
Where Would The Login Screen Be?



This is something I have been confused about for some time.

Take a major company. Its employees have john_smith@company.com (for example).

But what I don't really understand is where the employees log in to access their e-mails. How would a person who doesn't work for the company find out?

I know you can try exchange, mail, webmail (etc) .company.com but if they do not work then what? Of course, the company may use a third party service.

I am just wondering how you would find out where people log in to, for example, the BBC, or NBC, or CNN, or any major company?


If you know people or colleagues who work for the company, you could ask them for such information.


It starts with DNS, since everything that is mapped somewhere uses DNS. Use nslookup to check, but not all servers will return anonymous queries from the internet.

For example, in Windows, open a command prompt. Type nslookup. Once you do this, you will be in the nslookup shell.


set type=mx

Then type the domain you want to query and hit enter.

cnn.com, for example:

Default Server:  resolver2.opendns.com
> set type=mx
> cnn.com
Server:  resolver2.opendns.com

Non-authoritative answer:
cnn.com MX preference = 10, mail exchanger = atlmail5.turner.com
cnn.com MX preference = 10, mail exchanger = hkgmail1.turner.com
cnn.com MX preference = 10, mail exchanger = lonmail1.turner.com
cnn.com MX preference = 10, mail exchanger = nycmail1.turner.com
cnn.com MX preference = 10, mail exchanger = nycmail2.turner.com
cnn.com MX preference = 10, mail exchanger = atlmail3.turner.com

As far as the login screen goes, most employees would probably access it via some portal on the intranet at work that points to the proper mail server, or already have email clients set up for them on the machines by the IT departments.

Edited by digip
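
An added example, not part of digip's post: a small Python parser for nslookup MX output in the layout shown above, which an administrator can use to review what their own domain's public MX records disclose about where mail is hosted. The sample output and hostnames are constructed, and the own-domain check is a plain suffix comparison (an assumption; it does not consult the Public Suffix List).

```python
import re
from collections import defaultdict

# Matches one answer line of Windows nslookup output after "set type=mx".
MX_LINE = re.compile(
    r"^(?P<domain>\S+)\s+MX preference = (?P<pref>\d+), "
    r"mail exchanger = (?P<host>\S+)$"
)

# Constructed sample in the same layout as the session above (not real data).
SAMPLE = """\
Server:  resolver.example.net

Non-authoritative answer:
example.com MX preference = 10, mail exchanger = mail1.example.com
example.com MX preference = 10, mail exchanger = mx-a.mailhost.example.net
example.com MX preference = 20, mail exchanger = mx-b.mailhost.example.net.
"""

def parse_mx(output):
    """Return (domain, preference, exchanger) tuples, lowest preference first."""
    records = []
    for line in output.splitlines():
        m = MX_LINE.match(line.strip())
        if m:  # prompt lines ("> set type=mx") and headers simply do not match
            host = m["host"].rstrip(".").lower()  # drop the trailing root dot
            records.append((m["domain"].lower(), int(m["pref"]), host))
    return sorted(records, key=lambda r: (r[1], r[2]))

def summarize(records):
    """Group exchangers by whether they sit under the queried domain."""
    summary = defaultdict(list)
    for domain, _pref, host in records:
        # Assumption: plain suffix match stands in for a registrable-domain check.
        inside = host == domain or host.endswith("." + domain)
        summary["own domain" if inside else "other domain"].append(host)
    return dict(summary)

if __name__ == "__main__":
    for kind, hosts in summarize(parse_mx(SAMPLE)).items():
        print(f"{kind}: {', '.join(hosts)}")
```

Exchangers reported under "other domain" mean mail is handled by a parent company or a hosting provider, which is the third-party case raised in the original question.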

As per digip:

Try using http://www.serversniff.net/index.php to investigate what DNS records they have. You may find with large organisations like the BBC etc. that they don’t use webmail, and remote access to email is either provided by a mobile device, e.g. BlackBerry, or they are required to run Outlook via a terminal session / Citrix.

I guess it’s viewed as convenience versus security.


The normal, non-S.E. route I would have taken in this scenario is first do a DNS bruteforce to try to find what servers the company has, and if any of them is named mail.companyname.com or similar, then I would have done a daemon fingerprint on the most promising servers with tools like nmap.

I would also try to send a mail to their support or customer relations department asking an easy and simple question, and examine the mail header of the reply for any clues.

If the company has any offices in driving distance from my location, I would also pack my war driving kit, take a field trip, try to access the network, and ARP poison it, and capture the packets, to see which sites and which protocols the staff uses.
