DELIVERY FAILURE Getting internal mail server ip without getting in the box.
Hxxp.milw0rm.com/papers/172
Title: Tactical Exploitation OR "The Other Way to Pen-Test"
Bounce Messages
One of the best techniques available for internal network discovery is the e-mail "bounce" feature of many mail servers. The attack works by sending an email destined to a non-existent user at the target organization. The email server will send a bounce message back indicating that the user does not exist. This bounce message often contains the internal IP address and host name of the mail server itself. This technique is particularly effective against Exchange servers that are placed behind a mail relay of some sort. For example, the following headers expose the internal host name and IP address of RSA.com's mail server:
Some of the bounce emails might not give you the internal IP of their mail box but will give you the ones of your Google, Yahoo, MSN, etc.

Code:
Received: (qmail 10315 invoked from network); 28 Jun 2007 15:11:29 -0500
Received: from unknown (HELO gateway1.rsasecurity.com) (216.162.240.250) by [censored] with SMTP; 28 Jun 2007 15:11:29 -0500
Received: from hyperion.rsasecurity.com by gateway1.rsasecurity.com via smtpd (for [censored]. [xxx.xxx.xxx.xxx]) with SMTP
Received: from localhost (localhost) by hyperion.na.rsa.net (MOS 3.8.3-GA) with internal id DEP35818; Thu, 28 Jun 2007 16:18:14 +0500 (GMT-5)
Date: Thu, 28 Jun 2007 16:18:14 +0500 (GMT-5)
From: Mail Delivery Subsystem <MAILER-DAEMON@hyperion.na.rsa.net>
Message-Id: <200706281118.DEP35818@hyperion.na.rsa.net>
To: user@[censored]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="DEP35818.1183029494/hyperion.na.rsa.net"
Subject: Returned mail: User unknown (from [10.100.8.152])
So what can "The Other Way to Pen-Test" be? If anyone knows, can he add it to this post?
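For a mail admin who wants to see what their own server's bounces disclose, here is an added example (not from the paper or from any poster in this thread): it scans a bounce's headers for RFC 1918 addresses and for host names outside the domains you expect to expose. The sample message, the `audit_bounce` name and the `allowed_suffixes` parameter are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample shaped like the bounce quoted above; all names are placeholders.
SAMPLE_BOUNCE = """\
Received: from unknown (HELO gw.example.com) (203.0.113.10)
 by mx.example.net with SMTP; 28 Jun 2007 15:11:29 -0500
Received: from localhost (localhost) by mail01.corp.example.internal
 with internal id ABC123; Thu, 28 Jun 2007 16:18:14 -0500
From: Mail Delivery Subsystem <MAILER-DAEMON@mail01.corp.example.internal>
Message-Id: <200706281118.ABC123@mail01.corp.example.internal>
Subject: Returned mail: User unknown (from [10.100.8.152])

The original message was undeliverable.
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Headers that commonly carry server-generated host and address details.
AUDITED = ("Received", "From", "Message-Id", "Subject", "Content-Type")

def audit_bounce(raw, allowed_suffixes):
    """Return sorted (header, kind, value) findings for one raw bounce message.

    allowed_suffixes (hypothetical parameter): tuple of domain suffixes you
    accept seeing in outbound mail, e.g. (".example.com",).
    """
    msg = message_from_string(raw)
    findings = set()
    for name in AUDITED:
        for value in msg.get_all(name, []):
            value = " ".join(str(value).split())  # unfold continuation lines
            for text in IPV4.findall(value):
                try:
                    addr = ipaddress.ip_address(text)
                except ValueError:  # e.g. 999.1.1.1 is not an address
                    continue
                if any(addr in net for net in RFC1918):
                    findings.add((name, "private-ip", text))
            for host in HOST.findall(value):
                if not host.lower().endswith(allowed_suffixes):
                    findings.add((name, "unlisted-host", host.lower()))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_bounce(SAMPLE_BOUNCE, (".example.com", ".example.net")):
        print(*finding, sep="\t")
```

Run it against a bounce your own server generates for a test address; any finding is something the relay or the bounce template should rewrite or strip.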
You want to delete the other thread you started with the same title?
Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69
It has also become fairly common practice for Mail admins to configure their mail servers to not generate bounce messages with the advent of back-scatter SPAM.
I have my system set to do so, and I've seen many others doing it as well.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
I'm trying to both test/prove so I can learn about it and protect our systems.
You misunderstood me. Are you simply trying to test or prove whether or not you can get the internal IP of the server? Or something more/different?
Sorry,
I am trying to test