Bugtraq mailing list archives

RE: Remote SMTP authentication audit tool?

From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>
Date: Fri, 4 Jun 2004 12:46:51 +1200

-----Original Message-----
From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com] 
Sent: Friday, 4 June 2004 3:24 a.m.
To: Byron Pezan
Cc: bugtraq () securityfocus com
Subject: RE: Remote SMTP authentication audit tool?

If you want to test your server like a spammer via actual 
SMTP authentication
brute forcing, there are several scripts out there like Brutus.pl:

http://www.0xdeadbeef.info/

(most the spammer scripts have short dictionary lists that 
contain your usual
admin\admin, backup\null, backup\backup, etc.)


That is just remote login brute force, which relies on VRFY, so it won't
work with any "hardened" MTA.
It doesn't brute force SMTP AUTH.

I'm not aware of any application that does SMTP AUTH brute force, I thought
Hydra would do it but nah.
It isn't too difficult to create one though, just check some MTAs code.

Cheers,

Bojan Zdrnja
CISSP

Current thread:

Remote SMTP authentication audit tool? Byron Pezan (Jun 02)
- <Possible follow-ups>
- RE: Remote SMTP authentication audit tool? Evans, Arian (Jun 03)
  - RE: Remote SMTP authentication audit tool? Bojan Zdrnja (Jun 04)