Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Pentesting Openmail Web login
From: "Clemens, Dan" <Dan.Clemens () healthsouth com>
Date: Thu, 24 May 2007 09:01:05 -0500

What it sounds like your asking is something that  will automatically
give you results against this type of target in the form of a tool and
or a basic formula.

To answer your first question:

I am task with testing user accounts on our mail system. 

The use of SMTP command may help you - expn or vrfy will help you in
enumerating accounts. 
Looking at google for email accounts from the domain may help also.
Is pop3 or any other type of _mail_service available from the external
world?

We currently have two systems Exchange, 

Since they are running exchange what about ms07-026 vulns or older
exchange vulns?

and OpenMail for Linux which is on the DMZ.

What about getting a copy of openmail and looking at how it works?
What other services are running?


We are interested in finding out how easy it might be for someone to
guess the password of one or our users account.

It would be fairly easy if there isn't a password policy enforced on the
system and one user has a simple password.
Have you tried mining google for email addresses and then using vrfy
against the mail server or sending email to the email address to see if
it bounces(so you can validate what account you would like to brute
force)?

I guess your request really sounds like a request to just get a formula
for a blackbox / common pentest type endeavor which a response could
follow many basic threads of how to start doing some type of recon
against the target.

What have you tried and what is your attack strategy so far?

I haven't checked what nasl scripts would aid in openmail, but I think
nessus would be your basic shotgun approach, but could lead you down the
incorrect path.

If you have any idea of how openmail works you could bruteforce
directories or something you know about that may be tied to some type of
response that clues you into the fact that an account is available or
not available.

If you try to login to openmail do you get differing responses depending
if a password simply failed for a user, or if the username and password
was incorrect? Does anything in the response or webpage(if there is one
I don't even know) give you any clues in seeing if you are attempting to
login as a user that exists versus one that does not exist>?)


Daniel Clemens
Senior Security Engineer
HEALTHSOUTH Information Security
205.968.6335 



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of s-williams () nyc rr com
Sent: Wednesday, May 23, 2007 8:27 PM
To: listbounce () securityfocus com; pen-test () securityfocus com
Subject: Re: Pentesting Openmail Web login

Anyone have a good tool in mine?
------Original Message------
To: listbounce () securityfocus com
To: pen-test () securityfocus com
Sent: May 23, 2007 12:01 PM
Subject: Pentesting Openmail Web login

I am task with testing user accounts on our mail system. We currently
have two systems Exchange, and OpenMail for Linux which is on the DMZ.
We are interested in finding out how easy it might be for someone to
guess the password of one or our users account.

And if the are sucessful what can the do on the linux box, with that
username and password.

We have a main site with a link to the webmail system from there, ifi
want to test this which tool might be the best for doing this since its
a link and not the main page?

Thanks in advance

"A wise man ask questions, a fool is afraid of knowledge"  

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic See HOW Now with our 20/20
program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

-----------------------------------------
Confidentiality Notice: This e-mail communication and any
attachments may contain confidential and privileged information for
the use of the designated recipients named above. If you are not
the intended recipient, you are hereby notified that you have
received this communication in error and that any review,
disclosure, dissemination, distribution or copying of it or its
contents is prohibited. If you have received this communication in
error, please notify me immediately by replying to this message and
deleting it from your computer. Thank you.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]