CODENAME: Samurai Skills Course
Module 2: Real World Information Intelligence Techniques
Ninja-Sec.com

Conducting Open Source Intelligence Gathering

Goal: Become familiar with your customer through their online presence to aid in later phases of the penetration test.
  Target discovery
  Possible additional attack vectors
  System enumeration and vulnerability discovery (without ever having to touch the customer network)
Small snippets of data throughout the internet can be combined to reveal useful information
  Leveraged in the later stages of an engagement.

Conducting Open Source Intelligence Gathering

For Red Team assessments, this process could last weeks or months.
When conducting assessments in a limited timeframe, you don't have that luxury. You need to focus on:
  A limited set of tools that can provide digestible information quickly.
  A limited set of analysis techniques that have the potential to provide high quality information.
Note: In many cases these activities won't even be conducted because the scope of the assessment doesn't warrant it.
  Assessments against single systems, major applications, etc.

Conducting Intelligence Gathering

Sources for analysis can include:
  Search Engines
  Company Websites
  Archive.org
  Public Corporate Information (if applicable)
  Newsgroups/Listservs
  Job Listings
  Technical Support Forums
  Financial and Business Articles
  Blogs
  Social Media

Conducting Intelligence Gathering

The objectives of the assessment should drive the scope of these activities.
What you are looking for:
  Subordinate, senior and lateral organizations
  The extent of the public online presence
  Physical locations of customer facilities
  Corporate Gatherings
  Significant Company Dates
  Organizational Information
    Org Charts
    Positional Hierarchy and Descriptions

Company Websites

Company websites will usually reveal the mission, current news, and points of contact surrounding the company.
Make sure to look at sites other than the main site
  Just looking at company websites can often tell you a lot about backend infrastructures, etc.
  Useful for determining partners or potential trust relationships.
    Epsilon Breach
    May be less secure

Company Websites

Useful for generating a dictionary-based password wordlist for your favorite password cracker.
May be crucial to determine engagement activities.
  Social Engineering
  Web Assessment
Locally mirroring the customer website can make analysis faster and easier.
  Added benefit of interacting with the customer network less frequently.

Locally Copying Company Websites

Locally copying company websites can be easily accomplished with several tools, including wget and HTTrack.
HTTrack is a super simple tool that is probably the most comprehensive.

Newsgroups and Listservs

Newsgroups and listservs are usually communities that gather online for a specific purpose.
  Composed of people from all walks of life, including many organizations.
A quick search does not take very long and can provide a goldmine of information, such as:
  Questions about IT environments
  Security issues and concerns
  Inside points of contact
  Employee morale
  Previous employment/experience

Email ListServs

A collection of members that contribute to discussion on security topics via email threads.
  Usually revolves around security research or issues that may not be well documented online.
Example listservs are:
  Pauldotcom Mailing List
  Bugtraq
  NoVAHackers
  SANS Advisory Board
  Infragard
  Seclists has many more

Online Job Listings

Job Description: Many organizations will put vendor names and technologies in job descriptions.
  This information will augment the discovery phase of the engagement.
Frequency: The turnover of employees will usually be an indication of the management style, working conditions, security funding, or political environment.
  Frequency is not a conclusive finding for all of the above; however, it may be worth exploring in a scoping call.
Salary Range/Position Titles/Points of Contact: Can assist with mapping the organizational structure of the customer.

Resumes

Can be a gold mine of information
Information about the target as well as the environment:
  Address - Geo-locating purposes
  Contact Information - Data can be leveraged to find more sensitive information
  Certifications - Potential connections to professional organizations
  Affiliations - Connects target to organizations, both past and present
  Technologies per Environment - Determine what security technologies are in place
  Organizational Initiatives - What technologies may only be half implemented

Technical Support Forums

IT personnel may post information online in an attempt to solve a problem.
  The information posted may be generic at first, but people tend to post more information if they do not get an answer that solves their issue.
Information found on technical support forums can include:
  Code Snippets
  Technologies
  Device Configurations
  Company Data
  Password Protected Documents

Financial and Business Articles

Financial strength and company mission can be an indication of IT spending priority.
Acquisitions usually indicate that different IT environments may have been merged.
  Often not perfectly implemented
  Rule exceptions added
Regulatory compliance will require specific device and architecture configurations.
  Audit findings and grades will give an insight as to how well regulations are followed.

Blogs

Blogs usually contain ideas and stories specifically written about a current thought, event, or research being conducted.
Employee blogs may contain information about current projects within the target company.
  Disgruntled employees will often post more information or look for new jobs, divulging their experiences within previous roles.
Company-sponsored blogs usually specialize in the company mission and are authored by senior people within the organization.

Social Media

Social Media can be used to identify individuals associated with the customer and their interests.
  Can be used to target individuals for social engineering and spear phishing campaigns.
Social Media sites all serve different purposes and have different interactions. Three popular sites can be used to gather various types of information.
  Facebook - Posts tend to be current events or situations.
    May include location data. (Facebook Places)
  Twitter - More of a stream of consciousness application. The pulse of an employee.
    May include location data. (Foursquare or similar)
  LinkedIn - Job related information which may contain technical experience and work on various projects.

Online Email Access and Email Spools

Email spools can often lead to a wealth of information.
Email information could include:
  Competitive Intelligence
  Company Financials
  Potential Attack Vectors
With the proliferation of online email, there is the potential to be able to gain access to an employee's
Beyond information gathering, a penetration tester can use access to employee email spools to show the impact of a penetration.
  HBGary, Infragard and Sony are illustrations of how dangerous an email compromise can be.
The tedious work of email analysis is more of a Red Teaming function.

Tools That Aid and Automate Online Discovery & Analysis

theHarvester - Script designed for gathering e-mail accounts, user names and hostnames/subdomains from different public sources
  theharvester.py -d microsoft.com -l 500 -b google - Attempt to discover 500 Microsoft email addresses through Google
Cewl (Custom Word List Generator) - Creates a wordlist by spidering a customer's website
  Can be used to aid in password cracking

Tools That Aid and Automate Online Discovery & Analysis

Cree.py - Downloads all pictures on a Flickr or Twitter account, parses the EXIF data and maps it onto a Google Maps application. Useful for tracking users
  Note: Facebook strips EXIF data of pictures that are posted
Maltego - Designed to automate many information gathering tasks and transform one type of information into another
  For instance, find phone numbers associated with an address
  There is a free version, but it is basically unusable for any real assessment.

Google Search Strategies

Google search strategies have become somewhat of an art form and can be very powerful in extracting information on customers.
It can also be fantastically easy and quick to use.
Targeted information can be derived by adding definition and operators to the search bar.
Some operators that play a major role in providing definition to your search:
  site:www.example.com - Constrains a search specifically to the site listed
  link:www.example.com - Searches for sites linking to the site listed
    Useful for identifying possible trust relationships.
  intitle:car - Searches for specified parameters in the title of the results.
    Useful for identifying vulnerable servers, files with sensitive information, or login pages.
  inurl:install.php - Searches for specified parameters in the URL of the results.
    Useful for finding scripts or certain types of pages

Google Search Strategies

Google operators (cont.)
  filetype:xls - Searches for specific file types, often used in conjunction with site:
    Allows data mining of your target.
    Some example file types supported: pdf, ps, dwf, kml, kmz, xls, ppt, doc, rtf, swf
  + and - - Either specifically include normal stop words, or specifically exclude a word in searches
  "<phrase>" - When searching, only show results with the specific phrase
  Many more - Refer to references for extensive guides
Organizations may have a custom Google Search Appliance on their network.
  A Google Search Appliance is a custom server that is placed within an organization that will index and crawl all available data points within an internal network.
  Web server analysis helps to identify if the appliance is present
  Usually a treasure trove of information.

Google Advanced Search (screenshot)

Google Site Operator (screenshot)

Google Link Operator (screenshot)

Google Search Assistance Tools

Google Hacking Database is useful for coming up with search parameters associated with sensitive information or vulnerabilities.
  For a while, the GHDB was discontinued; however, it is now being maintained by the folks who run exploit-db.com
  http://www.exploit-db.com/google-dorks/
Provides examples of search terms that can be modified specific to your client.
Sorted by categories including: Vulnerable Sites, Online Devices, Log Detection, Directories, Username files, Files with Sensitive Information, and others.

Google Search Assistance Tools

Searching through all the GHDB can be tedious
  Wikto can help automate Google searches
  Wikto includes much more functionality than just search assistance, including mirroring, fingerprinting, vulnerability identification and more
Sitedigger is another tool strictly focused on Google scanning
Goolag was another tool to automate GHDB searches, but appears offline now
SearchDiggity is another tool to automate GHDB and BHDB searches

GHDB Search Example (screenshot)

SearchDiggity (screenshot)

Some Other Search Engines

General Purpose
  Bing, Yahoo, Ask
Jobs
  Careerbuilder, Monster, Indeed, LinkedIn
Foreign Search Engines
  Baidu - China, Yandex - Russia, Guruji - India
People Searches
  Pipl, 123People, Whitepages, Spokeo, Zoominfo
Real Estate
  Zillow, Trulia, Hotpads, Fixber

Information to Target

Data collection is key to this phase. Remember, the attacker will leverage all information that can be found to penetrate a network environment.
Data points to look for:
  Credentials - Usernames or passwords may be stored in an accessible fashion.
  Email Addresses - Will determine email address structure. Useful to enumerate users as well as pull off a more successful social engineering attempt.
  Files - May contain sensitive data or metadata.
  Geographic Information - May help determine weak points in security posture.
  Financials - Helps to determine spending ability, may yield insight into IT spending.
  Users - Social networking sites will often let an attacker enumerate a user base without even being in the network.
  Technologies - Resumes will often bleed information about IT technologies of an organization.

File Analysis

Files on customer websites sometimes have information that can be used in further phases of the assessment.
  Instructions for accessing systems
  Procedures, training, human resources information
File metadata can often have interesting information, such as:
  Author and Modifier Usernames
  File Paths
  Software Versions
  Printer Details
  Email Addresses
  Comments

File Analysis

Any downloaded files should be analyzed for metadata leakage
Two tools can make this process easy:
  FOCA - Reads file metadata for a wide range of formats
    Tool has much more functionality including conducting custom searches, fingerprinting servers and more
    Can analyze files without needing to download them
  Metagoofil - Another tool that extracts metadata from files on a customer website

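The same metadata fields are what a document owner should strip before publishing, so the check is worth automating on your own side as well. The Python script below is an added example and is not part of the course material or of FOCA/Metagoofil: using only the standard library it reads the core and extended property parts of an Office Open XML (.docx) package and reports the fields that expose user names, internal paths, company name or software versions. The document it inspects is constructed inline (the names jsmith, CORP\it-admin, Example Corp and the template path are made up); the part names and XML namespaces are those of the OOXML package format.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces of the two OOXML property parts (docProps/core.xml, docProps/app.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Report key -> (package part, element). These are the fields the slide lists as
# leakage: author/modifier user names, software versions, file paths.
FIELDS = {
    "author": ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "created": ("docProps/core.xml", "dcterms:created"),
    "application": ("docProps/app.xml", "ep:Application"),
    "app_version": ("docProps/app.xml", "ep:AppVersion"),
    "company": ("docProps/app.xml", "ep:Company"),
    "template": ("docProps/app.xml", "ep:Template"),
}


def extract_docx_metadata(data: bytes) -> dict:
    """Return the metadata fields present in a .docx given as bytes.
    A part or field that is absent is simply left out of the result."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        parts = {p: ET.fromstring(zf.read(p)) for p in
                 ("docProps/core.xml", "docProps/app.xml") if p in names}
    for key, (part, element) in FIELDS.items():
        root = parts.get(part)
        node = root.find(element, NS) if root is not None else None
        if node is not None and node.text and node.text.strip():
            found[key] = node.text.strip()
    return found


def leakage_findings(meta: dict) -> list:
    """Describe which fields would tell an outside reader something."""
    findings = []
    for key in ("author", "last_modified_by"):
        if key in meta:
            findings.append(f"{key} exposes a user name: {meta[key]}")
    if "company" in meta:
        findings.append(f"company name embedded: {meta['company']}")
    if "app_version" in meta:
        app = meta.get("application", "unknown application")
        findings.append(f"software version embedded: {app} {meta['app_version']}")
    if "template" in meta and "\\" in meta["template"]:
        findings.append(f"internal file path embedded: {meta['template']}")
    return findings


# Constructed sample: a minimal .docx package carrying typical office metadata.
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>CORP\\it-admin</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2011-03-01T09:00:00Z</dcterms:created>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}">
  <Template>\\\\fileserver01\\templates\\Memo.dotm</Template>
  <Application>Microsoft Office Word</Application>
  <AppVersion>12.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>""".format(**NS)

CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>"""


def build_sample_docx() -> bytes:
    """Write the constructed parts into a zip container, as Word would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for line in leakage_findings(extract_docx_metadata(build_sample_docx())):
        print(line)
```

Run it as-is to see the five findings for the sample, or feed `extract_docx_metadata` the bytes of a real file before it goes onto a public website; the same two property parts exist in .xlsx and .pptx packages.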
Analyzing File Metadata with FOCA (screenshot: right-click in box to add a local file)

Analyzing File Metadata with FOCA (screenshot: right-click in box again to extract metadata)

Example Intel Gathering Methodology

Search Engine Discovery
  Attempt to find all customer websites
  Attempt to find affiliated sites
  Use GHDB searches to attempt to find sensitive information and potential vulnerabilities
Company Websites
  Conduct a cursory review of all discovered websites for information that can be used in later stages of the assessment
  Mirror discovered (and interesting) customer websites
    Provides for offline analysis and less interaction with the customer network
  Review HTML source code for comments

Example Intel Gathering Methodology

3rd Party websites
  Search social media for information and usernames/email addresses that could aid in a spear phishing campaign
  Search newsgroups, forums and email lists for information leakage and information that can be used in later stages of the assessment
Files and file metadata
  Search files on customer websites for sensitive information
  Analyze the metadata on all files identified for usernames, email addresses, file paths, etc.

CODENAME: Samurai Skills Course
External Network Footprinting
Ninja-sec.com

External Network Footprinting

Used to determine the extent of the customer's Internet reachable network presence through the use of online and offline tools.
Often also called Network Discovery.
There are several methods to use to fully discover a customer's network presence.

Footprinting Methodology

Gather IP addresses of all publicly identifiable client hosts
  Using open source research.
Tracerouting
  Used to gather information on networks and network paths associated with customer hosts (ISPs, hosting providers, etc.)
Conduct lookups for registration (whois) records
  Additional information can be located in registration records that should be fed into further open source research.

Footprinting Methodology

Conduct Border Gateway Protocol Autonomous System Number (BGP ASN) record lookups.
Forward and reverse DNS lookups on all discovered domains and network ranges.
Repeat steps until all associated hosts and network ranges have been identified.
Compile a list of all domain names, network ranges and ASNs associated with the customer.
If attempting to be stealthy, conduct all the above activities using online tools only.

Gathering IP Addresses

One example using Centralops.net (screenshot)

Tracerouting (screenshot; annotation: firewalled ISP network?)

Registration Records (screenshot; annotations: associated network range?, organization name and address)

Registration Records

Information that can be further used for information gathering (screenshot; annotations: name, email address and phone number).

Next Steps

Conduct reverse DNS lookups against all discovered network ranges to identify additional hosts and domains associated with the customer.
Conduct open source research against newly identified information.
Make sure to document all findings for later use.

CODENAME: Samurai Skills Course
DNS Enumeration
Ninja-Sec.com

Domain Name Service (DNS)

Association of network human readable names to IP addresses, or the reverse.
Hierarchical system of servers used to retrieve the IP address of any (correctly formatted) host name on the Internet.
A number of security issues have been identified with its implementation.
Uses UDP port 53.
  TCP port 53 is used for large transfers (greater than 512 bytes).
A fairly complex topic that can be somewhat difficult to understand.
  This topic will focus on the areas that are important for penetration testers

Important DNS Terms for Pen Testers

Name Server / Domain Host - Servers that run the DNS services for an organization.
  Provides answers to queries for hosts within the domain or zone.
  Conducts queries on external name servers on behalf of hosts in the domain.
DNS Resolver - A client that initiates a lookup request to a DNS server (i.e. your host)
Authoritative Name Server - A DNS server that provides answers to name queries for hosts within its zone
Recursive Name Server - A DNS server that performs all queries necessary on behalf of a DNS resolver
Caching Name Server - A resolving DNS server that caches all responses it has received to speed up subsequent lookups. Many security problems have resulted.
Zone Transfer - Used to replicate records between DNS servers within a zone. Can sometimes be abused by outside attackers to acquire all the records for a zone.

DNS Diagram (figure)

DNS Transaction

1. Source host requests IP address of destination hostname from local DNS server. (www.example.com)
2. Local DNS server requests authoritative DNS server for destination domain. (example.com)
3. Local DNS server requests IP address of destination host from authoritative DNS server. (X.X.X.X)
4. Local DNS server returns IP address of destination host to source host.
5. Source host connects to destination host.

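To make the transaction above concrete, here is an added Python example (not from the course) that builds the query a host sends in step 1 and parses the answer it receives in step 4, using only the standard library. It also shows the earlier point that DNS runs over UDP port 53 and uses TCP port 53 for messages larger than 512 bytes: an answer with the TC (truncated) flag set is the resolver's signal to repeat the query over TCP, where every message is prefixed with a two-byte length. The response bytes are constructed inline rather than fetched from a server; www.example.com and the address 192.0.2.10 are placeholders.

```python
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 33: "SRV", 252: "AXFR", 255: "ANY"}
UDP_MAX_PAYLOAD = 512   # classic limit for DNS over UDP; larger answers set TC
FLAG_TC = 0x0200        # truncated
FLAG_AA = 0x0400        # authoritative answer
FLAG_RD = 0x0100        # recursion desired


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (wire labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Step 1 of the transaction: the message a host sends to its local DNS server."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def frame_for_tcp(message):
    """Over TCP port 53 each message is prefixed with its 16-bit length."""
    return struct.pack("!H", len(message)) + message


def parse_name(data, offset):
    """Decode a name at offset, following compression pointers (0xC0..).
    Returns (name, offset just past the name in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_response(data):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = parse_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = parse_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(data[offset:offset + 4])
        elif rtype in (2, 5, 12):            # NS, CNAME, PTR carry a name
            value, _ = parse_name(data, offset)
        else:
            value = data[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "truncated": bool(flags & FLAG_TC),
            "authoritative": bool(flags & FLAG_AA), "answers": answers}


def needs_tcp_retry(response):
    """A UDP answer with TC=1 was cut at 512 bytes: re-send the query over TCP."""
    return response["truncated"]


def build_sample_response(query, ip, truncated=False):
    """Constructed reply to `query` (step 4): echoes the question, then one A
    record whose name is a pointer (0xC00C) back to the question at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | FLAG_RD | 0x0080 | (FLAG_TC if truncated else 0)  # QR, RD, RA
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(parse_response(build_sample_response(q, "192.0.2.10")))
```

The transaction ID check (`response["id"]` against the ID sent) is also the first thing a resolver should verify before accepting an answer, which is why the spoofing and cache poisoning slides later in this module matter: an answer that arrives first with a matching ID wins.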
Important DNS Record TYPES for Pen Testers

DNS records match a host name to an IP address and also often identify the function of the device. There are quite a few record types, but a few should be readily identifiable by pen testers.
  A record - Also known as a host record. Links a host name to an IP address
  AAAA record - Returns an IPv6 address
  NS record - Authoritative name server for the zone.
  CNAME record - Alias to another name. The DNS lookup will try the new name.
  MX record - Mail server for the zone. Often multiple MX records exist for a zone, with a weight given to identify primary and secondary servers. Lower number = higher priority.

Important DNS Record TYPES for Pen Testers

  HINFO record - Optional information about the host.
  SOA record - Provides information about the zone, such as primary name server, administrator email, etc.
  PTR record - Links an IP address to a host name. Used in reverse DNS lookups.
  TXT record - Used to provide optional information about the zone. Sometimes used to prevent email spam (although SPF records should be used instead)
  SRV record - Generalized record for services provided in the zone. A host queries the zone for a specific service and is given a server address to connect to. Used by Active Directory for example.

DNS Lookup Example (screenshot; annotations: SPAM protection, other netblocks)

DNS Zone Transfers (AXFR)

Usually used for replicating records from one server in the zone to another.
Can be abused by an outsider to gather network information.
Zone transfers use TCP port 53.
Often primary DNS servers will not allow zone transfers.
  Backup DNS servers often are prone to misconfigurations.
  Make sure you check every DNS server in the network.
You should always remember to pipe the output of zone transfers to a file.
  The output of a zone transfer can get very large.

DNS Tools (Queries, Zone Transfers, etc.)

Compile a list of all reachable DNS servers for the network / zone.
  All servers listed in NS records.
  Port scan all network ranges for UDP and TCP port 53.
*nix host command.
  With the -l option, can be used to quickly check servers listed in NS records for zone transfers
  Ex: host -l <DNS zone> <nameserver>

DNS Tools (Queries, Zone Transfers, etc.)

*nix dig command
  Allows for a bit more granularity when querying DNS records than the host command
Example dig command:
  dig @67.192.47.244 <DNS zone> <type>
    @<nameserver> specifies the name server to use.
    <DNS zone> specifies the zone to query against (i.e. google.com)
    <type> specifies the type of record to query for
      any - returns administrative information about the domain / zone
      mx - returns mail servers for the domain / zone
      axfr - attempts a zone transfer for the zone specified
      etc.

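Because a transfer pulled with host -l or dig axfr is best written to a file and reviewed offline, the Python example below (added here, not part of the course) parses saved dig-style AXFR output and summarizes what the zone exposes: hosts with addresses, mail servers in priority order (lowest preference first, as the MX slide notes), RFC 1918 addresses that have leaked into a public zone, and HINFO records describing hardware. It also checks that the transfer is complete, which AXFR signals by repeating the SOA record at the end. The zone contents, the names and the dig banner lines are a constructed sample.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a saved transfer, e.g. `dig @ns1.example.com example.com axfr > zone.txt`
SAMPLE_ZONE = """\
; <<>> DiG 9.7.3 <<>> @ns1.example.com example.com axfr
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2011030101 7200 900 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tMX\t20 mail2.example.com.
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t\t3600\tIN\tTXT\t"v=spf1 mx -all"
ns1.example.com.\t3600\tIN\tA\t192.0.2.1
mail.example.com.\t3600\tIN\tA\t192.0.2.10
vpn.example.com.\t\t3600\tIN\tA\t192.0.2.20
vpn.example.com.\t\t3600\tIN\tHINFO\t"Cisco ASA" "IOS"
www.example.com.\t\t3600\tIN\tCNAME\twebhost.example.com.
webhost.example.com.\t3600\tIN\tA\t198.51.100.5
dev-jenkins.example.com. 300\tIN\tA\t10.0.1.7
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2011030101 7200 900 1209600 3600
;; Query time: 12 msec
;; XFR size: 13 records (messages 1, bytes 402)
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(address):
    """True for IPv4 addresses from the private ranges that should never appear in a public zone."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_zone(text):
    """Turn dig's AXFR listing into (name, ttl, type, rdata) tuples, skipping
    the ';' comment lines dig prints before and after the records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _class, rtype, rdata = parts
        records.append((name.lower(), int(ttl), rtype.upper(), rdata))
    return records


def summarize(records):
    """Inventory the zone and flag records an outside party should not be able
    to read: private addresses and HINFO hardware descriptions."""
    hosts = defaultdict(set)
    private_ips, hinfo, mx = [], [], []
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            hosts[name].add(rdata)
            if is_rfc1918(rdata):
                private_ips.append((name, rdata))
        elif rtype == "HINFO":
            hinfo.append((name, rdata))
        elif rtype == "MX":
            pref, server = rdata.split()
            mx.append((int(pref), server))
    soa = [r for r in records if r[2] == "SOA"]
    return {
        "hosts": {n: sorted(a) for n, a in hosts.items()},
        "mx": sorted(mx),                                  # lowest preference = primary
        "private_ips": private_ips,
        "hinfo": hinfo,
        "complete": len(soa) >= 2 and soa[0] == soa[-1],   # AXFR ends by repeating the SOA
    }


if __name__ == "__main__":
    report = summarize(parse_zone(SAMPLE_ZONE))
    print(f"{len(report['hosts'])} addressed hosts, transfer complete: {report['complete']}")
    for name, ip in report["private_ips"]:
        print(f"private address in public zone: {name} {ip}")
    for name, info in report["hinfo"]:
        print(f"HINFO leaks platform details: {name} {info}")
```

Running it against a transfer of your own zone is a quick way to confirm that every secondary server refuses AXFR to outsiders and that nothing internal (lab hosts, HINFO, private addresses) has been left in the public view; a partial listing without the closing SOA means the transfer was cut off and the file should not be trusted as complete.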
Zone Transfer With Dig (screenshot)

DNS Tools (Queries, Zone Transfers, etc.)

nslookup command (Windows and *nix)
  Command for conducting DNS queries, and zone transfers on Windows (can be used on *nix, but there are better commands available)
  Can either be used all on the command line, or in interactive mode
    Interactive mode will return more details
Example nslookup command:
  nslookup -type=any <DNS zone> <server>

Forward and Reverse DNS Grinding

Forward DNS Grinding: Attempting to discover additional hostnames within a domain / zone through the use of custom wordlists to do lookups.
Reverse DNS Grinding: Attempting to discover hostnames from a given set of IP network ranges through reverse DNS lookups against every IP.
Several tools exist to conduct DNS enumeration, forward and reverse grinding, although probably the best known is Fierce.
For a number of other tools, look in the Backtrack tool suite under DNS Analysis.

Forward and Reverse DNS Grinding

Fierce Domain Scan
  Provides a large number of customization and performance options
To conduct forward DNS grinding using a wordlist:
  fierce.pl -dns <domain> -wordlist <wordlist file> -file <output file>
    <domain> - the domain / zone you want to scan
    <wordlist file> - the file to use for forward DNS grinding
To conduct reverse DNS grinding:
  fierce.pl -range <network range> -dnsserver <server>
    <network range> - the IP range to scan. Use in the form 172.16.0-255.0-255

DNS Man in the Middle Attacks

DNS MITM (Spoofing) Attack: Listening for DNS requests to specific sites and supplying the attacker's address before the distant end can respond.
  A DNS resolver will record the first response received, allowing a local attacker to beat the distant end in the response.
  Known as a race condition.
Generally used in conjunction with ARP Poisoning (covered later), removing even the need for race conditions.

DNS Man in the Middle Attacks

General Methodology:
  Spoof the distant end server (generally a web server)
  ARP Poison the target host
  Perform DNS spoofing for the distant end server
  Perform nefarious action against target (generally credential stealing)
NOTE: While maybe useful in penetration testing depending on the activity, not generally an activity that would be performed when pen testing in a limited timeframe.

DNS Cache Poisoning

Replacing the correct address of an external host's name (either the authoritative name server or a single host) with an attacker's address in the stored cache of a DNS caching server.
This attack targets:
  Flaws inherent in the DNS protocol.
  Implementations of many DNS servers.
Can be extremely difficult for an end-user to detect they are being attacked.
Note: Again, while a fairly dangerous attack, it would be very difficult to replicate during a time limited penetration test.

DNSSEC

DNSSEC (Secure DNS): Extensions to the DNS protocol that provide for cryptographically signing DNS responses for origin authentication.
Designed to prevent DNS MITM attacks and cache poisoning attacks
Not currently widely deployed, so of fairly little significance to penetration testers.

Domain Name Service - References

DNS Guides & Tutorials
  Debian Guide: http://www.debianhelp.co.uk/dnsrecords.htm
  Long Wikipedia Article: http://en.wikipedia.org/wiki/Domain_Name_System
  Google Basic Guide to DNS: http://www.google.com/support/a/bin/answer.py?answer=48090#G
  Zone Transfer Explanation: http://en.wikipedia.org/wiki/DNS_zone_transfer
  SPF Explanation: http://en.wikipedia.org/wiki/Sender_Policy_Framework
  DNS Record Types: http://en.wikipedia.org/wiki/List_of_DNS_record_types
  Using nslookup, dig and host: http://docsrv.sco.com/NET_tcpip/dnsC.nslook.html
  Using nslookup in Windows: http://support.microsoft.com/kb/200525

Domain Name Service - References

DNS MITM Attacks:
  Cain & Facebook example: http://vishnuvalentino.com/computer/hacking-facebook-using-man-in-the-middle-attack/
  Using Backtrack: http://dumb-answer.blogspot.com/2011/02/how-to-dns-spoofing-with-backtrack.html
DNS Cache Poisoning: http://en.wikipedia.org/wiki/DNS_cache_poisoning
DNSSEC Explanation: http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
Tools (online / offline)
  Central Ops: http://centralops.net/co/
  Network Tools: http://network-tools.com/
  DNSStuff (concise responses): http://www.dnsstuff.com/
  Fierce: http://ha.ckers.org/fierce/

CODENAME: Samurai Skills Course
Mail Server Enumeration
Ninja-sec.com

Interacting With Mail Servers During a Penetration Test

Generally a penetration tester may interact with a customer's mail servers in three different ways:
  Attempting to identify valid user names and email addresses through brute force enumeration (i.e. wordlists, etc.)
  Sending spear-phishing emails into the customer organization through the mail servers
  Less often, interacting with client facing aspects of the server (OWA, POP3, IMAP, etc.) through either direct login after harvesting credentials, or possibly attempting to brute force passwords
Like many aspects of conducting time limited pen tests, while there are potentially many activities that could be used to assess a customer's mail services, the tester will need to pare down activities to what is manageable.
  One effective technique may be to discover email addresses through open source research, then verify them against the mail server and enumerate further users

Enumerating Email Addresses through the Mail Server

Three primary SMTP methods are used to enumerate users on a server:
  EXPN Command: Used to expand information for a given email address. Often used to expand a mailing list. Probably the least reliable method as it is not supported in Microsoft Exchange
  VRFY Command: Used to verify that a mailbox is available for delivery. As the potential for abuse is obvious, this command is often turned off by default.
  RCPT TO: Command: Identifies a message recipient. A much more reliable method to use to enumerate users as it is difficult to disable this functionality (it is the basis for identifying the recipient of a message).
Online, manual and automated tools can all be used to enumerate users

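The same three commands are what a mail administrator sends to their own server to confirm that VRFY and EXPN are off and to see whether RCPT TO still separates valid from invalid recipients. The Python example below is added here and is not from the course: it runs the SMTP exchange (banner, EHLO, VRFY, EXPN, then RCPT TO with one known and one non-existent address) and classifies each reply code. The transport is any object with readline/write/flush, so the same function runs over a real socket (open_transport, not exercised here) or against the scripted server included for offline use; mail.example.com, audit.example.net, the addresses and the reply texts are constructed, and the reply codes follow the SMTP conventions (250 confirms, 252 is non-committal, 500/502 not implemented, 550 unknown user).

```python
import socket


def open_transport(host, port=25, timeout=10):
    """Real transport for use against your own server: a buffered file object
    over a TCP socket (not exercised by the offline sample below)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    return sock.makefile("rwb")


def read_reply(f):
    """Read one SMTP reply, joining continuation lines ('250-...'); return (code, text)."""
    lines = []
    while True:
        raw = f.readline().decode("utf-8", "replace").rstrip("\r\n")
        if len(raw) < 3:
            raise ConnectionError("connection closed or malformed reply")
        lines.append(raw[4:])
        if len(raw) == 3 or raw[3] != "-":
            return int(raw[:3]), "\n".join(lines)


def send(f, command):
    f.write((command + "\r\n").encode("ascii"))
    f.flush()
    return read_reply(f)


def classify(code):
    """Map a VRFY/EXPN reply code to what it discloses to a remote party."""
    if code == 250:
        return "enabled (confirms the mailbox exists)"
    if code == 252:
        return "non-committal (252: cannot verify, will accept message)"
    if code in (500, 502):
        return "disabled (command not implemented)"
    if code in (550, 551):
        return "enabled (reveals that the mailbox does not exist)"
    return f"other ({code})"


def audit_user_enumeration(f, known_user="postmaster", helo="audit.example.net"):
    """Run the three chec ks from the slide against one server and report what
    each command discloses. The RCPT probe uses the null sender."""
    read_reply(f)  # banner
    send(f, f"EHLO {helo}")
    results = {}
    code, _ = send(f, f"VRFY {known_user}")
    results["VRFY"] = classify(code)
    code, _ = send(f, f"EXPN {known_user}")
    results["EXPN"] = classify(code)
    send(f, "MAIL FROM:<>")
    known, _ = send(f, f"RCPT TO:<{known_user}>")
    unknown, _ = send(f, "RCPT TO:<no-such-user-audit-probe>")
    if known // 100 == 2 and unknown // 100 == 5:
        results["RCPT"] = "distinguishes valid from invalid recipients"
    else:
        results["RCPT"] = "does not reveal validity at RCPT time"
    send(f, "RSET")
    send(f, "QUIT")
    return results


class ScriptedSmtpServer:
    """Constructed stand-in for a server, for running the audit offline.
    `replies` maps a command verb to its (possibly multi-line) reply; RCPT is
    answered 250 for local parts in `valid_users` ('*' accepts everything,
    like a catch-all) and 550 otherwise."""

    def __init__(self, replies, valid_users):
        self.replies, self.valid_users = replies, valid_users
        self.pending = ["220 mail.example.com ESMTP ready\r\n"]
        self.transcript = []

    def write(self, data):
        cmd = data.decode("ascii").strip()
        self.transcript.append(cmd)
        verb = cmd.split()[0].rstrip(":").upper()
        if verb == "RCPT":
            local = cmd.split("<", 1)[1].split(">", 1)[0].split("@")[0]
            ok = "*" in self.valid_users or local in self.valid_users
            reply = "250 2.1.5 Ok\r\n" if ok else "550 5.1.1 User unknown\r\n"
        else:
            reply = self.replies.get(verb, "250 2.0.0 Ok\r\n")
        self.pending.extend(reply.splitlines(keepends=True))

    def flush(self):
        pass

    def readline(self):
        return self.pending.pop(0).encode("ascii")


# Constructed reply sets: a hardened server and one that confirms mailboxes.
HARDENED = {"EHLO": "250-mail.example.com\r\n250 PIPELINING\r\n",
            "VRFY": "252 2.0.0 Cannot VRFY user\r\n",
            "EXPN": "502 5.5.1 Command not implemented\r\n"}
TALKATIVE = {"EHLO": "250 mail.example.com\r\n",
             "VRFY": "250 2.1.5 postmaster <postmaster@example.com>\r\n",
             "EXPN": "250 2.1.5 postmaster <postmaster@example.com>\r\n"}

if __name__ == "__main__":
    print(audit_user_enumeration(ScriptedSmtpServer(HARDENED, {"postmaster"})))
```

Note what the hardened case shows: even with VRFY returning 252 and EXPN refused, a server that rejects unknown recipients at RCPT time still answers the validity question, which is the slide's point about RCPT TO being hard to disable; the trade-off on the defensive side is between that disclosure and accepting (and later bouncing) mail for every address.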
Command Line Enumeration of Users

Mail servers may be enumerated on the command line using Telnet or NetCat. For large scale enumeration, this would not be very effective. (screenshot)

Online Enumeration of Users

Individual email accounts can be enumerated online, providing a measure of stealth. However, this would again not be very effective on a large scale. (screenshot; annotation: successful validation)

Enumeration of Users Using Automated Tools

smtp-user-enum.pl - Perl script included in the Backtrack suite (screenshot)

Enumeration of Users Using Automated Tools

Nmap NSE script smtp-enum-users.nse
  Usage: nmap --script smtp-enum-users.nse <script-args> <host>
  Uses the userdb from Nmap, so custom dictionaries would need to be added to the default users file (no way to specify a specific file)
    Users file is located in {Nmap directory}/nselib/data/usernames.lst
  Use --script-args smtp-enum-users.domain=<example.com> to append domain names to email addresses (if not defined in the wordlist)
  Full example command:
    nmap --script smtp-enum-users.nse --script-args smtp-enum-users.domain=vglab.com <IP Address>

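From the mail administrator's side, a wordlist run like the smtp-user-enum or Nmap script above shows up in the server log as a burst of "User unknown" rejections from one source. The Python example below is added here and is not part of the course material: it parses Postfix-style smtpd reject lines and flags any source IP that probes a threshold of distinct unknown recipients within a time window. The log lines, host names and addresses are constructed, and the line layout is assumed from Postfix's standard "NOQUEUE: reject" logging.

```python
import re
from collections import defaultdict
from datetime import datetime

# Postfix smtpd reject line for an unknown local recipient (layout assumed from
# Postfix's standard "NOQUEUE: reject" logging).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 .*?<(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def parse_rejects(lines, year=2011):
    """Extract (timestamp, source ip, recipient) from matching log lines.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
            events.append((ts, m["ip"], m["rcpt"].lower()))
    return events


def detect_enumeration(events, threshold=5, window_seconds=300):
    """Return {ip: most distinct unknown recipients seen inside one window}
    for every source that reaches the threshold. A sliding window over the
    time-sorted events keeps the check linear per source."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in sorted(events):
        by_ip[ip].append((ts, rcpt))
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {r for _, r in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


def _reject_line(ts, ip, rcpt):
    """Build one constructed Postfix-style reject line for the sample log."""
    return (f"{ts} mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<> to=<{rcpt}> proto=ESMTP helo=<scanner>")


# Constructed sample log: one host walks a wordlist within two minutes, a second
# host makes two ordinary typos far apart, plus one unrelated accepted connection.
SAMPLE_LOG = [
    _reject_line("Mar  1 10:00:01", "203.0.113.5", "aaron@example.com"),
    _reject_line("Mar  1 10:00:02", "203.0.113.5", "abby@example.com"),
    _reject_line("Mar  1 10:00:04", "203.0.113.5", "adam@example.com"),
    _reject_line("Mar  1 10:00:05", "203.0.113.5", "admin2@example.com"),
    _reject_line("Mar  1 10:00:07", "203.0.113.5", "alex@example.com"),
    _reject_line("Mar  1 10:01:30", "203.0.113.5", "amy@example.com"),
    _reject_line("Mar  1 10:03:12", "198.51.100.7", "jsmth@example.com"),
    "Mar  1 10:03:40 mx1 postfix/smtpd[2230]: 5F2A1: client=mail.partner.test[198.51.100.7]",
    _reject_line("Mar  1 10:45:00", "198.51.100.7", "jsmith2@example.com"),
]


if __name__ == "__main__":
    for ip, count in detect_enumeration(parse_rejects(SAMPLE_LOG)).items():
        print(f"possible user enumeration from {ip}: {count} unknown recipients in 5 min")
```

Counting distinct recipients rather than raw rejections keeps a single mis-typed address that is retried many times from tripping the rule, while a scanner walking a wordlist crosses the threshold within seconds; the same window logic applies to VRFY/EXPN refusals if the server logs them.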
Using Nmap SMTP User Enumeration Script (screenshot)

Dealing with Email Filtration Systems

When sending spear-phishing emails, either as the initial stage of a penetration or just to collect statistics, there are a number of email filtration systems that could block your attempts, including:
  Sender Policy Framework (SPF) policies
  Domain Keys
  Spamtraps
  Rate limiting
  Many, many others
In general, a penetration test conducted in a limited timeframe does not have the ability to attempt to evade spam filtering mechanisms.
  Better to document the protections and work with the customer to work around them (possibly send emails from internal systems, etc.) for the test

Brute Forcing Client Mail Services

Client mail services allow a local mail client to access a user's mailbox. Three primary types of client mail services include:
  Post Office Protocol (POP) 3
    While not related to bruteforcing, it should be noted that POP3 communicates in cleartext
  Internet Message Access Protocol (IMAP)
  Proprietary protocols - Such as Microsoft Outlook and IBM Notes
Both POP3 and IMAP can be vulnerable to network password cracking (covered later)
  However, this is a (relatively) slow operation and not something likely to be performed in a resource limited penetration test