Thread: DELIVERY FAILURE Getting internal mail server ip without getting in the box

  1. #1
    Junior Member
    Join Date
    May 2008
    Posts
    35

    Default DELIVERY FAILURE Getting internal mail server ip without getting in the box

    DELIVERY FAILURE Getting internal mail server ip without getting in the box.

    Hxxp.milw0rm.com/papers/172
    Title:
    Tactical Exploitation

    OR

    "The Other Way to Pen-Test"

    Bounce Messages

    One of the best techniques available for internal network discovery is the e-mail
    "bounce" feature of many mail servers. The attack works by sending an email
    destined to a non-existent user at the target organization. The email server will
    send a bounce message back indicating that the user does not exist. This bounce
    message often contains the internal IP address and host name of the mail server
    itself. This technique is particularly effective against Exchange servers that are
    placed behind a mail relay of some sort. For example, the following headers
    expose the internal host name and IP address of RSA.com's mail server:

    Code:
    Received: (qmail 10315 invoked from network); 28 Jun 2007 15:11:29 -0500
    Received: from unknown (HELO gateway1.rsasecurity.com) (216.162.240.250)
       by [censored] with SMTP; 28 Jun 2007 15:11:29 -0500
    Received: from hyperion.rsasecurity.com by gateway1.rsasecurity.com
       via smtpd (for [censored]. [xxx.xxx.xxx.xxx]) with SMTP
    Received: from localhost (localhost)
       by hyperion.na.rsa.net (MOS 3.8.3-GA)
       with internal id DEP35818;
       Thu, 28 Jun 2007 16:18:14 +0500 (GMT-5)
    Date: Thu, 28 Jun 2007 16:18:14 +0500 (GMT-5)
    From: Mail Delivery Subsystem <MAILER-DAEMON@hyperion.na.rsa.net>
    Message-Id: <200706281118.DEP35818@hyperion.na.rsa.net>
    To: user@[censored]
    MIME-Version: 1.0
    Content-Type: multipart/report;
       report-type=delivery-status;
       boundary="DEP35818.1183029494/hyperion.na.rsa.net"
    Subject: Returned mail: User unknown (from [10.100.8.152])

    Some bounce emails might not give you the internal IP of their mailbox, but will give you those of your Google, Yahoo, MSN, etc.

    So what can "The Other Way to Pen-Test" be? If anyone knows, can they add it to this post?

  2. #2
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817

    Default

    You want to delete the other thread you started with the same title?
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  3. #3
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    It has also become fairly common practice for mail admins to configure their mail servers to not generate bounce messages with the advent of backscatter spam.

    I have my system set to do so, and I've seen many others doing it as well.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  4. #4
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by demonize View Post
    So what can be the "The Other Way to Pen-Test" if anyone knows can he add it to this post.
    It depends what you're actually trying to test/prove.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5
    Junior Member
    Join Date
    May 2008
    Posts
    35

    Default

    I'm trying to both test and prove, so I can learn about it and protect our systems.

  6. #6
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    You misunderstood me. Are you simply trying to test or prove whether or not you can get the internal IP of the server? Or something more/different?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  7. #7
    Junior Member
    Join Date
    May 2008
    Posts
    35

    Default

    Sorry,
    I am trying to test
