The Ethical Hacker Network - Cracking Passwords...Do You Go To This Extent?

Latest Additions

Who's Online

xXxKrisxXx

Hero Member

Offline

Posts: 512

Cracking Passwords...Do You Go To This Extent?

« on: February 27, 2009, 04:27:08 PM »

What's Up Ethicalhacker.net,

I was wondering & since I don't see it listed in security courses, when you are involved in a penetration test, you may often crack an ssh or ftp password, windows account passwords with Ophcrack (like how Apollo did in Part 2 of His 15 Minute Pentest), but I was wondering, do you guys actually go to the extent of accessing the users mail account? I'm sure some of you could use tools such as wifizoo, etc to perform session hijacking but do you guys actually go to the extent to say, "Here's an employees (possibly the IT Admin) e-mail address, I'm going to run a brute force utility against it, obtain the password (if I can) and not change it but go through his mail to obtain more information". Is this even an option for you guys or do you consider cracking the users e-mail address passwords unethical?


	Logged

eCPPT, GCIH, OSCP, OSWP

timmedin

Sr. Member

Offline

Posts: 469

Re: Cracking Passwords...Do You Go To This Extent?

« Reply #1 on: February 27, 2009, 07:14:21 PM »

Short Answer: It all depends on the [written] rules of engagement and scope.

Usually the email password is the same as his other credentials so email isn't as juicy as access to a server, firewall, or whatever. Email can be useful for getting information and for social engineering attacks, but it totally depends on the rules of engagement. The cracking of the email passwords in itself wouldn't determine the ethical line (assuming you have the ok), the agreement you have with the client is the gold standard - cross that line and you can even go to jail.


« Last Edit: February 27, 2009, 07:22:36 PM by timmedin »	Logged

twitter.com/timmedin | http://blog.securitywhole.com

sgt_mjc

Sr. Member

Offline

Posts: 294

Re: Cracking Passwords...Do You Go To This Extent?

« Reply #2 on: February 27, 2009, 11:37:45 PM »

We don't go for the email password, but we do shoot for any account on the system when we do a test event. Often our client wants to know about any passwords that are not up to snuff with the requirements. And we regularly break the weak passwords. We are looking at ginning up some rainbow tables to help with the harder stuff. Should be fun.


	Logged

Mike Conway
CISSP
CompTia Security +
C|EH

timmedin

Sr. Member

Offline

Posts: 469

Re: Cracking Passwords...Do You Go To This Extent?

« Reply #3 on: February 28, 2009, 10:43:28 AM »

Sometimes they have webmail exposed to the internet and it can be prime for password guessing attacks, but again, it depends on the rules of engagement.