Penetration Testing mailing list archives
RE: Pentesting Openmail Web login
From: "Clemens, Dan" <Dan.Clemens () healthsouth com>
Date: Thu, 24 May 2007 09:01:05 -0500
What it sounds like you're asking is something that will automatically give you results against this type of target in the form of a tool and/or a basic formula. To answer your first question:

> I am tasked with testing user accounts on our mail system.

The use of SMTP commands may help you - expn or vrfy will help you in enumerating accounts. Looking at Google for email accounts from the domain may help also. Is POP3 or any other type of _mail_ service available from the external world?

> We currently have two systems Exchange,

Since they are running Exchange, what about MS07-026 vulns or older Exchange vulns?

> and OpenMail for Linux which is on the DMZ.

What about getting a copy of OpenMail and looking at how it works? What other services are running?

> We are interested in finding out how easy it might be for someone to
> guess the password of one of our users' accounts.

It would be fairly easy if there isn't a password policy enforced on the system and one user has a simple password. Have you tried mining Google for email addresses and then using vrfy against the mail server, or sending email to the email address to see if it bounces (so you can validate what account you would like to brute force)?

I guess your request really sounds like a request to just get a formula for a blackbox / common pentest type endeavor, to which a response could follow many basic threads of how to start doing some type of recon against the target. What have you tried and what is your attack strategy so far?

I haven't checked what NASL scripts would aid in OpenMail, but I think Nessus would be your basic shotgun approach, but could lead you down the incorrect path. If you have any idea of how OpenMail works you could bruteforce directories or something you know about that may be tied to some type of response that clues you into the fact that an account is available or not available.

If you try to log in to OpenMail, do you get differing responses depending on if a password simply failed for a user, or if the username and password were incorrect? Does anything in the response or webpage (if there is one, I don't even know) give you any clues in seeing if you are attempting to log in as a user that exists versus one that does not exist?

Daniel Clemens
Senior Security Engineer
HEALTHSOUTH Information Security
205.968.6335

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of s-williams () nyc rr com
Sent: Wednesday, May 23, 2007 8:27 PM
To: listbounce () securityfocus com; pen-test () securityfocus com
Subject: Re: Pentesting Openmail Web login

Anyone have a good tool in mind?

------Original Message------
To: listbounce () securityfocus com
To: pen-test () securityfocus com
Sent: May 23, 2007 12:01 PM
Subject: Pentesting Openmail Web login

I am tasked with testing user accounts on our mail system. We currently have two systems Exchange, and OpenMail for Linux which is on the DMZ. We are interested in finding out how easy it might be for someone to guess the password of one of our users' accounts. And if they are successful, what can they do on the Linux box with that username and password. We have a main site with a link to the webmail system from there; if I want to test this, which tool might be the best for doing this since it's a link and not the main page?

Thanks in advance

"A wise man asks questions, a fool is afraid of knowledge"
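
The question in the reply above, whether a failed login answers differently for an existing account than for a nonexistent one, is something the mail system's owner can check and fix on the server side. The following is an added example, not part of the original post and not OpenMail's code: a login handler with distinguishable failures beside one with uniform failures, plus a check that tells them apart. The user store, function names and messages are all constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_store(accounts: dict) -> dict:
    """Build username -> (salt, hash) from plaintext sample accounts."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash(password, salt))
    return store

# Constructed sample account, not taken from the page.
USERS = make_store({"alice": "correct horse battery staple"})

# Dummy credential so an unknown username still costs one hash computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)

def login_leaky(user: str, password: str) -> str:
    """Distinct message per failure: reveals which usernames exist."""
    if user not in USERS:
        return "Unknown user"
    salt, stored = USERS[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Wrong password"
    return "OK"

def login_uniform(user: str, password: str) -> str:
    """Same message and same hashing work for every kind of failure."""
    salt, stored = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and user in USERS:
        return "OK"
    return "Invalid username or password"

def leaks_account_existence(login) -> bool:
    """True if a failed login answers differently for a real vs. unknown user."""
    return login("alice", "bad-guess") != login("no-such-user", "bad-guess")
```

Uniform responses only close the enumeration channel; a password policy and lockout or rate limiting are still needed against guessing itself.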