RE: Pen-testing/auditing MS Exchange Servers.

One thing to check for is that the proper encryption and authentication
methods are in place.

For example: NTLM hashes are easy to break, and there is a flaw with the
RPC over HTTP proxy feature that makes it so you have to use either
Basic (plain text) or NTLM (not NTLMv2) authentication. If they did not
set up the proxy to use HTTPS you can sniff the hashes and use rainbow
tables to extract a password.

Check to make sure they have the right authentication methods for their
OWA site as well (not plain text, ssl is enabled). One weird thing about
the OWA site is that you can guess passwords forever, without locking
out the associated account. I havent tried to brute force a password via
OWA, but if you can find a way to automate...,  well that would be an
issue with MS and not with your client I guess. :-)

The above wont break a thing, the below might:

Also, try the metasploit framework's exploits for exchange server, this
will verify their patch status at least.


hth

-JP

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------