Penetration Testing mailing list archives
Re: e-mail address mining tool?
From: James Eaton-Lee <james.mailing () gmail com>
Date: Thu, 10 Nov 2005 11:26:48 +0000
On Wed, 2005-11-09 at 12:30 +0100, Tomasz Nidecki wrote:
The best strategy I guess would be to send mail with empty contents, no headers. This will be treated by most users as "something strange that they've received but they have no idea why and how". However, this is noisy, since if you hit an admin account, the admin will be able to see your IP address and your return address in headers. And, unfortunately, an open proxy will not help much here, since in order for this test to be succesful, you must receive responses, and unless you use an 0wn3d box for that, someone can always easily track you 8].
This may be entering into a grey zone depending upon your remit and sense of personal standards here, but if you're legitimately employed to pentest a company's network, you shouldn't have any problems (legally) actually sending e-mail which looks like spam - people will, as you point out, treat an empty e-mail as 'something strange', but a well-crafted spam e-mail will be given far less thought-space, and probably immediately binned, even by a network administrator or security person. You may run into problems in the event that the company actually has proper spam filtering, but (in my experience), it isn't too hard to get around this.
The worst thing that could happen is that the target domain has a default-account strategy and all your mail will end up on one account, probably an admin or management account.
The 'spam' account enumeration strategy also works quite well simply because in the event that this is setup (or the admin reviews his bounces from time to time), they'll fall under the radar-of-suspicion too. It is also worth considering that companies will not necessarily assign employees e-mail addresses matching their usernames - there is, in fact, quite a strong argument to be made for assigning people usernames exclusively for authentication and making their e-mail address entirely different. A company might, for instance, give Joe Bloggs the username Bloggs01J, and make his e-mail address Joe.Bloggs () example org - and simply don't setup a mailbox or alias for Bloggs01J () example org (or, only accept mail to Bloggs01J internally, and only setup the Joe.Bloggs address for your external mail domain). - James. ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- e-mail address mining tool? Hugo Vinicius Garcia Razera (Nov 05)
- RE: e-mail address mining tool? Eyal Udassin (Nov 06)
- Re: e-mail address mining tool? Tomasz Nidecki (Nov 07)
- Re: e-mail address mining tool? Justin (Nov 08)
- Message not available
- Re: e-mail address mining tool? Tomasz Nidecki (Nov 09)
- Re: e-mail address mining tool? Diarmaid McManus (Nov 10)
- Re: e-mail address mining tool? Tomasz Nidecki (Nov 07)
- RE: e-mail address mining tool? Eyal Udassin (Nov 06)
- Re: e-mail address mining tool? Hugo Vinicius Garcia Razera (Nov 08)
- Re: e-mail address mining tool? Tomasz Nidecki (Nov 09)
- Re: e-mail address mining tool? James Eaton-Lee (Nov 10)
- Re: e-mail address mining tool? Tomasz Nidecki (Nov 10)
- <Possible follow-ups>
- Re: e-mail address mining tool? Marco Ivaldi (Nov 13)