Penetration Testing mailing list archives

RE: Pentesting Openmail Web login


From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 25 May 2007 12:43:15 +0200 (ora solare Europa occidentale)

On Thu, 24 May 2007, Clemens, Dan wrote:

> The use of SMTP commands may help you - expn or vrfy will help you in enumerating accounts.

As a side note, I've seen quite a lot of SMTP servers (Sendmail, Postfix, Exchange, etc.) configured to leak valid users with the RCPT TO command too, e.g.:

raptor@pandora:~$ telnet mail 25
Trying x.x.x.x...
Connected to mail.
Escape character is '^]'.
220 mail ESTMP none
helo foo
250 mail
mail from:<test () test com>
250 Ok
rcpt to:<root>
250 Ok
rcpt to:<noexistant>
550 <noexistant>: Recipient address rejected: User unknown in local recipient table

Sometimes, such as in this example, system users are leaked; sometimes only email addresses can be recovered. In some situations, the latter may be considered "a feature, not a bug" (tm), as for instance it helps to keep a lower resource usage on servers heavily targeted by spam. YMMV.

My brutus.pl tool implements this information leak attack, together with the classic VRFY/EXPN (it always amazes me how these are still active on some default configurations!):

http://www.0xdeadbeef.info/code/brutus.pl

Cheers,

--
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
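One way to notice this kind of recipient probing from the server side, as an added example that is not part of the original post or of brutus.pl: a Python script that parses Postfix smtpd reject lines carrying the 550 "User unknown in local recipient table" response shown above and flags any client that accumulates many of them within a short window. The log lines are constructed samples in Postfix's NOQUEUE reject format; the threshold and window are assumed tuning values, not recommendations from the list.

```python
"""Flag SMTP recipient-enumeration attempts in Postfix smtpd logs.

Added example, not from the original post. Counts, per client IP, the
'User unknown in local recipient table' rejections inside a sliding time
window and reports clients exceeding a threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches a Postfix 'NOQUEUE: reject: RCPT from host[ip]: 550 ... User unknown' line
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 .*?"
    r"User unknown in local recipient table"
)

def parse_rejects(lines, year=2007):
    """Yield (timestamp, client_ip) for every user-unknown rejection."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def find_enumerators(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for clients with >= threshold user-unknown
    rejections inside any window_seconds span (assumed tuning values)."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for ts, ip in parse_rejects(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def _line(ts, ip, user):  # builds one constructed Postfix-style reject line
    return (f"{ts} mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{user}@example.net>: Recipient address "
            f"rejected: User unknown in local recipient table; "
            f"from=<test@test.com> to=<{user}@example.net> proto=SMTP helo=<foo>")

SAMPLE_LOG = [  # constructed sample log: one probing client, one harmless typo
    "May 25 12:42:59 mail postfix/smtpd[2211]: connect from unknown[192.0.2.10]",
    _line("May 25 12:43:01", "192.0.2.10", "alice"),
    _line("May 25 12:43:02", "192.0.2.10", "bob"),
    _line("May 25 12:43:02", "192.0.2.10", "carol"),
    _line("May 25 12:43:03", "192.0.2.10", "dave"),
    _line("May 25 12:43:04", "192.0.2.10", "erin"),
    _line("May 25 12:43:05", "192.0.2.10", "frank"),
    _line("May 25 12:50:00", "198.51.100.7", "typo"),
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'192.0.2.10': 6}
```

For the VRFY/EXPN variant the cheaper fix is to switch the commands off in the MTA (Postfix: `disable_vrfy_command = yes`), which removes the leak rather than just detecting it.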

