Penetration Testing mailing list archives
Re: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz
From: Joseph McCray <joe () learnsecurityonline com>
Date: Mon, 18 Dec 2006 09:57:30 -0500
Thiago, there is a great bit of info in the MX Injection paper has been discussed in other places around the web and even implemented in a few tools, but I don't think Marcelo was trying to say that EVERYTHING in the entire paper was new and discovered by him alone. I used his paper in a class I was teaching last week. I thought it was relevant to showing how penetration testing is moving away from service exploitation to web app, database and client side exploitation and it drives home the point of webmail being a valid means into mail servers you not otherwise have access to. Hint hint Marcelo - add some Outlook Web Access content into this paper and it would be awesome! :) Also, SMTP injection was only part of what was discussed in his paper (requiring a valid account if I recall). I really liked the paper because it covered IMAP injection, and some nice little IMAP enumeration commands. Gave me some ideas for things I'd like to try in my next audit. All in all I thought it was pretty good. -- Joe McCray Toll Free: 1-866-892-2132 Email: joe () learnsecurityonline com Web: https://www.learnsecurityonline.com Learn Security Online, Inc. * Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access On Sun, 2006-12-17 at 00:25 -0200, Thiago Zaninotti wrote:
Hi Marcelo, Part of this technique is not new and has been part of N-Stalker Web Application Security Scanner for a long time (SMTP Injection). There are also papers that would go further on exploiting specific frameworks such as CDONTS. For more information, see N-Stalker Free Edition tool at www.nstalker.com/free-edition Best regards,
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz robert (Dec 11)
- RES: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz Marcelo Leão Caffaro (Dec 16)
- Re: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz Thiago Zaninotti (Dec 16)
- Re: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz Joseph McCray (Dec 19)
- Re: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz Thiago Zaninotti (Dec 16)
- RE: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz Eyal Udassin (Dec 16)
- RES: WASC-Announcement: MX Injection - Capturing and Exploiting Hidden Mail Servers By Vicente Aguilera Diaz Marcelo Leão Caffaro (Dec 16)