Penetration Testing mailing list archives
RE: Pentesting Openmail Web login
From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 25 May 2007 12:43:15 +0200 (ora solare Europa occidentale)
On Thu, 24 May 2007, Clemens, Dan wrote:
> The use of SMTP command may help you - expn or vrfy will help you in enumerating accounts.
As a side note, I've seen quite a lot of SMTP servers (Sendmail, Postfix, Exchange, etc.) configured to leak valid users with the RCPT TO command too, e.g.:

raptor@pandora:~$ telnet mail 25
Trying x.x.x.x...
Connected to mail.
Escape character is '^]'.
220 mail ESTMP none
helo foo
250 mail
mail from:<test () test com>
250 Ok
rcpt to:<root>
250 Ok
rcpt to:<noexistant>
550 <noexistant>: Recipient address rejected: User unknown in local recipient table
Sometimes, such as in this example, system users are leaked; sometimes only email addresses can be recovered. In some situations, the latter may be considered "a feature, not a bug" (tm), as for instance it helps to keep a lower resource usage on servers heavily targeted by spam. YMMV.
My brutus.pl tool implements this information leak attack, together with the classic VRFY/EXPN (it always amazes me how these are still active on some default configurations!):
http://www.0xdeadbeef.info/code/brutus.pl

Cheers,

-- 
Marco Ivaldi, OPST
Chief Security Officer
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/
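For the mail administrator's side of the RCPT TO leak described in the message above, here is an added detection example; it is not part of the original post or of brutus.pl. It flags clients that trigger a burst of "User unknown in local recipient table" rejections for distinct recipients, assuming Postfix's usual smtpd reject log line; the function name, thresholds, year default and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd reject line for an unknown local recipient (log format assumed).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: 550 .*?"
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

def find_enumerators(lines, threshold=3, window=timedelta(seconds=60), year=2007):
    """Map client IP -> peak count of distinct unknown recipients inside one sliding
    window, for clients reaching `threshold`. Lines must be chronological; syslog has no year."""
    recent = defaultdict(deque)  # ip -> (timestamp, recipient) pairs still in window
    flagged = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["rcpt"].lower()))
        while ts - q[0][0] > window:  # drop rejects older than the window
            q.popleft()
        distinct = len({rcpt for _, rcpt in q})  # retries of one address count once
        if distinct >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), distinct)
    return flagged

# Constructed sample log (documentation IP ranges, made-up recipients).
_LINE = ("May 25 {t} mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
         "unknown[{ip}]: 550 5.1.1 <{u}>: Recipient address rejected: User unknown "
         "in local recipient table; from=<test@test.example> to=<{u}> proto=SMTP helo=<foo>")
SAMPLE = [_LINE.format(t=t, ip=ip, u=u) for t, ip, u in [
    ("12:00:00", "203.0.113.5", "info"),     # three misses spread over 20 minutes
    ("12:10:00", "203.0.113.5", "sales"),
    ("12:20:00", "203.0.113.5", "hr"),
    ("12:40:01", "192.0.2.10", "admin"),     # burst of guesses within seconds
    ("12:40:02", "192.0.2.10", "oracle"),
    ("12:40:03", "192.0.2.10", "backup"),
    ("12:40:03", "192.0.2.10", "backup"),    # repeated address, counted once
    ("12:40:04", "192.0.2.10", "noexistant"),
    ("12:41:00", "198.51.100.7", "jsmiht"),  # single typo from an ordinary sender
]]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE))
```

The threshold and window are starting values; tune them against the rate of ordinary mistyped recipients on the server being monitored.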