Where Would The Login Screen Be?

[billyblaxsta]

This is something I have been confused about for some time.

Take a major company. It's employees have john_smith@company.com (for example).

But what I don't really understand is where the employees login to access their e-mails. How would a person who doesn't work for the company find out?

I know you can try exchange, mail, webmail (etc) .company.com but if they do not work then what? Of course, the company may use a third party service.

I am just wondering how you would find out where people login to for example the BBC, or NBC, or CNN, or any major company?

[Sparda]

Get a temp job there.

[Mr-Protocol]

Typically there is a mail server (Exchange).

You can try social engineering techniques to find out information.

[Infiltrator]

If you know people or colleges who works for the company, you could ask them for such information.

[digip]

Starts with DNS, since everything that is mapped somewhere, uses DNS. Use nslookup to check, but not all servers will return anonymous queries from the internet.

For example, in windows, open a command prompt. Type nslookup. Once you do this, you will be in the nslookup shell.

type:

set type=mx

Then type the domain you want to query and hit enter.

cnn.com for example :

c:\nslookup
Default Server:  resolver2.opendns.com
Address:  208.67.220.220
> set type=mx
> cnn.com
Server:  resolver2.opendns.com
Address:  208.67.220.220

Non-authoritative answer:
cnn.com MX preference = 10, mail exchanger = atlmail5.turner.com
cnn.com MX preference = 10, mail exchanger = hkgmail1.turner.com
cnn.com MX preference = 10, mail exchanger = lonmail1.turner.com
cnn.com MX preference = 10, mail exchanger = nycmail1.turner.com
cnn.com MX preference = 10, mail exchanger = nycmail2.turner.com
cnn.com MX preference = 10, mail exchanger = atlmail3.turner.com
>

As far as login screen, most employees would probably access it via some portal on the intranet at work that points to the proper mailserver, or already have email clients setup for them on the machines by the IT departments.

Edited August 5, 2011 by digip

[MRGRIM]

As per digip:

Try using http://www.serversniff.net/index.php, to investigate what DNS records they have. You may find with large organisations like the BBC etc that they don’t use Webmail and remote access to email is either provided by a mobile device e.g. BlackBerry or they are required to run Outlook via a terminal session / Citrix.

I guess it’s viewed as convenience versus security.

[wezyap]

The normal, non S.E, route I would have taken in this scenario is first do a dns bruteforce to try to find what servers the company has, and if any of them is named mail.companyname.com or similar, then I would have done a daemon fingerprint on the most promising servers with tools like nmap.

I would also try to send a mail to they'r support or customer relations department asking a easy and simple question, and examined the mail header of the replay for any clues.

If the company has any offices i driving distance from my location, I would also pack my war driving kit, take a field trip, try to access the network, and ARP poision it, and capture the packets, to see which sites and which protocols the staff uses.