Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions
From: Fred Mobach <fred () MOBACH NL>
Date: Fri, 29 Sep 2000 22:30:28 +0200
"Loschiavo, Dave" wrote:
> How's this for an attack scenario...
> Since the firewall is not blocking any outbound traffic (bad move) I would
> make an effort to acquire the email addresses of internal users. That
> shouldn't be too hard to do if they do business with anyone. Once I had that
> I would send HTML email to those addresses and try to exploit this 'feature'
> of Windows: http://www.oamk.fi/~jukkao/bugtraq/0003/0171.html. I would then
> crack the passwords for the accounts that viewed the email and try to log on
> to listening services using those accounts and passwords.
> 1. I am able to find a valid email address.
> 2. HTML mail is not cleaned before it reaches the user.
> 3. The email client does HTML mail.
> 4. The email client is residing on a MS OS.
> 5. The users who read the email have authenticated to an NT domain.
> 6. The users who read the email have the ability to log on to the listening
> services I am trying to access via open firewall ports.

Three out of five of my customers are prone to this attack ;-).
One is not prone because he does not use NT, the company is occupied with
Another one is safe because his firewalls are configured in a better way; it's
a financial company.
The others were already warned and are not interested in security-related