billyblaxsta Posted August 4, 2011

This is something I have been confused about for some time. Take a major company. Its employees have john_smith@company.com (for example). But what I don't really understand is where the employees log in to access their e-mails. How would a person who doesn't work for the company find out? I know you can try exchange, mail, webmail (etc.) .company.com, but if they do not work, then what? Of course, the company may use a third-party service. I am just wondering how you would find out where people log in to, for example, the BBC, or NBC, or CNN, or any major company?

Sparda Posted August 4, 2011

Get a temp job there.

Mr-Protocol Posted August 4, 2011

Typically there is a mail server (Exchange). You can try social engineering techniques to find out information.

Infiltrator Posted August 4, 2011

If you know people or colleagues who work for the company, you could ask them for such information.

digip Posted August 4, 2011 (edited)

It starts with DNS, since everything that is mapped somewhere uses DNS. Use nslookup to check, but not all servers will return anonymous queries from the internet.

For example, in Windows, open a command prompt. Type nslookup. Once you do this, you will be in the nslookup shell. Type:

    set type=mx

Then type the domain you want to query and hit enter. cnn.com for example:

    c:\nslookup
    Default Server: resolver2.opendns.com
    Address: 208.67.220.220

    > set type=mx
    > cnn.com
    Server: resolver2.opendns.com
    Address: 208.67.220.220

    Non-authoritative answer:
    cnn.com MX preference = 10, mail exchanger = atlmail5.turner.com
    cnn.com MX preference = 10, mail exchanger = hkgmail1.turner.com
    cnn.com MX preference = 10, mail exchanger = lonmail1.turner.com
    cnn.com MX preference = 10, mail exchanger = nycmail1.turner.com
    cnn.com MX preference = 10, mail exchanger = nycmail2.turner.com
    cnn.com MX preference = 10, mail exchanger = atlmail3.turner.com
    >

As far as the login screen goes, most employees would probably access it via some portal on the intranet at work that points to the proper mail server, or already have email clients set up for them on the machines by the IT department.

Edited August 5, 2011 by digip

MRGRIM Posted August 5, 2011

As per digip: Try using http://www.serversniff.net/index.php to investigate what DNS records they have.

You may find with large organisations like the BBC etc. that they don’t use webmail, and remote access to email is either provided by a mobile device, e.g. BlackBerry, or they are required to run Outlook via a terminal session / Citrix. I guess it’s viewed as convenience versus security.

wezyap Posted August 5, 2011

The normal, non-S.E. route I would have taken in this scenario is to first do a DNS bruteforce to try to find what servers the company has, and if any of them is named mail.companyname.com or similar, then I would have done a daemon fingerprint on the most promising servers with tools like nmap.

I would also try to send a mail to their support or customer relations department asking an easy and simple question, and examine the mail header of the reply for any clues.

If the company has any offices in driving distance from my location, I would also pack my war driving kit, take a field trip, try to access the network, and ARP poison it, and capture the packets, to see which sites and which protocols the staff uses.

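The mail-header point raised in the thread, seen from the defending side: the following is an added example, not part of any post above, that audits a message your own organisation sent for internal details left in its headers. The sample message, the example.net hostnames, the ExampleMail client string and the list of internal-looking labels are all constructed assumptions.

```python
import email
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_LABELS = {"corp", "internal", "intranet", "lan", "local"}  # assumed heuristic
FROM_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f:.]+)\]\)")

# Constructed sample: headers of a reply as an outside recipient would see them.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.25])
    by inbound.recipient.example with ESMTP; Fri, 5 Aug 2011 10:02:11 +0000
Received: from exch-hub02.corp.example.net (exch-hub02.corp.example.net [10.20.4.17])
    by mx1.example.net with ESMTP; Fri, 5 Aug 2011 10:02:09 +0000
Received: from WS-4471 ([192.168.14.52])
    by exch-hub02.corp.example.net with ESMTP; Fri, 5 Aug 2011 10:02:08 +0000
X-Mailer: ExampleMail 1.0
From: support@example.net
Subject: RE: opening hours
"""

def is_internal_name(host):
    # Single-label names and names carrying an internal-looking label.
    labels = host.lower().rstrip(".").split(".")
    return len(labels) == 1 or bool(INTERNAL_LABELS & set(labels))

def audit(raw):
    # Return (kind, value) findings for details an outside recipient can read.
    msg = email.message_from_string(raw)
    findings = []
    for hop in msg.get_all("Received", []):
        m = FROM_RE.search(" ".join(str(hop).split()))  # unfold the header
        if not m:
            continue
        helo, rdns, ip = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in RFC1918):
            findings.append(("private-address", ip))
        for name in dict.fromkeys(n for n in (helo, rdns) if n):
            if is_internal_name(name):
                findings.append(("internal-hostname", name))
    for hdr in ("X-Mailer", "User-Agent", "X-Originating-IP"):
        if msg[hdr]:
            findings.append(("client-disclosure", f"{hdr}: {msg[hdr]}"))
    return findings
```

Run `audit()` over a message sent from inside to an outside mailbox; each finding is a detail the outbound gateway can strip or rewrite before mail leaves the organisation.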