EXTRACTING INFORMATION FROM E-MAIL SERVERS

E-Mail Servers: E-mail servers can provide a wealth of information for hackers and penetration testers. In many ways, e-mail is like revolving door to your target’s organization.

Assuming your target is hosting their own e-mail server, this is often a great place to attack. It is important to remember.

“You can’t block what you must let in.”

In other words, for e-mail to function properly, external traffic must pass through your border devices like routers and firewalls, to an internal machine, typically somewhere inside your protected networks.

As a result of this, we can often gather significant pieces of information by interacting directly with the e-mail sever.

One of the first thing to do when attempting to recon an e-mail server is to send an e-mail to the organization with an empty .bat file or a nonmalicious .exe file like calc.exe.

In this case, the goal is to send a message to the target e-mail server inside the organization in the hope of having the e-mail server inspect, and then reject the message.

Once the rejected message is returned back to us, we can attempt to extract information about the target e-mail server.

In many cases, the body of the message will include a precanned write-up explaining that the server does not accept e-mails with potentially dangerous extensions.

This message often indicates the specific vendor and version of antivirus that was used to scan the e-mail. As an attacker, this is a great piece of information to have.

Having return message from a target e-mail server also allows us to inspect the header of the e-mail.

Inspecting the internet headers will often allow us to extract some basic information about the e-mail server, Including IP addresses and the specific software versions or brand of e-mail server running.

Knowing the IP address and software version scan is incredibly useful when we move into the exploitation phase (step 3).