Using public LDAP directories for attack preparation

From: Per Thorsheim (per@thorsheim.net)
Date: Wed Sep 27 2006 - 14:27:57 EDT


I've seen quite a few publicly available LDAP directories on the Internet
containing names, e-mail addresses and other employee information for a
company.

Besides the obvious possibility of harvesting working e-mail addresses for
spam purposes, has anyone successfully used such externally available
directories for doing targeted social engineering attacks as part of a
pentest?

Regards,
Per Thorsheim
CISA, CISM, CISSP

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:02 EDT