On Wed, 2005-11-09 at 12:30 +0100, Tomasz Nidecki wrote:
The best strategy I guess would be to send mail with empty contents,
no headers. This will be treated by most users as "something strange
that they've received but they have no idea why and how". However,
this is noisy, since if you hit an admin account, the admin will be
able to see your IP address and your return address in headers. And,
unfortunately, an open proxy will not help much here, since in order
for this test to be succesful, you must receive responses, and unless
you use an 0wn3d box for that, someone can always easily track you 8].
This may be entering into a grey zone depending upon your remit and
sense of personal standards here, but if you're legitimately employed to
pentest a company's network, you shouldn't have any problems (legally)
actually sending e-mail which looks like spam - people will, as you
point out, treat an empty e-mail as 'something strange', but a
well-crafted spam e-mail will be given far less thought-space, and
probably immediately binned, even by a network administrator or security
person.
You may run into problems in the event that the company actually has
proper spam filtering, but (in my experience), it isn't too hard to get
around this.
The worst thing that could happen is that the target domain has a
default-account strategy and all your mail will end up on one account,
probably an admin or management account.
The 'spam' account enumeration strategy also works quite well simply
because in the event that this is setup (or the admin reviews his
bounces from time to time), they'll fall under the radar-of-suspicion
too.
It is also worth considering that companies will not necessarily assign
employees e-mail addresses matching their usernames - there is, in fact,
quite a strong argument to be made for assigning people usernames
exclusively for authentication and making their e-mail address entirely
different. A company might, for instance, give Joe Bloggs the username
Bloggs01J, and make his e-mail address Joe.Bloggs@example.org - and
simply don't setup a mailbox or alias for Bloggs01J@example.org (or,
only accept mail to Bloggs01J internally, and only setup the Joe.Bloggs
address for your external mail domain).
- James.
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
