Penetration Testing mailing list archives
Re: Discovering users by RCPT TO
From: Martin Fallon <mar_fallon () yahoo com br>
Date: Thu, 13 Jan 2005 15:26:33 -0300 (ART)
Hello! This is not new. There are many programs that execute smtp command RCPT TO to get valid counts: http://packetstormsecurity.org/UNIX/misc/rcpt-analisys.tgz http://cdm.frontthescene.com.br/ferramentas/torque-v0.3.tar.gz In some servers, you have to edit previous commands "HELO/EHLO/MAIL FROM" to have sucess. Best Regards, Martin Fallon. --- GuidoZ <uberguidoz () gmail com> escreveu:
[snip]Testing for Open Relay, I realized that the serveranswers different toexisting users and non-existing users, when tryingto deliver mails usingRCPT TO:Interesting. It wouldn't be hard to make a Perl script (or other) that logs into the SMTP server, then runs through a list of predefined users to test and see if they have an account. I would call it information disclosure for sure. As for how to fix it, I don't know that you can. It's part of the protocol to answer to RCPT TO. What version of Sendmail? In the more recent versions, you can alter the text that is displayed there... maybe change it all to something like "I'll try that address" for both. -- Peace. ~G On Wed, 12 Jan 2005 20:42:04 +0000, Andres Molinetti <andymolinetti () hotmail com> wrote:I'm currently over a pen-test and I have foundthat their SMTP Server(SendMail) does not have VRFY or EXPN methodsavailable, which was the mostprobably thing to happen taking into account theserver has been throughsome hardening before. Testing for Open Relay, I realized that the serveranswers different toexisting users and non-existing users, when tryingto deliver mails usingRCPT TO: E.g: rcpt to: asdfasdf@domain 550 5.1.1 asdfasdf@domain... User unknown rcpt to: bin@domain 250 2.1.5 bin@domain... Recipient ok rcpt to: nobody@domain 250 2.1.5 nobody@domain... Recipient ok rcpt to: oper@domain 550 5.1.1 oper@domain... User unknown rcpt to: root@domain 250 2.1.5 root@domain... Recipient ok Is this ok or is it information disclousure? Isthere any way to fix it? Itis Sendmail... Thanks in advance, Andres Molinetti CISSP
_________________________________________________________________
Acepta el reto MSN Premium: Protección para tushijos en internet.Descárgalo y pruébalo 2 meses gratis.
http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninfantil
=====
Sem caminhos pra seguir, na incerteza de chegar,
quem decide por partir, soh pensa em procurar,
um futuro com alguem, nao importa o que passou,
jah nem se lembra mais, quer eh recomecar!
(Quimera - Extinta Banda Zero)
__________________________________________________
Converse com seus amigos em tempo real com o Yahoo! Messenger
http://br.download.yahoo.com/messenger/
Current thread:
- Discovering users by RCPT TO Andres Molinetti (Jan 12)
- Re: Discovering users by RCPT TO GuidoZ (Jan 13)
- Re: Discovering users by RCPT TO Martin Fallon (Jan 13)
- Re: Discovering users by RCPT TO Kiril Todorov (Jan 13)
- Re: Discovering users by RCPT TO Chris Buechler (Jan 13)
- Re: Discovering users by RCPT TO Jay D. Dyson (Jan 14)
- Re: Discovering users by RCPT TO Vince Hoang (Jan 14)
- Re: Discovering users by RCPT TO dmz (Jan 14)
- Re: Discovering users by RCPT TO Matan Peled (Jan 15)
- Re: Discovering users by RCPT TO Faisal Khan (Jan 15)
- Re: Discovering users by RCPT TO Chris Buechler (Jan 13)
- Re: Discovering users by RCPT TO GuidoZ (Jan 13)
- <Possible follow-ups>
- RE: Discovering users by RCPT TO Bassett, Mark (Jan 15)
- Re: Discovering users by RCPT TO Baltasar Cevc (Jan 17)
- Re: Discovering users by RCPT TO Tobias Glemser (Jan 20)
- Re: Discovering users by RCPT TO Baltasar Cevc (Jan 17)