Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: e-mail address mining tool?

from [Tomasz Nidecki] Network Security [Permanent Link]
Subject: Re: e-mail address mining tool?
Date: Wed, 9 Nov 2005 12:30:30 +0100 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Tuesday, November 8, 2005, 6:27:28 PM, Hugo wrote:


I agree whit every thing u said Tomas, but from the point off view
off a penetration testing it would be a very nice way to get what
users are valid on that domain. assuming that the only service
available is external mail for the users, witch is the case I'm
working right know.


Understandable. Well, then I guess your best choice is to make a
dictionary or brute force attack on the mail server, attempting to
send mail to either dictionary-based addresses or all possible
addresses [ouch], giving a specific MAIL FROM, where you'd be
receiving bounces from inexistant accounts, and you can even parse
them automatically with some kind of a script.

The best strategy I guess would be to send mail with empty contents,
no headers. This will be treated by most users as "something strange
that they've received but they have no idea why and how". However,
this is noisy, since if you hit an admin account, the admin will be
able to see your IP address and your return address in headers. And,
unfortunately, an open proxy will not help much here, since in order
for this test to be succesful, you must receive responses, and unless
you use an 0wn3d box for that, someone can always easily track you 8].

The worst thing that could happen is that the target domain has a
default-account strategy and all your mail will end up on one account,
probably an admin or management account. Then it will look like a
mailbomb and if your pentest is to be silent, not noisy, this is not a
good idea at all. The way you can test this is sending an empty mail
to some completely bogus address like: qwertyuiop@domain.com and see
whether it bounces. If it doesn't bounce, you're probably dealing with
a default-account strategy and there is no way you can use SMTP to
check for existing accounts. If it bounces, it's definitely not using
a default-account strategy so you can proceed with your pentest 8]


Now comes the question, if i develop such tool, and the spamers get
the hands on it i will kill my self :), i don't want no more
sper..... pills mails or... well i think u know what i mean.


Hrhr, not to worry. Spammers have used that strategy for a long time.
Haven't you ever received some mail that has no typical headers, no
body, just Received:, Return-Path:, Delivered-To: etc.? Well, I have
and the only reason to explain such mails is that spammers are testing
the validity of the e-mail address. If it bounces, the account is
invalid. If it doesn't, mail will end up somewhere [even with the
default-account strategy], so the spammer is happy. So don't worry,
you won't be reinventing a wheel 8].

The biggest problem with such a tool, I guess, would be parsing of the
return data, since bounces are in as many formats as there are
mailservers out there and you'd need to use regexps for different
types of mailservers in order to automatically parse the bounces.

- --
Tomasz Nidecki, Sekr. Redakcji / Managing Editor
hakin9 magazine            http://www.hakin9.org
mailto:tonid@hakin9.org      jid:tonid@tonid.net

Do you know what "hacker" means?
http://www.catb.org/~esr/faqs/hacker-howto.html

Czy wiesz, co znaczy slowo "haker"?
http://www.jtz.org.pl/Inne/hacker-howto-pl.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUAQ3Hd1kR7PdagQ735AQFihAQAjXEwLLp/ULPl3pSfQxv5CU2+MgmQ/fGa
mR3Rp35/tKn27rI0lyPPOLNsVPiN/vCP0Ujp3Y5/jGYUtzGcCsS51x3ltpeLBj2L
2PZr+v9KqJmEfd4l8HkvDy4bSXIO204qAlZoPhJT9CkKxK/kKWBRO0u7yuI6OmxB
6B0HlUYB5bw=
=jHgI
-----END PGP SIGNATURE-----



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: sugget a small pentest distro, Kurt Seifried
Next by Date:  Question on iisstart.asp, sec nerd
Previous by Thread:  Re: e-mail address mining tool?, Hugo Vinicius Garcia Razera
Next by Thread:  Re: e-mail address mining tool?, James Eaton-Lee
Indexes:  [Date] [Thread] [Top] [All Lists]