SMTP Headers
Where an SMTP mail server is present, internal topology may be discovered by passing an e-mail through the system and examining the
resulting headers. For example, if a mail is sent to
in.valid.user@example.com on our example network, we should
(eventually) receive a bounced e-mail back from mail, whose headers
would reveal each stage of the mail’s path through the organization - in
this example potentially giving us IPs and machine names for the
firewall (both DMZ IPs and the internal address), the external mail
server (smtp), the content scanner (scan) and the internal mail server
(mail).
Although this hasn’t involved accessing any systems illegitimately, the
internal addressing and naming discovered could prove useful later in
the attack.
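The same headers can be checked from the defending side by sending a test message to a non-existent user at your own domain and reading the bounce. The Python below is an added example, not part of the original post: it lists each Received hop and flags RFC 1918 addresses. The sample bounce and its IP addresses are constructed; only the host names smtp, scan and mail come from the text above.

```python
import email
import ipaddress
import re

# Constructed sample bounce for the page's example network. Host names
# smtp, scan and mail are from the text; every IP address is made up.
SAMPLE_BOUNCE = """\
Received: from smtp.example.com (smtp.example.com [192.0.2.25])
\tby mx.sender.test with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from scan.example.com (scan [10.1.1.20])
\tby smtp.example.com with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.example.com (mail [10.1.2.10])
\tby scan.example.com with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: MAILER-DAEMON@example.com
To: tester@sender.test
Subject: Undeliverable: test

User unknown
"""

# Matches the common "from NAME (RDNS [IP])" form of a Received header.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def received_hops(raw_message):
    """Return (name, ip, is_internal) per Received header, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # header form without a bracketed address
        try:
            ip = ipaddress.ip_address(m.group(3))
        except ValueError:
            continue  # bracketed text was not a valid address
        hops.append((m.group(1), str(ip), any(ip in net for net in RFC1918)))
    return hops

def leaked_internal(raw_message):
    """Hops with a private address: internal detail an outsider can read."""
    return [(n, ip) for n, ip, internal in received_hops(raw_message) if internal]

if __name__ == "__main__":
    for name, ip in leaked_internal(SAMPLE_BOUNCE):
        print(f"internal hop exposed: {name} {ip}")
```

Any hop this reports is a candidate for header rewriting or removal at the outbound gateway.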
Example
Retrieving a set of SMTP headers from a target is a relatively
straightforward task. An online mail account (e.g. mail.yahoo.com) can be used
to send a message to a non-existent user at the target, or an SMTP mail
can be constructed as below.
First we establish the mail servers for the company, using a tool such as
dig.