyal Udassin (Nov 06)
- Re: e-mail address mining tool? Tomasz Nidecki (Nov 07)
- Re: e-mail address mining tool? Justin (Nov 08)
- Message not available
- Re: e-mail address mining tool? Tomasz Nidecki (Nov 09)
- Re: e-mail address mining tool? Diarmaid McManus (Nov 10)
- Re: e-mail address mining tool? Tomasz Nidecki (Nov 07)
- RE: e-mail address mining tool? Eyal Udassin (Nov 06)
- Re: e-mail address mining tool? Hugo Vinicius Garcia Razera (Nov 08)
- Re: e-mail address mining tool? Tomasz Nidecki (Nov 09)
- Re: e-mail address mining tool? James Eaton-Lee (Nov 10)
- Re: e-mail address mining tool? Tomasz Nidecki (Nov 10)
- <Possible follow-ups>
- Re: e-mail address mining tool? Marco Ivaldi (Nov 13)