CODENAME: Samurai Skills Course
Module 2: Real World Information Intelligence Techniques
Ninja-Sec.com

Conducting Open Source Intelligence Gathering

Goal: Become familiar with your customer through their online presence to aid in later phases of the penetration test.
  Target discovery
  Possible additional attack vectors
  System enumeration and vulnerability discovery (without ever having to touch the customer network)
Small snippets of data throughout the internet can be combined to reveal useful information that is leveraged in the later stages of an engagement.

Conducting Open Source Intelligence Gathering

For Red Team assessments, this process could last weeks or months.
When conducting assessments in a limited timeframe, you don't have that luxury. You need to focus on:
  A limited set of tools that can provide digestible information quickly.
  A limited set of analysis techniques that have the potential to provide high quality information.
Note: In many cases these activities won't even be conducted because the scope of the assessment doesn't warrant it (assessments against single systems, major applications, etc.).

Conducting Intelligence Gathering

Sources for analysis can include:
  Search Engines
  Company Websites
  Archive.org
  Public Corporate Information (if applicable)
  Newsgroups/Listservs
  Job Listings
  Technical Support Forums
  Financial and Business Articles
  Blogs
  Social Media

Conducting Intelligence Gathering

The objectives of the assessment should drive the scope of these activities.
What you are looking for:
  Subordinate, senior and lateral organizations
  The extent of the public online presence
  Physical locations of customer facilities
  Corporate gatherings
  Significant company dates
  Organizational information
    Org charts
    Positional hierarchy and descriptions

Company Websites

Company websites will usually reveal the mission, current news, and points of contact surrounding the company.
Make sure to look at sites other than the main site.
  Just looking at company websites can often tell you a lot about backend infrastructures, etc.
  Secondary and partner sites may be less secure (the Epsilon breach is one illustration).
  Useful for determining partners or potential trust relationships.

Company Websites

Useful for generating a dictionary-based password wordlist for your favorite password cracker.
May be crucial to determine engagement activities:
  Social engineering
  Web assessment
Locally mirroring the customer website can make analysis faster and easier.
  Added benefit of interacting with the customer network less frequently.

Locally Copying Company Websites

Locally copying company websites can be easily accomplished with several tools, including wget and HTTrack.
HTTrack is a super simple tool that is probably the most comprehensive.

Newsgroups and Listservs

Newsgroups and listservs are usually communities that gather online for a specific purpose.
Composed of people from all walks of life, including many organizations.
A quick search does not take very long and can provide a goldmine of information, such as:
  Questions about IT environments
  Security issues and concerns
  Inside points of contact
  Employee morale
  Previous employment/experience

Email Listservs

A collection of members that contribute to discussion on security topics via email threads.
Usually revolves around security research or issues that may not be well documented online.
Example listservs are:
  Pauldotcom Mailing List
  Bugtraq
  NoVAHackers
  SANS Advisory Board
  Infragard
  Seclists has many more

Online Job Listings

Job Description: Many organizations will put vendor names and technologies in job descriptions.
  This information will augment the discovery phase of the engagement.
Frequency: The turnover of employees will usually be an indication of the management style, working conditions, security funding, or political environment.
  Frequency is not a conclusive finding for any of the above; however, it may be worth exploring in a scoping call.
Salary Range/Position Titles/Points of Contact: Can assist with mapping the organizational structure of the customer.

Resumes

Can be a gold mine of information about the target as well as the environment:
  Address: Geo-locating purposes
  Contact Information: Data can be leveraged to find more sensitive information
  Certifications: Potential connections to professional organizations
  Affiliations: Connects the target to organizations, both past and present
  Technologies per Environment: Determine what security technologies are in place
  Organizational Initiatives: What technologies may only be half implemented

Technical Support Forums

IT personnel may post information online in an attempt to solve a problem.
The information posted may be generic at first, but people tend to post more information if they do not get an answer that solves their issue.
Information found on technical support forums can include:
  Code snippets
  Technologies
  Device configurations
  Company data
  Password protected documents

Financial and Business Articles

Financial strength and company mission can be an indication of IT spending priority.
Acquisitions usually indicate that different IT environments may have been merged.
  Often not perfectly implemented
  Rule exceptions added
Regulatory compliance will require specific device and architecture configurations.
  Audit findings and grades will give an insight as to how well regulations are followed.

Blogs

Blogs usually contain ideas and stories specifically written about a current thought, event, or research being conducted.
Employee blogs may contain information about current projects within the target company.
Disgruntled employees will often post more information or look for new jobs, divulging their experiences within previous roles.
Company-sponsored blogs usually specialize in the company mission and are authored by senior people within the organization.

Social Media

Social media can be used to identify individuals associated with the customer and their interests.
Can be used to target individuals for social engineering and spear phishing campaigns.
Social media sites all serve different purposes and have different interactions. Three popular sites can be used to gather various types of information:
  Facebook: Posts tend to be current events or situations. May include location data (Facebook Places).
  Twitter: More of a stream of consciousness application; the pulse of an employee. May include location data (Foursquare or similar).
  LinkedIn: Job related information which may contain technical experience and work on various projects.

Online Email Access and Email Spools

Email spools can often lead to a wealth of information. Email information could include:
  Competitive intelligence
  Company financials
  Potential attack vectors
With the proliferation of online email, there is the potential to gain access to an employee's email.
Beyond information gathering, a penetration tester can use access to employee email spools to show the impact of a penetration.
HBGary, Infragard and Sony are illustrations of how dangerous an email compromise can be.
The tedious work of email analysis is more of a Red Teaming function.

Tools That Aid and Automate Online Discovery & Analysis

theHarvester: Script designed for gathering e-mail accounts, user names and hostnames/subdomains from different public sources.
  theharvester.py -d microsoft.com -l 500 -b google
  Searches up to 500 Google results for microsoft.com email addresses (-l limits the number of search results examined, not the number of addresses returned).
Cewl (Custom Word List Generator): Creates a wordlist by spidering a customer's website.
  Can be used to aid in password cracking.
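What theHarvester and Cewl do to a mirrored page, reduced to its essentials, as an added example (not course material or code from either tool): visible text, HTML comments and mailto: links are scanned for addresses, and a frequency-ranked wordlist is built from words of a minimum length so that site-specific terms (product names, place names) rise to the top. The page content, names and the acme-widgets.example domain are constructed for the demonstration.

```python
"""Cewl/theHarvester-style harvesting of a mirrored page: candidate password
words and e-mail addresses from HTML.  Added example, not course material;
the HTML below is constructed."""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page standing in for a mirrored customer site.
SAMPLE_HTML = """<html><head><title>Acme Widgets - About Us</title></head>
<body><!-- TODO: ask jsmith@acme-widgets.example about the old intranet link -->
<h1>Acme Widgets</h1>
<p>Acme Widgets builds industrial widgets in Springfield. Our Springfield plant
opened in 1998 and our Widgetron product line ships worldwide.</p>
<p>Press: press@acme-widgets.example. Careers: careers@acme-widgets.example.</p>
<script>var x = "ignoreme";</script>
<a href="mailto:jane.doe@acme-widgets.example">Jane Doe</a>
</body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")

class _TextExtractor(HTMLParser):
    """Collect visible text, comments and mailto: targets; skip script/style bodies."""
    def __init__(self):
        super().__init__()
        self.text, self.comments, self.mailtos = [], [], []
        self._skip = 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                self.mailtos.append(value[7:].split("?")[0])
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)
    def handle_comment(self, data):
        self.comments.append(data)

def extract(html):
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return " ".join(p.text), " ".join(p.comments), p.mailtos

def harvest_emails(html):
    """theHarvester-style: every address in text, comments and mailto: links, deduplicated."""
    text, comments, mailtos = extract(html)
    found = EMAIL_RE.findall(text) + EMAIL_RE.findall(comments) + mailtos
    return sorted(set(a.lower() for a in found))

def wordlist(html, min_len=5, include_comments=True):
    """Cewl-style: words of at least min_len characters, most frequent first.
    Frequency is what makes this worth more than a dictionary: site-specific
    words such as product and place names rise to the top."""
    text, comments, _ = extract(html)
    corpus = text + (" " + comments if include_comments else "")
    corpus = EMAIL_RE.sub(" ", corpus)  # keep addresses out of the password list
    counts = Counter(w for w in WORD_RE.findall(corpus) if len(w) >= min_len)
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0].lower()))]

def mangle(words, years=("1998",)):
    """Cheap case/year mangling, the kind of rule a cracker applies to the top words."""
    out = []
    for w in words:
        out += [w, w.lower(), w.capitalize()] + [w.capitalize() + y for y in years]
    return list(dict.fromkeys(out))  # preserve order, drop duplicates

if __name__ == "__main__":
    print(harvest_emails(SAMPLE_HTML))
    print(wordlist(SAMPLE_HTML)[:10])
    print(mangle(wordlist(SAMPLE_HTML)[:3]))
```

Comments are included in the wordlist by default because developers leave internal hostnames and project names there; pass include_comments=False to restrict the list to what a visitor sees.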

Tools That Aid and Automate Online Discovery & Analysis

Cree.py: Downloads all pictures on a Flickr or Twitter account, parses the EXIF data and maps it onto a Google Maps application. Useful for tracking users.
  Note: Facebook strips EXIF data from pictures that are posted.
Maltego: Designed to automate many information gathering tasks and transform one type of information into another.
  For instance, find phone numbers associated with an address.
  There is a free version, but it is basically unusable for any real assessment.

Google Search Strategies

Google search strategies have become somewhat of an art form and can be very powerful in extracting information on customers.
It can also be fantastically easy and quick to use.
Targeted information can be derived by adding definition and operators to the search bar.
Some operators that play a major role in providing definition to your search:
  site:www.example.com - Constrains a search specifically to the site listed.
  link:www.example.com - Searches for sites linking to the site listed.
    Useful for identifying possible trust relationships. (Google has since retired the link: operator; backlink data now has to come from third-party indexes.)
  intitle:car - Searches for the specified parameters in the title of the results.
    Useful for identifying vulnerable servers, files with sensitive information, or login pages.
  inurl:install.php - Searches for the specified parameters in the URL of the results.
    Useful for finding scripts or certain types of pages.

Google Search Strategies

Google operators (cont.):
  filetype:xls - Searches for specific file types, often used in conjunction with site:
    Allows data mining of your target.
    Some example file types supported: pdf, ps, dwf, kml, kmz, xls, ppt, doc, rtf, swf
  + and - - Either specifically include normal stop words, or specifically exclude a word in searches.
  "<phrase>" - When searching, only show results containing the specific phrase.
  Many more - Refer to the references for extensive guides.
Organizations may have a custom Google Search Appliance on their network.
  A Google Search Appliance is a custom server placed within an organization that will index and crawl all available data points within an internal network.
  Web server analysis helps to identify if the appliance is present.
  Usually a treasure trove of information.

(Screenshots: Google Advanced Search; Google Site Operator; Google Link Operator)

Google Search Assistance Tools

The Google Hacking Database (GHDB) is useful for coming up with search parameters associated with sensitive information or vulnerabilities.
For a while the GHDB was discontinued; however, it is now being maintained by the folks who run exploit-db.com: http://www.exploit-db.com/google-dorks/
Provides examples of search terms that can be modified specific to your client.
Sorted by categories including: Vulnerable Sites, Online Devices, Log Detection, Directories, Username Files, Files with Sensitive Information, and others.

Google Search Assistance Tools

Searching through all of the GHDB can be tedious.
Wikto can help automate Google searches.
  Wikto includes much more functionality than just search assistance, including mirroring, fingerprinting, vulnerability identification and more.
SiteDigger is another tool strictly focused on Google scanning.
Goolag was another tool to automate GHDB searches, but appears offline now.
SearchDiggity is another tool to automate GHDB and BHDB (Bing Hacking Database) searches.

(Screenshots: GHDB Search Example; SearchDiggity)

Some Other Search Engines

General Purpose: Bing, Yahoo, Ask
Jobs: Careerbuilder, Monster, Indeed, LinkedIn
Foreign Search Engines: Baidu (China), Yandex (Russia), Guruji (India)
People Searches: Pipl, 123People, Whitepages, Spokeo, Zoominfo
Real Estate: Zillow, Trulia, Hotpads, Fixber

Information to Target

Data collection is key to this phase. Remember, the attacker will leverage all information that can be found to penetrate a network environment.
Data points to look for:
  Credentials: Usernames or passwords may be stored in an accessible fashion.
  Email Addresses: Will determine the email address structure. Useful to enumerate users as well as to pull off a more successful social engineering attempt.
  Files: May contain sensitive data or metadata.
  Geographic Information: May help determine weak points in security posture.
  Financials: Helps to determine spending ability; may yield insight into IT spending.
  Users: Social networking sites will often let an attacker enumerate a user base without even being in the network.
  Technologies: Resumes will often bleed information about the IT technologies of an organization.
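Determining the email address structure from a handful of harvested addresses is a small algorithm worth writing down. The following is an added example (not course material): each known (address, first name, last name) triple votes for every naming convention that explains it, the convention with the most votes wins, and the winner is then used to generate candidates for names found on LinkedIn or in press releases. The sample addresses, names and the acme-widgets.example domain are constructed; a role mailbox is included to show why a single sample is not enough.

```python
"""Infer an organization's e-mail naming convention from harvested addresses
and generate candidate addresses for known employees.  Added example, not
course material; all names and addresses are constructed."""
import re
from collections import Counter

# Candidate conventions, each a function of (first, last) -> local part.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
    "last.first": lambda f, l: f"{l}.{f}",
}

def _norm(s):
    """Lowercase and strip everything but letters (O'Brien -> obrien, de la Cruz -> delacruz)."""
    return re.sub(r"[^a-z]", "", s.lower())

def classify(address, first, last):
    """Return the names of every pattern that explains this (address, person) pair."""
    local = address.split("@", 1)[0].lower()
    f, l = _norm(first), _norm(last)
    return [name for name, fn in PATTERNS.items() if fn(f, l) == local]

def infer_pattern(known):
    """known: list of (address, first, last) recovered from OSINT where the owner's
    name is visible (signature, LinkedIn, press release).  Returns
    (best_pattern, confidence, votes); confidence is the share of samples the
    winner explains, so a decoy such as a role mailbox lowers it visibly."""
    votes = Counter()
    for address, first, last in known:
        for name in classify(address, first, last):
            votes[name] += 1
    if not votes:
        return None, 0.0, votes
    best, n = votes.most_common(1)[0]
    return best, n / len(known), votes

def generate(names, domain, pattern):
    """Build candidate addresses for (first, last) pairs under one pattern."""
    fn = PATTERNS[pattern]
    return [f"{fn(_norm(f), _norm(l))}@{domain}" for f, l in names]

# Constructed sample: four addresses whose owners were identified during OSINT.
KNOWN = [
    ("jsmith@acme-widgets.example", "John", "Smith"),
    ("jdoe@acme-widgets.example", "Jane", "Doe"),
    ("press@acme-widgets.example", "Press", "Office"),  # role mailbox: matches "first" only, a decoy
    ("mobrien@acme-widgets.example", "Mary", "O'Brien"),
]

if __name__ == "__main__":
    best, conf, votes = infer_pattern(KNOWN)
    print(best, round(conf, 2), dict(votes))
    print(generate([("Alice", "Walker"), ("Bob", "de la Cruz")], "acme-widgets.example", best))
```

The generated list is only a hypothesis; the mail server enumeration techniques later in this module are what confirm which candidates exist.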

File Analysis

Files on customer websites sometimes have information that can be used in further phases of the assessment:
  Instructions for accessing systems
  Procedures, training, human resources information
File metadata can often have interesting information, such as:
  Author and modifier usernames
  File paths
  Software versions
  Printer details
  Email addresses
  Comments

File Analysis

Any downloaded files should be analyzed for metadata leakage.
Two tools can make this process easy:
  FOCA - Reads file metadata for a wide range of formats.
    The tool has much more functionality, including conducting custom searches, fingerprinting servers and more.
    Can locate and analyze files without needing to download them by hand.
  Metagoofil - Another tool that extracts metadata from files on a customer website.
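The metadata FOCA and Metagoofil pull out of Office and PDF files is easy to read without either tool. The following is an added example (not course material or code from either project) that opens an OOXML package (docx/xlsx/pptx are zip files with docProps/core.xml and docProps/app.xml inside), scrapes the classic Info dictionary of a PDF, and sorts what it finds into the usernames, software versions, paths and addresses a tester carries into later phases. Both sample documents are built in memory, and the usernames, paths and domain in them are constructed.

```python
"""Metagoofil/FOCA-style metadata extraction for OOXML (docx/xlsx/pptx) and
PDF files, without third-party libraries.  Added example, not course
material; the sample documents are built in memory rather than fetched."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

def ooxml_metadata(data):
    """Return creator, lastModifiedBy, description, Application, AppVersion and Company."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy", "dc:description"):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    out[tag.split(":")[1]] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag in ("Application", "AppVersion", "Company"):
                el = root.find(f"ep:{tag}", NS)
                if el is not None and el.text:
                    out[tag] = el.text
    return out

PDF_INFO_RE = re.compile(rb"/(Author|Creator|Producer|Title)\s*\(((?:\\.|[^\\)])*)\)")

def pdf_metadata(data):
    """Scrape the Info dictionary keys out of a PDF.  Literal strings only: hex
    strings, encrypted Info dictionaries and XMP packets are not handled here."""
    out = {}
    for key, value in PDF_INFO_RE.findall(data):
        text = value.decode("latin-1")
        out[key.decode()] = re.sub(r"\\(.)", r"\1", text)  # undo \( \) \\ escapes
    return out

def leaks(meta):
    """Pick out the fields a tester feeds into later phases."""
    found = {}
    for k, v in meta.items():
        if k in ("creator", "lastModifiedBy", "Author"):
            found.setdefault("usernames", set()).add(v)
        if k in ("Application", "AppVersion", "Creator", "Producer"):
            found.setdefault("software", set()).add(v)
        if re.search(r"[A-Za-z]:\\|/home/|/Users/", v):
            found.setdefault("paths", set()).add(v)
        if re.search(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", v):
            found.setdefault("emails", set()).add(v)
    return found

def build_sample_docx():
    """Constructed docx: only the two property parts matter for metadata."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>ACME\\jsmith</dc:creator>'
            '<cp:lastModifiedBy>jane.doe@acme-widgets.example</cp:lastModifiedBy>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"])
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           '<AppVersion>14.0000</AppVersion><Company>Acme Widgets</Company></Properties>') % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

# Constructed PDF fragment: an Info dictionary with an escaped title and a Windows path.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Title (Q3 plan \\(draft\\)) /Author (bwilson)"
              b" /Creator (C:\\\\Users\\\\bwilson\\\\Documents\\\\plan.docx)"
              b" /Producer (Microsoft Word 2010) >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    docx, pdf = ooxml_metadata(build_sample_docx()), pdf_metadata(SAMPLE_PDF)
    print(docx)
    print(pdf)
    print(leaks({**docx, **pdf}))
```

The domain-qualified creator (ACME\jsmith) gives both a NetBIOS domain name and the username format, and the PDF Creator path gives a local username plus the Office version that produced the file; those are exactly the fields to cross-check against the email address structure found earlier.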

(Screenshots: Analyzing File Metadata with FOCA. Right-click in the box to add a local file, then right-click in the box again to extract metadata.)

Example Intel Gathering Methodology

Search Engine Discovery
  Attempt to find all customer websites
  Attempt to find affiliated sites
  Use GHDB searches to attempt to find sensitive information and potential vulnerabilities
Company Websites
  Conduct a cursory review of all discovered websites for information that can be used in later stages of the assessment
  Mirror discovered (and interesting) customer websites
    Provides for offline analysis and less interaction with the customer network
  Review HTML source code for comments

Example Intel Gathering Methodology

3rd Party Websites
  Search social media for information and usernames/email addresses that could aid in a spear phishing campaign
  Search newsgroups, forums and email lists for information leakage and information that can be used in later stages of the assessment
Files and File Metadata
  Search files on customer websites for sensitive information
  Analyze the metadata on all files identified for usernames, email addresses, file paths, etc.

External Network Footprinting

Used to determine the extent of the customer's Internet-reachable network presence through the use of online and offline tools.
Often also called Network Discovery.
There are several methods to use to fully discover a customer's network presence.

Footprinting Methodology

Gather IP addresses of all publicly identifiable client hosts.
  Using open source research.
Tracerouting
  Used to gather information on networks and network paths associated with customer hosts (ISPs, hosting providers, etc.).
Conduct lookups for registration (whois) records.
  Additional information can be located in registration records that should be fed into further open source research.

Footprinting Methodology

Conduct Border Gateway Protocol Autonomous System Number (BGP ASN) record lookups.
Forward and reverse DNS lookups on all discovered domains and network ranges.
Repeat steps until all associated hosts and network ranges have been identified.
Compile a list of all domain names, network ranges and ASNs associated with the customer.
If attempting to be stealthy, conduct all the above activities using online tools only.

Gathering IP Addresses

(Screenshot: one example using Centralops.net)

Tracerouting

(Screenshot: traceroute output. Callouts: firewalled network; ISP?)

Registration Records

(Screenshot: whois output. Callouts: associated network range; organization name and address.)
(Screenshot: whois output. Information that can be further used for information gathering: name, email address and phone number.)

Next Steps

Conduct reverse DNS lookups against all discovered network ranges to identify additional hosts and domains associated with the customer.
Conduct open source research against newly identified information.
Make sure to document all findings for later use.

DNS Enumeration

Domain Name Service (DNS)

Association of human readable network names to IP addresses, or the reverse.
Hierarchical system of servers used to retrieve the IP address of any (correctly formatted) host name on the Internet.
A number of security issues have been identified with its implementation.
Uses UDP port 53.
  TCP port 53 is used for zone transfers and for responses too large for a UDP datagram: classically anything over 512 bytes, where the server sets the truncated (TC) flag and the client retries over TCP (EDNS0 allows larger UDP responses).
A fairly complex topic that can be somewhat difficult to understand.
This topic will focus on the areas that are important for penetration testers.

Important DNS Terms for Pen Testers

Name Server / Domain Host - Servers that run the DNS services for an organization.
  Provides answers to queries for hosts within the domain or zone.
  Conducts queries on external name servers on behalf of hosts in the domain.
DNS Resolver - A client that initiates a lookup request to a DNS server (i.e. your host).
Authoritative Name Server - A DNS server that provides answers to name queries for hosts within its zone.
Recursive Name Server - A DNS server that performs all queries necessary on behalf of a DNS resolver.
Caching Name Server - A resolving DNS server that caches all responses it has received to speed up subsequent lookups. Many security problems (cache poisoning among them) have resulted.
Zone Transfer - Used to replicate records between DNS servers within a zone. Can sometimes be abused by outside attackers to acquire all the records for a zone.

(Diagram: DNS hierarchy)

DNS Transaction

1. Source host requests the IP address of the destination hostname from the local DNS server. (www.example.com)
2. Local DNS server locates the authoritative DNS server for the destination domain, walking down from the root and TLD servers. (example.com)
3. Local DNS server requests the IP address of the destination host from the authoritative DNS server. (X.X.X.X)
4. Local DNS server returns the IP address of the destination host to the source host.
5. Source host connects to the destination host.

Important DNS Record TYPES for Pen Testers

DNS records match a host name to an IP address and also often identify the function of the device. There are quite a few record types, but a few should be readily identifiable by pen testers.
A record - Also known as a host record. Links a host name to an IPv4 address.
AAAA record - Returns an IPv6 address.
NS record - Authoritative name server for the zone.
CNAME record - Alias to another name. The DNS lookup will try the new name.
MX record - Mail server for the zone. Often multiple MX records exist for a zone, with a preference value to identify primary and secondary servers. Lower number = higher priority.

Important DNS Record TYPES for Pen Testers

HINFO record - Optional information about the host (CPU and operating system).
SOA record - Provides information about the zone, such as the primary name server, administrator email, serial number, etc.
PTR record - Links an IP address to a host name. Used in reverse DNS lookups.
TXT record - Used to provide optional information about the zone. Commonly carries the SPF policy used to limit email spoofing and spam (the dedicated SPF record type was deprecated in favor of TXT, so look for "v=spf1" in TXT records).
SRV record - Generalized record for services provided in the zone. A host queries the zone for a specific service and is given a server name and port to connect to. Used by Active Directory, for example.

DNS Lookup Example

(Screenshot: lookup output. Callouts: spam protection (SPF in TXT); other netblocks.)
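To make the port and record-type points above concrete, here is an added example (not course material) that builds the same wire-format queries dig, host and nslookup send, frames them for UDP 53 or for TCP 53 with the 16-bit length prefix that zone transfers require, and decodes A, AAAA, NS, CNAME, PTR, MX and TXT answers, including the label-compression pointers real servers use. The response it parses is constructed in the block with its own small encoder rather than captured from a server; example.com and the addresses in it are placeholders.

```python
"""Minimal DNS wire-format encoder/decoder (RFC 1035): the queries dig/host send
over UDP 53, the 2-byte length prefix used on TCP 53 for AXFR, and decoding of
the record types a pen tester meets most.  Added example, not course material;
the response bytes parsed here are constructed, not captured."""
import random
import struct

TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "HINFO": 13,
         "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33, "AXFR": 252, "ANY": 255}
TYPE_NAMES = {v: k for k, v in TYPES.items()}

def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (no compression)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_query(name, qtype, txid=None, tcp=False):
    """Standard recursive query.  Over TCP (zone transfers, or a retry after a
    truncated UDP reply) the message is prefixed with its 16-bit length."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    msg = header + encode_name(name) + struct.pack("!HH", TYPES[qtype], 1)
    return struct.pack("!H", len(msg)) + msg if tcp else msg

def decode_name(msg, off):
    """Read a name at off, following 0xC0xx compression pointers; return (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), (end if jumped else off)

def decode_rdata(msg, rtype, off, ln):
    rd = msg[off:off + ln]
    if rtype == 1:
        return ".".join(str(b) for b in rd)
    if rtype == 28:
        return ":".join(f"{rd[i]:02x}{rd[i + 1]:02x}" for i in range(0, 16, 2))
    if rtype in (2, 5, 12):                      # NS, CNAME, PTR: a (possibly compressed) name
        return decode_name(msg, off)[0]
    if rtype == 15:                              # MX: preference + name
        return f"{struct.unpack('!H', rd[:2])[0]} {decode_name(msg, off + 2)[0]}"
    if rtype == 16:                              # TXT: length-prefixed strings
        txt, i = [], 0
        while i < ln:
            txt.append(rd[i + 1:i + 1 + rd[i]].decode())
            i += 1 + rd[i]
        return " ".join(txt)
    return rd.hex()

def parse_response(msg):
    """Return (header_dict, [(name, type, ttl, rdata), ...]) for all resource records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    hdr = {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200), "aa": bool(flags & 0x0400)}
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, ttl, ln = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, decode_rdata(msg, rtype, off, ln)))
        off += ln
    return hdr, records

def encode_rr(name, rtype, ttl, rdata):
    """Encoder used only to build the constructed sample response below."""
    return encode_name(name) + struct.pack("!HHIH", TYPES[rtype], 1, ttl, len(rdata)) + rdata

# Constructed reply to "example.com ANY".  The 0xC00C pointers refer back to the
# question name at offset 12, exactly as real servers compress names.
SPF = b"v=spf1 include:_spf.example -all"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 4, 0, 0)       # QR=1 AA=1 RD=1 RA=1, 4 answers
    + encode_name("example.com") + struct.pack("!HH", 255, 1)
    + encode_rr("example.com", "A", 300, bytes([93, 184, 216, 34]))
    + encode_rr("example.com", "MX", 300, struct.pack("!H", 10) + b"\x04mail" + b"\xC0\x0C")
    + encode_rr("example.com", "TXT", 300, bytes([len(SPF)]) + SPF)
    + encode_rr("example.com", "NS", 300, b"\x03ns1" + b"\xC0\x0C")
)

if __name__ == "__main__":
    print(build_query("example.com", "AXFR", txid=1, tcp=True).hex())  # first 2 bytes: TCP length
    print(parse_response(SAMPLE_RESPONSE))
```

Sending build_query(...) to a resolver with a UDP socket and feeding the reply to parse_response reproduces what dig shows; if the reply comes back with tc set, resend with tcp=True over a TCP connection, which is also the only way an AXFR is ever answered.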

DNS Zone Transfers (AXFR)

Usually used for replicating records from one server in the zone to another.
Can be abused by an outsider to gather network information.
Zone transfers use TCP port 53.
Often primary DNS servers will not allow zone transfers.
  Backup (secondary) DNS servers are often prone to misconfiguration.
  Make sure you check every DNS server for the zone.
You should always remember to redirect the output of zone transfers to a file.
  The output of a zone transfer can get very large.

DNS Tools (Queries, Zone Transfers, etc.)

Compile a list of all reachable DNS servers for the network / zone.
  All servers listed in NS records.
  Port scan all network ranges for UDP and TCP port 53.
*nix host command.
  With the -l option it can be used to quickly check servers listed in NS records for zone transfers.
  Ex: host -l <DNS zone> <nameserver>

DNS Tools (Queries, Zone Transfers, etc.)

*nix dig command
  Allows for a bit more granularity when querying DNS records than the host command.
  any - returns administrative information about the domain / zone (many servers now answer ANY with a minimal response per RFC 8482, so query the specific types as well)
  mx - returns mail servers for the domain / zone
  axfr - attempts a zone transfer for the zone specified
  etc.
Example dig command:
  dig @67.192.47.244 <DNS zone> <type>
  @<nameserver> specifies the name server to use.
  <DNS zone> specifies the zone to query against (i.e. google.com)
  <type> specifies the type of record to query for

(Screenshot: Zone Transfer With Dig)

DNS Tools (Queries, Zone Transfers, etc.)

nslookup command (Windows and *nix)
  Command for conducting DNS queries and zone transfers on Windows (can be used on *nix, but there are better commands available).
  Can either be used all on the command line, or in interactive mode.
  Interactive mode will return more details (a zone transfer is requested in interactive mode with "ls -d <DNS zone>" after selecting the server).
Example nslookup command:
  nslookup -type=any <DNS zone> <server>

Forward and Reverse DNS Grinding

Forward DNS Grinding: Attempting to discover additional hostnames within a domain / zone through the use of custom wordlists to do lookups.
Reverse DNS Grinding: Attempting to discover hostnames from a given set of IP network ranges through reverse DNS lookups against every IP.
Several tools exist to conduct DNS enumeration and forward and reverse grinding, although probably the best known is Fierce.
For a number of other tools, look in the BackTrack tool suite under DNS Analysis.

Forward and Reverse DNS Grinding

Fierce Domain Scan
  Provides a large number of customization and performance options.
  To conduct forward DNS grinding using a wordlist:
    fierce.pl -dns <domain> -wordlist <wordlist file> -file <output file>
    <domain> - the domain / zone you want to scan
    <wordlist file> - the file to use for forward DNS grinding
    <output file> - where to write the results
  To conduct reverse DNS grinding:
    fierce.pl -range <network range> -dnsserver <server>
    <network range> - the IP range to scan, in the form 172.16.0-255.0-255
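The two grinding modes above are short to implement, and doing so shows the one check fierce-style tools must make that the slides do not mention: a zone with a wildcard record answers every name, so forward grinding against it "finds" the entire wordlist unless the wildcard answer is detected and discarded. The following is an added example (not course material or fierce's code) that parses fierce's 172.16.0-255.0-255 range notation, runs the lookups through a thread pool, and takes the resolver as a parameter so the logic can be exercised with the constructed fake data at the bottom; with the defaults it uses the system resolver. The example.test names and addresses are constructed.

```python
"""Forward and reverse DNS grinding in the style of fierce.pl, with the
resolver injected so the logic can be exercised offline.  Added example, not
course material; the fake resolver data below is constructed."""
import itertools
import socket
import uuid
from concurrent.futures import ThreadPoolExecutor

def expand_range(spec):
    """fierce-style '172.16.0-255.0-255' -> every dotted quad in the range.
    Each octet is a number or 'lo-hi'; ranged octets expand as a cartesian product."""
    octets = []
    for part in spec.split("."):
        lo, hi = (int(x) for x in part.split("-", 1)) if "-" in part else (int(part), int(part))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part}")
        octets.append(range(lo, hi + 1))
    if len(octets) != 4:
        raise ValueError("need four octets")
    return [".".join(map(str, q)) for q in itertools.product(*octets)]

def _default_forward(host):
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def _default_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def detect_wildcard(domain, forward=_default_forward):
    """Resolve a name that cannot exist; whatever comes back is the wildcard answer."""
    return set(forward(f"{uuid.uuid4().hex[:12]}.{domain}"))

def forward_grind(domain, wordlist, forward=_default_forward, workers=16):
    """Look up every <word>.<domain>; drop hits that only match the wildcard answer."""
    wildcard = detect_wildcard(domain, forward)
    names = [f"{w.strip()}.{domain}" for w in wordlist if w.strip()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda n: (n, forward(n)), names))
    return {n: ips for n, ips in results if ips and set(ips) - wildcard}

def reverse_grind(range_spec, reverse=_default_reverse, workers=16):
    """PTR lookup for every address in a fierce-style range; keep the ones that answer."""
    ips = expand_range(range_spec)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda ip: (ip, reverse(ip)), ips))
    return {ip: host for ip, host in results if host}

# Constructed fake DNS data so the functions can be run without network access.
FAKE_FORWARD = {
    "www.example.test": ["198.51.100.10"],
    "mail.example.test": ["198.51.100.25"],
    "vpn.example.test": ["198.51.100.40"],
}
FAKE_REVERSE = {
    "198.51.100.10": "www.example.test",
    "198.51.100.25": "mail.example.test",
    "198.51.100.41": "firewall-ext.example.test",   # no forward record: only reverse grinding finds it
}
fake_forward = lambda host: FAKE_FORWARD.get(host, [])
fake_reverse = lambda ip: FAKE_REVERSE.get(ip)

if __name__ == "__main__":
    print(forward_grind("example.test", ["www", "mail", "vpn", "dev", "admin"], forward=fake_forward))
    print(reverse_grind("198.51.100.0-255", reverse=fake_reverse))
```

Reverse grinding a /24 is 256 PTR queries; against a customer's full ranges the worker count and a delay are what keep the traffic from looking like a scan to whoever runs the reverse zone, which is often the ISP rather than the customer.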

DNS Man in the Middle Attacks

DNS MITM (Spoofing) Attack: Listening for DNS requests to specific sites and supplying the attacker's address before the distant end can respond.
  A DNS resolver will accept the first matching response received, allowing a local attacker to beat the distant end in the response. Known as a race condition.
Generally used in conjunction with ARP poisoning (covered later), removing even the need to win the race.

DNS Man in the Middle Attacks

General Methodology:
  Spoof the distant end server (generally a web server)
  ARP poison the target host
  Perform DNS spoofing for the distant end server
  Perform the nefarious action against the target (generally credential stealing)
NOTE: While maybe useful in penetration testing depending on the activity, this is not generally an activity that would be performed when pen testing in a limited timeframe.

DNS Cache Poisoning

Replacing the correct address of an external host name (either the authoritative name server or a single host) with an attacker's address in the stored cache of a DNS caching server.
This attack targets:
  Flaws inherent in the DNS protocol (a 16-bit transaction ID and, without source port randomization, a predictable query port).
  Implementations of many DNS servers.
Can be extremely difficult for an end-user to detect that they are being attacked.
Note: Again, while a fairly dangerous attack, it would be very difficult to replicate during a time limited penetration test.

DNSSEC

DNSSEC (DNS Security Extensions): Extensions to the DNS protocol that provide for cryptographically signing DNS responses for origin authentication and integrity (it does not encrypt queries, so it provides no confidentiality).
Designed to prevent DNS MITM attacks and cache poisoning attacks.
Not widely deployed at the time of writing, so of fairly little significance to penetration testers. (Signed zones have since become common; in a signed zone the NSEC records themselves can be walked to enumerate names, and NSEC3 only makes that harder, not impossible.)

Domain Name Service - References

DNS Guides & Tutorials
  Debian Guide: http://www.debianhelp.co.uk/dnsrecords.htm
  Long Wikipedia Article: http://en.wikipedia.org/wiki/Domain_Name_System
  Google Basic Guide to DNS: http://www.google.com/support/a/bin/answer.py?answer=48090#G
  Zone Transfer Explanation: http://en.wikipedia.org/wiki/DNS_zone_transfer
  SPF Explanation: http://en.wikipedia.org/wiki/Sender_Policy_Framework
  DNS Record Types: http://en.wikipedia.org/wiki/List_of_DNS_record_types
  Using nslookup, dig and host: http://docsrv.sco.com/NET_tcpip/dnsC.nslook.html
  Using nslookup in Windows: http://support.microsoft.com/kb/200525
DNS MITM Attacks
  Cain & Facebook example: http://vishnuvalentino.com/computer/hacking-facebook-using-manin-the-middle-attack/
  Using Backtrack: http://dumb-answer.blogspot.com/2011/02/howto-dns-spoofing-with-backtrack.html
DNS Cache Poisoning: http://en.wikipedia.org/wiki/DNS_cache_poisoning
DNSSEC Explanation: http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
Tools (online / offline)
  Central Ops: http://centralops.net/co/
  Network Tools: http://network-tools.com/
  DNSStuff (concise responses): http://www.dnsstuff.com/
  Fierce: http://ha.ckers.org/fierce/

Mail Server Enumeration

Interacting With Mail Servers During a Penetration Test

Generally a penetration tester may interact with a customer's mail servers in three different ways:
  Attempting to identify valid user names and email addresses through brute force enumeration (i.e. wordlists, etc.)
  Sending spear-phishing emails into the customer organization through the mail servers
  Less often, interacting with client facing aspects of the server (OWA, POP3, IMAP, etc.) through either direct login after harvesting credentials, or possibly attempting to brute force passwords
Like many aspects of conducting time limited pen tests, while there are potentially many activities that could be used to assess a customer's mail services, the tester will need to pare down activities to what is manageable.
One effective technique may be to discover email addresses through open source research, then verify them against the mail server and enumerate further users.

Enumerating Email Addresses through the Mail Server

Three primary SMTP methods are used to enumerate users on a server:
  EXPN Command: Used to expand information for a given email address. Often used to expand a mailing list. Probably the least reliable method as it is not supported in Microsoft Exchange.
  VRFY Command: Used to verify that a mailbox is available for delivery. As the potential for abuse is obvious, this command is often turned off by default (a server that answers 252 to every VRFY is neither confirming nor denying the user).
  RCPT TO: Command: Identifies a message recipient. A much more reliable method to use to enumerate users as it is difficult to disable this functionality (it is the basis for identifying the recipient of a message). A catch-all configuration, or a server that only rejects unknown recipients after DATA, defeats it.
Online, manual and automated tools can all be used to enumerate users.

Command Line Enumeration of Users

Mail servers may be enumerated on the command line using Telnet or Netcat. For large scale enumeration, this would not be very effective.
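The exchange you would type by hand over Telnet or Netcat, and the reply codes that make it an enumeration method, are shown below as an added example (not course material): a small client probes each candidate with VRFY or with MAIL FROM / RCPT TO / RSET and treats 250 as a hit and 550 as a miss, while a fake server on the other end of a socketpair answers the way a Postfix instance with VRFY disabled would, so the block runs offline. The user list, hostnames and replies are constructed; the 252 answer to VRFY is there to show why RCPT TO is the more reliable method.

```python
"""SMTP user enumeration by VRFY and RCPT TO: the exchange Telnet/Netcat would
show by hand, driven by a small client against a fake server over a socketpair
so it runs offline.  Added example, not course material; the server's user
list and replies are constructed (Postfix-style wording)."""
import socket
import threading

VALID = {"jsmith", "jdoe", "postmaster"}
VRFY_ENABLED = False   # many servers disable VRFY; RCPT TO still leaks

def fake_server(conn):
    """Minimal SMTP responder: 250 for a known RCPT, 550 for unknown, 252 if VRFY is off."""
    f = conn.makefile("rwb", buffering=0)
    f.write(b"220 mail.acme-widgets.example ESMTP Postfix\r\n")
    while True:
        line = f.readline()
        if not line:
            break
        cmd, _, arg = line.decode(errors="replace").rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            f.write(b"250 mail.acme-widgets.example\r\n")
        elif cmd == "MAIL":
            f.write(b"250 2.1.0 Ok\r\n")
        elif cmd == "VRFY":
            if not VRFY_ENABLED:
                f.write(b"252 2.0.0 Cannot VRFY user, but will accept message\r\n")
            elif arg.split("@")[0] in VALID:
                f.write(b"250 2.1.5 " + arg.encode() + b"\r\n")
            else:
                f.write(b"550 5.1.1 User unknown\r\n")
        elif cmd == "RCPT":
            user = arg.upper().replace("TO:", "", 1).strip("<> ").split("@")[0].lower()
            if user in VALID:
                f.write(b"250 2.1.5 Ok\r\n")
            else:
                f.write(b"550 5.1.1 <" + user.encode() + b">: Recipient address rejected: User unknown\r\n")
        elif cmd == "RSET":
            f.write(b"250 2.0.0 Ok\r\n")
        elif cmd == "QUIT":
            f.write(b"221 2.0.0 Bye\r\n")
            break
        else:
            f.write(b"502 5.5.2 Error: command not recognized\r\n")
    conn.close()

class SmtpEnum:
    """Client side: one session, one probe per candidate, decisions from reply codes."""
    def __init__(self, sock, domain, sender="probe@external.example"):
        self.f = sock.makefile("rwb", buffering=0)
        self.domain, self.sender = domain, sender
        self.transcript = []
        self._expect("220")
        self._cmd("EHLO scanner.external.example", "250")

    def _cmd(self, line, *ok):
        self.f.write(line.encode() + b"\r\n")
        return self._expect(*ok, sent=line)

    def _expect(self, *ok, sent=None):
        """Read one reply, including multi-line replies ('250-...' continuation lines)."""
        lines = []
        while True:
            line = self.f.readline().decode().rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                break
        reply = "\n".join(lines)
        self.transcript.append((sent, reply))
        code = reply[:3]
        if ok and code not in ok:
            raise RuntimeError(f"unexpected reply to {sent!r}: {reply}")
        return code, reply

    def vrfy(self, user):
        """True/False when the server is definitive, None on 252 (non-committal)."""
        code, _ = self._cmd(f"VRFY {user}")
        return {"250": True, "550": False}.get(code)

    def rcpt(self, user):
        """Open an envelope, probe one recipient, RSET so the next probe starts clean."""
        self._cmd(f"MAIL FROM:<{self.sender}>", "250")
        code, _ = self._cmd(f"RCPT TO:<{user}@{self.domain}>")
        self._cmd("RSET", "250")
        return code.startswith("25")   # 250 accepted; 550/553 rejected

    def enumerate(self, candidates, method="rcpt"):
        probe = self.vrfy if method == "vrfy" else self.rcpt
        found = [u for u in candidates if probe(u) is True]
        self._cmd("QUIT", "221")
        return found

def run_demo(candidates, method="rcpt"):
    """Wire the client to the fake server over a socketpair; return (valid users, transcript)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_server, args=(server,), daemon=True)
    t.start()
    enum = SmtpEnum(client, "acme-widgets.example")
    found = enum.enumerate(candidates, method)
    client.close()
    t.join(timeout=5)
    return found, enum.transcript

if __name__ == "__main__":
    users, transcript = run_demo(["jsmith", "jdoe", "bwilson", "admin"])
    for sent, reply in transcript:
        if sent:
            print("C:", sent)
        print("S:", reply)
    print("valid:", users)
```

Against a real server, replace the socketpair with socket.create_connection((host, 25)); the client logic is unchanged. Note that a real session normally keeps one envelope open and issues many RCPT TO commands before resetting, which is faster but makes the rejected-recipient count per session visible to rate limits, so the per-probe RSET above trades speed for lower profile.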

Online Enumeration of Users

Individual email accounts can be enumerated online, providing a measure of stealth. However, this would again not be very effective on a large scale.
(Screenshot: successful validation)

Enumeration of Users Using Automated Tools

smtp-user-enum.pl - Perl script included in the BackTrack suite.

Enumeration of Users Using Automated Tools

Nmap NSE script smtp-enum-users.nse
  Usage: nmap --script smtp-enum-users.nse <script-args> <host>
  Uses Nmap's username database by default ({Nmap directory}/nselib/data/usernames.lst); a custom dictionary can be supplied with --script-args userdb=<file> rather than editing the default list.
  Use --script-args smtp-enum-users.domain=<example.com> to append a domain name to the usernames (if not defined in the wordlist); smtp-enum-users.methods selects among EXPN, VRFY and RCPT.
  Full example command:
    nmap --script smtp-enum-users.nse --script-args smtp-enum-users.domain=vglab.com <IP Address>

(Screenshot: Using the Nmap SMTP User Enumeration Script)

Dealing with Email Filtration Systems

When sending spear-phishing emails, either as the initial stage of a penetration or just to collect statistics, there are a number of email filtration systems that could block your attempts, including:
  Sender Policy Framework (SPF) policies
  DomainKeys / DKIM signatures
  Spamtraps
  Rate limiting
  Many, many others
In general, a penetration test conducted in a limited timeframe does not have the ability to attempt to evade spam filtering mechanisms.
Better to document the protections and work with the customer to work around them (possibly send emails from internal systems, etc.) for the test.

Brute Forcing Client Mail Services

Client mail services allow a local mail client to access a user's mailbox. Three primary types of client mail services include:
  Post Office Protocol (POP) 3
    While not related to brute forcing, it should be noted that POP3 communicates in cleartext unless wrapped in TLS (POP3S on TCP 995, or the STLS command).
  Internet Message Access Protocol (IMAP)
  Proprietary protocols - such as Microsoft Outlook (MAPI/RPC) and IBM Notes
Both POP3 and IMAP can be vulnerable to network password cracking (covered later).
  However, this is a (relatively) slow operation and not something likely to be performed in a resource limited penetration test.