Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions

[Fred Mobach <fred () MOBACH NL>]

"Loschiavo, Dave" wrote:

> How's this for an attack scenario...
>
> Since the firewall is not blocking any outbound traffic (bad move) I would
> make an effort to acquire the email addresses of internal users. That
> shouldn't be too hard to do if they do business with anyone. Once I had that
> I would send HTML email to those addresses and try to exploit this 'feature'
> of Windows: http://www.oamk.fi/~jukkao/bugtraq/0003/0171.html. I would then
> crack the passwords for the accounts that viewed the email and try to logon
> to listening services using those accounts and passwords.
>
> Assumptions:
> 1. I am able to find a valid email address.
> 2. HTML mail is not cleaned before it reaches the user.
> 3. The email client does HTML mail.
> 4. The email client is residing on a MS OS.
> 5. The users who read the email have authenticated to an NT domain.
> 6. The users who read the email have the ability to log on to the listening
> services I am trying to access via open firewall ports.

Three out of five of my customers are prone to this attack ;-).
One is not prone because he does not use NT, the company is occupied with
health insurance.
Another one is save because his firewalls are configured in a better way, it's
a financial company.
The other were already warned and are not interested in security-related
mailinglists.

Regards,

Fred Mobach