An nslookup query can reveal a domain's MX server. An attacker who connects to the SMTP port and issues commands (in accordance with that protocol) can breach the security of the firm or user if a vulnerability can be exploited. The attacker can use this to send email that will appear to be from the address of the target user. The attacker can even send a mail asking users to change passwords on behalf of the system administrator.
This is useful when the email address is the only information available at hand.
An attacker might use this to track the user to their e-mail server. An added benefit is that the attacker will be able to see what SMTP software the mail server is running (often with version information as well). Information about the mail server can help if the attacker knows a vulnerability that can be exploited in order to gain more access to other resources or to cause damage to the system.
Readers who are interested in reading a real scenario may refer to the 'Bunratty Attack' by Vince Gallo. It shows how he created covert channels using valid MAPI email. A copy of the presentation is available at http://chi-publishing.com/isb/backissues/ISB 2001/ISB0605/ISB0605VG.pdf
It demonstrates how one can use a valid application (in this case MAPI email) to covertly communicate with and even remotely control a system on an otherwise protected network. All traffic appears to be valid email.
The other tool that can analyze email headers is eMailTrackerPro.
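To see what header analysis exposes about your own mail servers, the added example below (not taken from the original page or from any tool it names) parses the Received headers of a message into the relay path and lists the relays whose stamp reveals a software version. The sample message, host names, addresses and the function names trace_hops and servers_disclosing_version are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic): reserved example domains,
# documentation IP ranges, made-up queue id.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.org (Postfix) with ESMTP id 4ABCD123
\tfor <bob@example.org>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from client.example.com ([198.51.100.7])
\tby mx.example.net with Microsoft SMTPSVC(6.0.3790.4675);
\tMon, 1 Jan 2024 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Subject: test

body
"""

# "from <name> ... [<ip>] ... by <server> <everything up to the date>"
HOP = re.compile(r"\bfrom\s+(?P<src>\S+).*?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
                 r".*?\bby\s+(?P<by>\S+)\s*(?P<detail>[^;]*)")
VERSION = re.compile(r"\d+(?:\.\d+)+")  # dotted version such as 6.0.3790

def trace_hops(raw):
    """Return the relay path oldest-first, one dict per Received header."""
    hops = []
    # Each relay prepends its header, so reverse to get delivery order.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # e.g. "Received: by ..." lines with no peer address
        ver = VERSION.search(m["detail"])
        hops.append({"from": m["src"], "ip": m["ip"], "by": m["by"],
                     "detail": m["detail"].strip(),
                     "version": ver.group(0) if ver else None})
    return hops

def servers_disclosing_version(hops):
    """Relays whose Received stamp reveals a software version string."""
    return [h["by"] for h in hops if h["version"]]

if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(SAMPLE), 1):
        print(n, hop["from"], hop["ip"], "->", hop["by"], "|", hop["detail"])
    print("version disclosed by:", servers_disclosing_version(trace_hops(SAMPLE)))
```

Only the Received lines stamped by servers you control can be trusted; everything below them is supplied by the sending side and may be forged.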