I have set up a rogue email account on a web server that I lease. What we are going to do is find the IP address of the server that handles the site's mail, scan it for open mail-service ports (POP3 and SMTP), feed that information into Hydra, and brute-force the account's password.
I have done this on many occasions as a security tester, and what I have found is that MOST people use the same password for everything. That is why it is important to keep your email password exclusive to that one account. What I have found in 90% of cases is that people have everything linked to their main email address: online banking, website registrations and Facebook, to name a few. All an attacker has to do after gaining access to an important email account is a little detective work along with some "forgot password" forms, and then they pretty much own the victim's e-identity. I'm going to show you how to prevent this from happening to yourself and your clients.
Please note these are real hacking methods that are going to be tested on real servers. One of the IPs I'm going to release correlates to a GoDaddy-hosted server, and even though anyone can find this, I want to say that I do not condone black-hat hacking, nor do I advise anyone to use these methods maliciously. Let's get started.
www.brotherspropertymanagement.com will be our example target.
In BackTrack 5, fire up a terminal, Zenmap and Hydra-GTK (xHydra).
Ping the target web server: the reply shows a secureserver.net hostname along with the IP. Normally, at this point I would run a Zenmap scan against that IP.
However, the scan returns no mail server. This is a practical example of where we can be derailed: the mail server is a different host from the one we scanned. With a little research, though, we can easily find the mail server AND its client settings on Google using the hostname. (The domain's MX record is the quickest way to confirm the inbound mail host; the outbound SMTP host is usually only documented on the provider's email-setup page.)
We have found the link for email setup. You only need to do this when the site is hosted on a product like GoDaddy's shared hosting, where mail runs on separate infrastructure. In other situations the web server itself runs every service behind the site, including back-end things like FTP, HTTP, POP, SMTP and MySQL, and the port scan would have shown the mail ports directly.
Click the link.
Those are the settings. Now we see we have two options: pop.secureserver.net and smtpout.secureserver.net. Keep this in mind: these two hostnames front the shared mail infrastructure for GoDaddy-hosted domains, so they are not specific to this target. That matters because, if you really wanted to, you could scan a range of GoDaddy IPs, visit the websites, harvest the email addresses and build a list to brute-force. This is why I strongly advise a strong, unique password.
Let's choose SMTP. On port 25 the session is not encrypted, the server didn't kick us off after a few failed attempts, AND IT'S FAST, SUPER FAST. Whether a server locks out or throttles repeated failures is the provider's policy, not a property of SMTP, so watch Hydra's output for disconnects or rate-limit responses rather than assuming this holds everywhere.
Ping smtpout.secureserver.net a few times and you will see the IP change between replies; the hostname resolves to several addresses. It really doesn't matter, because we target the hostname. Open xHydra and configure it like this:
Single target: smtpout.secureserver.net (the mail server)
Port: 25 (the default unencrypted SMTP port)
Protocol: smtp (Simple Mail Transfer Protocol)
As always, tick "Show attempts".
On the Passwords tab, the username must always be the full address including the @domain.com part; our user is
rogueaccount@brotherspropertymanagement.com
Select your password list. Refer to my last post on how to find a wordlist in BackTrack, or click here for a wordlist.
Go to the Start tab and click Start.
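The xHydra settings above drive one SMTP AUTH exchange per candidate password, and the "not encrypted" point deserves a concrete look: on port 25 without STARTTLS, both AUTH LOGIN and AUTH PLAIN carry the mailbox name and password as plain base64, which is encoding, not encryption. The script below is an added example, not code from the original post or from Hydra; it reconstructs both sides of one attempt using placeholder hosts and credentials (example.invalid, not the post's target) and shows that anyone who captured the session could read the password straight back out.

```python
"""What one SMTP AUTH attempt looks like on a plaintext port 25 session.

Added example, not code from the original post. Host names, mailbox and
password are placeholders (example.invalid), not the post's target.
"""
import base64
from typing import Optional

# RFC 4954: the AUTH LOGIN prompts are nothing more than base64 of fixed strings.
USERNAME_PROMPT = "334 " + base64.b64encode(b"Username:").decode()  # 334 VXNlcm5hbWU6
PASSWORD_PROMPT = "334 " + base64.b64encode(b"Password:").decode()  # 334 UGFzc3dvcmQ6

Transcript = list[tuple[str, str]]  # ("S" server / "C" client, line without CRLF)


def auth_login_transcript(user: str, password: str, success: bool = False) -> Transcript:
    """Both sides of one AUTH LOGIN attempt, as a brute-forcer performs it per password."""
    return [
        ("S", "220 mail.example.invalid ESMTP"),          # constructed banner
        ("C", "EHLO tester.example.invalid"),
        ("S", "250-mail.example.invalid"),
        ("S", "250 AUTH LOGIN PLAIN"),                    # AUTH offered, no STARTTLS line
        ("C", "AUTH LOGIN"),
        ("S", USERNAME_PROMPT),
        ("C", base64.b64encode(user.encode()).decode()),      # mailbox, merely base64
        ("S", PASSWORD_PROMPT),
        ("C", base64.b64encode(password.encode()).decode()),  # password, merely base64
        ("S", "235 2.7.0 Authentication successful" if success
         else "535 5.7.8 Authentication credentials invalid"),
    ]


def auth_plain_command(user: str, password: str, authzid: str = "") -> str:
    """The one-line AUTH PLAIN form (RFC 4616): base64(authzid NUL authcid NUL passwd)."""
    raw = f"{authzid}\0{user}\0{password}".encode()
    return "AUTH PLAIN " + base64.b64encode(raw).decode()


def offers_auth_without_starttls(transcript: Transcript) -> bool:
    """True if the server advertised AUTH in its EHLO reply but never STARTTLS."""
    advertised = set()
    for side, line in transcript:
        if side == "S" and line[:3] == "250":
            words = line[4:].split()
            if words:
                advertised.add(words[0].upper())
    return "AUTH" in advertised and "STARTTLS" not in advertised


def recover_credentials(transcript: Transcript) -> Optional[tuple[str, str]]:
    """Recover (user, password) from a captured plaintext session, LOGIN or PLAIN."""
    client = [line for side, line in transcript if side == "C"]
    for pos, line in enumerate(client):
        words = line.split(None, 2)
        if len(words) < 2 or words[0].upper() != "AUTH":
            continue
        mech = words[1].upper()
        initial = [words[2]] if len(words) == 3 else []  # optional initial response
        parts = initial + client[pos + 1:]                # then later client lines
        if mech == "PLAIN" and parts:
            _authzid, user, password = base64.b64decode(parts[0]).decode().split("\0", 2)
            return user, password
        if mech == "LOGIN" and len(parts) >= 2:
            user, password = (base64.b64decode(p).decode() for p in parts[:2])
            return user, password
        return None
    return None


if __name__ == "__main__":
    for side, line in auth_login_transcript("rogueaccount@example.invalid", "Winter2012!"):
        print(side, line)
    print(recover_credentials(auth_login_transcript("rogueaccount@example.invalid", "Winter2012!")))
```

The `offers_auth_without_starttls` check is the one a defender wants: a server that advertises AUTH without STARTTLS, or accepts AUTH before TLS is negotiated, exposes every client's password to anyone on the path, which is a second problem with a plaintext submission port on top of the brute-force one. Nothing in base64 slows down or limits guessing; the only thing standing between this exchange and a `235` success is how guessable the password is.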
Then we have success. I will be removing the rogue account so you little bastards don't try any funny business.
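The post's observation that the server never "kicked us off" is the defender's failure mode in this story: a mail server that throttles or locks out after a handful of failures stops a wordlist cold, and one that does not at least leaves a very loud trail. The script below is an added example, not code from the original post; it runs a simple brute-force detection over constructed, Postfix-like authentication log lines (the field layout is an assumption, and the addresses are documentation ranges), flagging any source address that racks up repeated failures against one mailbox inside a short window, and whether a success followed, which is exactly the outcome the post demonstrates.

```python
"""Detect an SMTP AUTH brute force from mail-server authentication logs.

Added example, not from the original post. Log lines are constructed in a
Postfix-like syslog style; the exact layout is an assumption, and the IPs are
documentation ranges rather than any real server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 hammers one mailbox and finally gets in;
# 198.51.100.2 is a single ordinary typo from a legitimate user.
SAMPLE_LOG = """\
Mar 14 10:00:01 mx smtpd[4242]: connect from unknown[203.0.113.7]
Mar 14 10:00:01 mx smtpd[4242]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: user=rogueaccount@example.invalid
Mar 14 10:00:02 mx smtpd[4242]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: user=rogueaccount@example.invalid
Mar 14 10:00:03 mx smtpd[4242]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: user=rogueaccount@example.invalid
Mar 14 10:00:04 mx smtpd[4242]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: user=rogueaccount@example.invalid
Mar 14 10:00:05 mx smtpd[4242]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: user=rogueaccount@example.invalid
Mar 14 10:00:06 mx smtpd[4242]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: user=rogueaccount@example.invalid
Mar 14 10:00:09 mx smtpd[4242]: unknown[203.0.113.7]: SASL LOGIN authentication succeeded: user=rogueaccount@example.invalid
Mar 14 10:03:30 mx smtpd[4250]: warning: unknown[198.51.100.2]: SASL LOGIN authentication failed: user=alice@example.invalid
"""

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: "
    r"(?:warning: )?\S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication "
    r"(?P<result>failed|succeeded): user=(?P<user>\S+)"
)


def parse_auth_events(log_text):
    """Group auth outcomes by (source ip, mailbox) as sorted (timestamp, result) lists."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # connects, deliveries and so on are not auth outcomes
        # syslog timestamps carry no year; fine for relative windows within one file
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events[(m["ip"], m["user"])].append((ts, m["result"]))
    for evs in events.values():
        evs.sort()
    return events


def max_failures_in_window(times, window):
    """Largest number of failures inside any span of length `window` (sliding window)."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert on any (ip, mailbox) with at least `threshold` failures inside `window`.

    success_after marks the worst case: the guessing stopped because a
    password worked, so the account should be treated as compromised.
    """
    alerts = []
    for (ip, user), evs in parse_auth_events(log_text).items():
        fails = [t for t, r in evs if r == "failed"]
        peak = max_failures_in_window(fails, window)
        if peak < threshold:
            continue
        success_after = any(r == "succeeded" and t >= fails[0] for t, r in evs)
        alerts.append({"ip": ip, "user": user, "failures": peak,
                       "success_after": success_after})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample, the single legitimate typo from 198.51.100.2 never reaches the threshold, while the run from 203.0.113.7 is flagged with `success_after` set, which is the signal to reset the password and check what the mailbox was subsequently used for. On a shared provider host like the one in the post, the same counting should also be done per mailbox across all source addresses, since a guessing run spread over many IPs looks like noise per IP but not per account.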
RECAP:
1. Find Target
2. Find SMTP Mail Server
3. Input data to Hydra
4. Crack away