.

Cracking Passwords...Do You Go To This Extent?

<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Fri Feb 27, 2009 5:27 pm

Cracking Passwords...Do You Go To This Extent?

What's Up Ethicalhacker.net,

I was wondering & since I don't see it listed in security courses, when you are involved in a penetration test, you may often crack an ssh or ftp password, windows account passwords with Ophcrack (like how Apollo did in Part 2 of His 15 Minute Pentest), but I was wondering, do you guys actually go to the extent of accessing the users mail account? I'm sure some of you could use tools such as wifizoo, etc to perform session hijacking but do you guys actually go to the extent to say, "Here's an employees (possibly the IT Admin) e-mail address, I'm going to run a brute force utility against it, obtain the password (if I can) and not change it but go through his mail to obtain more information". Is this even an option for you guys or do you consider cracking the users e-mail address passwords unethical?
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Fri Feb 27, 2009 8:14 pm

Re: Cracking Passwords...Do You Go To This Extent?

Short Answer: It all depends on the [written] rules of engagement and scope.

Usually the email password is the same as his other credentials so email isn't as juicy as access to a server, firewall, or whatever. Email can be useful for getting information and for social engineering attacks, but it totally depends on the rules of engagement. The cracking of the email passwords in itself wouldn't determine the ethical line (assuming you have the ok), the agreement you have with the client is the gold standard - cross that line and you can even go to jail.
Last edited by timmedin on Fri Feb 27, 2009 8:22 pm, edited 1 time in total.
twitter.com/timmedin | http://blog.securitywhole.com
<<

sgt_mjc

Sr. Member
Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Sat Feb 28, 2009 12:37 am

Re: Cracking Passwords...Do You Go To This Extent?

We don't go for the email password, but we do shoot for any account on the system when we do a test event. Often our client wants to know about any passwords that are not up to snuff with the requirements. And we regularly break the weak passwords. We are looking at ginning up some rainbow tables to help with the harder stuff. Should be fun.
Mike Conway
CISSP
CompTia Security +
C|EH
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sat Feb 28, 2009 11:43 am

Re: Cracking Passwords...Do You Go To This Extent?

Sometimes they have webmail exposed to the internet and it can be prime for password guessing attacks, but again, it depends on the rules of engagement.
twitter.com/timmedin | http://blog.securitywhole.com

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software