Thursday, November 13, 2014

Hacking the Human Firewall -- Part 2

One of the most useful things you can do which is particularly useful is using read receipts to map a network and target out.

Most people acknowledge read receipts (knowingly or unknowingly) and they also leave their email application opening webpages externally.

Read receipts are interesting because inside of the email headers you get a clear view of a lot of information. Ingress/Egress IPs, anti-virus and spam services, AD information (yes, Active Directory information) and a few other interesting bits.

Along with that, if you're lucky enough to have someone using IMAP/SMTP or POP3/SMTP, you'll get a fair amount of information about their machine.

Take this read receipt/email heard for example. Thing to remember: No one needed to reply to this! They opened the email and allowed the read receipt to be sent. Many times, even if they have it shut off, you can get something from another part of the system (We'll cover that in another post.)

1. Egress IP of the mail server.
2. IP of the mailhandler IP on your end
3. Declared Mail Connector Name
4. FQDN (external) of the server sending it.
5. INTERNAL AD NAME of the originating server AND the next server to handle it.
6. Identifying information about the mail servers internally
7. Declared Connector name and IPv6 information

Let's discuss:

1. Egress IP - Many organizations, particularly smaller ones, will have it "all on one box" or separate the roles out so that the SMTP handler is also a client access server. You now have confirmed operational receipt of the mail server, that the address works. You have also confirmed that you have an SMTP connector to run AUTH attempts against.

2. You have confirmed they are able to query DNS and find your name. Useful for other purposes later

3. This is the "banner name" of the mail server. Many admins never change this, much less know that it exists. These folks "did it right" but many do not. This is typically left as the default which gives you a good amount of information on the organization as you will see below.

4. FQDN, also a useful piece of data.

5. INTERNAL DNS NAME OF THE ORIGINATING SERVER. As these folks left it default, I now have the server NAME of the email server and ITS INTERNAL IP ADDRESS.

6. I can use this to figure out what version of exchange this is. Google will tell you it's Exchange 2010 SP3.

7. Again, I have ANOTHER email (and internal) server name, AD information and that they have IPv6 going.

From one read receipt, I know quite a bit.

If they're using domain\credential for authentication, I now have that.
If I can breach the perimeter in some manner, the internal IP becomes extremely useful.
I know the admins aren't security conscious and don't change defaults (connector names and DNS), I have a good idea that stuff may remain default/un-hardened/unpatched. Admin/admin anyone?
I know the version of exchange and if it's vulnerable I can run attacks against it.
IPv6 may be in use, which opens up a new world of exploration for me.

All that, from a read receipt. Pairing that with the fact that most Exchange Orgs use the email address/login name matching scheme. I have a point of entry and places to use it. be continued....

No comments:

Post a Comment