Penetration Testing mailing list archives

Re: Several Domains


From: Todd Haverkos <infosec () haverkos com>
Date: Fri, 12 Dec 2008 03:07:30 -0600

"Ahmed Zaki" <ahmedmzaki () gmail com> writes:

> Thanks for your reply.
>
> Apparently it's my fault; I should have made my question clearer.
>
> Your target is Company X. The IP of the mail server turned out to be
> xxx.xxx.xxx.xxx, and when used to do a reverse DNS lookup it gave
> mail.companyx.com, mail.companyx-fs.com, mail.companyx.com.fs,
> mail.companyxfs.com. As a pentester, how would you go about identifying the
> actual domain name that is being used internally?

One trick is that you can often gather some info by sending a mail to
the domain using an invalid To: address and scrutinizing the headers
in the bounce that often comes back.  Rinse and repeat for each
possible domain. 

If they have a web site that generates outbound mail in any fashion
(confirmations to a request for contact for example), then
scrutinizing Received headers from that mail can sometimes yield
internal server names.

You can't account for all possible uses of alias FQDNs internally, of
course, but then there's also the question of "what's the use of
divining the one true canonical name, anyway?"  After all, the IP is
really where the rubber meets the road in terms of attempting to
compromise the mail server.

That said, however, the alias domain names are usually useful for
giving hints on which domains may be valid for delivery on that
server.

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
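As an added, defender-side illustration of the header scrutiny described above (example code written for this archive page, not from the thread): a script that takes a bounce as your own mail system would return it to an outsider and reports which internal hostnames and RFC 1918 addresses its Received headers and body give away. The sample NDR and every host in it are constructed, and the list of non-public name suffixes is an assumption.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample non-delivery report in the shape a Postfix-style MTA returns
# for mail to a non-existent user; every host, address and queue id is invented.
SAMPLE_BOUNCE = b"""\
Received: from mail.companyx.com (mail.companyx.com [203.0.113.10])
\tby mx.example.net (Postfix) with ESMTPS id 4F2A1; Fri, 12 Dec 2008 09:00:03 +0000
Received: from EXCH01.corp.companyx.local (exch01.corp.companyx.local [10.1.2.15])
\tby mail.companyx.com (Postfix) with ESMTP id 9C3B7; Fri, 12 Dec 2008 09:00:02 +0000
From: Mail Delivery System <MAILER-DAEMON@companyx.com>

<nosuchuser@companyx-fs.com>: host exch01.corp.companyx.local[10.1.2.15]
said: 550 5.1.1 User unknown (in reply to RCPT TO command)
"""
# "from <helo> (<reverse-dns> [<ip>]) by <server>" as most MTAs write Received.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s(]+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s(;]+)", re.IGNORECASE)
# "host <name>[<ip>] said: ..." is how the NDR body quotes the rejecting server.
BODY_HOST_RE = re.compile(r"host\s+(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal_name(host: str) -> bool:
    # Assumed rule: bare hostnames and these suffixes cannot be public DNS names.
    host = host.lower().rstrip(".")
    return "." not in host or host.endswith((".local", ".lan", ".internal", ".corp"))

def is_rfc1918(ip: str) -> bool:
    # Explicit RFC 1918 test: ip_address(...).is_private also flags doc ranges.
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:  # malformed literal, or an "IPv6:..." prefixed one
        return False

def leaked_internals(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []  # (hostname, ip-or-None) pairs gathered from headers and body
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(re.sub(r"\s+", " ", str(value)))
        if m:
            hits += [(m["helo"], m["ip"]), (m["rdns"], None), (m["by"], None)]
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hits += [(m["host"], m["ip"]) for m in BODY_HOST_RE.finditer(body)]
    names = {h.lower() for h, _ in hits if h and is_internal_name(h)}
    addrs = {ip for _, ip in hits if ip and is_rfc1918(ip)}
    return {"hostnames": sorted(names), "private_ips": sorted(addrs)}
```

Run against a real bounce from your own domain, an empty result means the edge MTA is not advertising the internal relay behind it; anything else is a candidate for header rewriting at the border.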
