Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Several Domains
From: Todd Haverkos <infosec () haverkos com>
Date: Fri, 12 Dec 2008 03:07:30 -0600

"Ahmed Zaki" <ahmedmzaki () gmail com> writes:

Thanks for your reply . 

Apparently its my fault I should have made my question clearer. 

Your target is Company X . The ip of the mail server turned to be
xxx.xxx.xxx.xxx and that when used to do a reverse DNS lookup gave
mail.companyx.com , mail.companyx-fs.com, mail.companyx.com.fs ,
mail.companyxfs.com . As a pentester how would you go about identifying the
actual domain name that is being used internally . 

One trick is that you can often gather some info by sending a mail to
the domain using an invalid To: address and scrutinizing the headers
in the bounce that often comes back.  Rinse and repeat for each
possible domain. 

If they have a web site that generates outbound mail in any fashion
(confirmations to a request for contact for example), then
scrutinizing Received headers from that mail can sometimes yield
internal server names.

You can't account for all possible uses of alias FQDN's internally, of
course, but then there's also the question of "what's the use of
divining the one true canonical name, anyway?"  After all, the IP is
really where the rubber meets the road in terms of attempting to
compromise the mail server.

That said, however the alias domain names are usually useful for
giving hints on which domains may be valid for delivery on that

Best Regards, 
Todd Haverkos, LPT MsCompE

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]