CODENAME: Samurai Skills Course
Module 2: Real World Information Intelligence Techniques
Ninja-Sec.com
Conducting Open Source Intelligence Gathering
Goal: Become familiar with your customer through their online presence to aid in later phases of the penetration test.
Target discovery
Possible additional attack vectors
System enumeration and vulnerability discovery (without ever having to touch the customer network)
Small snippets of data throughout the internet can be combined to reveal useful information
Conducting Open Source Intelligence Gathering
For Red Team assessments, this process could last weeks or months.
When conducting assessments in a limited timeframe, you don't have that luxury. You need to focus on:
A limited set of tools that can provide digestible information quickly.
A limited set of analysis techniques that have the potential to provide high quality information.
Note: In many cases these activities won't even be conducted
Conducting Intelligence Gathering
Sources for analysis can include:
Search Engines
Company Websites
Archive.org
Public Corporate Information (if applicable)
Newsgroups/Listservs
Job Listings
Technical Support Forums
Financial and Business Articles
Blogs
Social Media
Conducting Intelligence Gathering
The objectives of the assessment should drive the scope of these activities.
What you are looking for:
Subordinate, senior and lateral organizations
The extent of the public online presence
Physical locations of customer facilities
Corporate Gatherings
Significant Company Dates
Organizational Information
Org Charts
Positional Hierarchy and Descriptions
Company Websites
Company websites will usually reveal the mission, current news, and points of contact surrounding the company.
Make sure to look at sites other than the main site
Just looking at company websites can often tell you a lot about backend infrastructures, etc.
Useful for determining partners or potential trust relationships.
Epsilon Breach
May be less secure
Company Websites
Useful for generating a dictionary-based password wordlist for your favorite password cracker.
May be crucial to determine engagement activities.
Social Engineering
Web Assessment
Locally mirroring the customer website can make analysis faster and easier.
Added benefit of interacting with customer network less frequently.
Locally Copying Company Websites
Locally copying company websites can be easily accomplished with several tools, including wget and HTTrack
HTTrack is a super simple tool that is probably the most comprehensive
Newsgroups and Listservs
Newsgroups and listservs are usually communities that gather online for a specific purpose.
Composed of people from all walks of life, including many organizations.
A quick search does not take very long and can provide a goldmine of information, such as:
Questions about IT environments
Security issues and concerns
Inside points of contact
Employee morale
Previous employment/experience
Email ListServs
A collection of members that contribute to discussion on security topics via email threads.
Usually revolves around security research or issues that may not be well documented online.
Example listservs are:
Pauldotcom Mailing List
Bugtraq
NoVAHackers
SANS Advisory Board
Infragard
Seclists has many more
Online Job Listings
Job Description - Many organizations will put vendor names and technologies in job descriptions
This information will augment the discovery phase of the engagement
Frequency - The turnover of employees will usually be an indication of the management style, working conditions, security funding, or political environment.
Frequency is not a conclusive finding for all of the above; however, it may be worth exploring in a scoping call.
Salary Range/Position Titles/Points of Contact - Can assist
Resumes
Can be a gold mine of information
Information about the target as well as the environment:
Address - Geo-locating purposes
Contact Information - Data can be leveraged to find more sensitive information
Certifications - Potential connections to professional organizations
Affiliations - Connects target to organizations, both past and present
Technologies per Environment - Determine what security is implemented
Technical Support Forums
IT personnel may post information online in an attempt to solve a problem.
The information posted may be generic at first, but people tend to post more information if they do not get an answer that solves their issue.
Information found on technical support forums can include:
Code Snippets
Technologies
Device Configurations
Company Data
Password Protected Documents
Financial and Business Articles
Financial strength and company mission can be an indication of IT spending priority.
Acquisitions usually indicate that different IT environments may have been merged.
Often not perfectly implemented
Rule exceptions added
Regulatory compliance will require specific device and architecture configurations.
Blogs
Blogs usually contain ideas and stories specifically written about a current thought, event, or research being conducted.
Employee blogs may contain information about current projects within the target company.
Disgruntled employees will often post more information or look for new jobs, divulging their experiences within previous roles.
Company-sponsored blogs usually specialize in the company mission and are authored by senior people within the organization.
Social Media
Social Media can be used to identify individuals associated with the customer and their interests.
Can be used to target individuals for social engineering and spear phishing campaigns.
Social Media sites all serve different purposes and have different interactions. Three popular sites can be used to gather various types of information.
Facebook - Posts tend to be current events or situations.
May include location data. (Facebook Places)
Twitter - More of a stream of consciousness application. The pulse of an employee.
May include location data. (Foursquare or similar)
Email spools can often lead to a wealth of information.
Email information could include:
Competitive Intelligence
Company Financials
Potential Attack Vectors
theHarvester - Script designed for gathering e-mail accounts, user names and hostnames/subdomains from different public sources
theharvester.py -d microsoft.com -l 500 -b google - Attempt to discover 500 Microsoft email addresses through Google
CeWL (Custom Word List Generator) - Creates a wordlist by spidering a customer's website
Can be used to aid in password cracking
Tools That Aid and Automate Online Discovery & Analysis
Cree.py - Downloads all pictures on a Flickr or Twitter account, parses the EXIF data and maps it onto a Google Maps application. Useful for tracking users
Note: Facebook strips EXIF data of pictures that are posted
Maltego - Designed to automate many information gathering tasks and transform one type of information into another
For instance, find phone numbers associated with an address
There is a free version, but it is basically unusable for any real assessment.
Google Search Strategies
Google search strategies have become somewhat of an art form and can be very powerful in extracting information on customers.
It can also be fantastically easy and quick to use.
Targeted information can be derived by adding definition and operators to the search bar
Some operators that play a major role in providing definition to your search:
site:www.example.com - Constrains a search specifically to the site listed
link:www.example.com - Searches for sites linking to the site listed
Useful for identifying possible trust relationships.
intitle:car - Searches for specified parameters in the title of the results.
Useful for identifying vulnerable servers, files with sensitive information, or login pages.
inurl:install.php - Searches for specified parameters in the URL of the results.
Google operators (cont.)
filetype:xls - Searches for specific file types, often used in conjunction with site:
Allows data mining of your target.
Some example file types supported: pdf, ps, dwf, kml, kmz, xls, ppt, doc, rtf, swf
+ and - - Either specifically include normal stop words, or specifically exclude a word in searches
"<phrase>" - When searching, only show results with the specific phrase
Many more - Refer to references for extensive guides
Organizations may have a custom Google Search Appliance on their network.
A Google Search Appliance is a custom server placed within an organization that will index and crawl all available data points within an internal network.
Web Server analysis helps to identify if the appliance is present
Usually a treasure trove of information.
Google Advanced Search
Google Site Operator
Google Link Operator
Google Search Assistance Tools
Google Hacking Database is useful for coming up with search parameters associated with sensitive information or vulnerabilities.
For a while, the GHDB was discontinued; however, it is now being maintained by the folks who run exploit-db.com
http://www.exploit-db.com/google-dorks/
Provides examples of search terms that can be modified specific to your client.
Sorted by categories including: Vulnerable Sites, Online Devices,
Google Search Assistance Tools
Searching through all the GHDB can be tedious
Wikto can help automate Google searches
Wikto includes much more functionality than just search assistance, including mirroring, fingerprinting, vulnerability identification and more
Sitedigger is another tool strictly focused on Google scanning
Goolag was another tool to automate GHDB searches, but appears offline now
SearchDiggity - another tool to automate GHDB and BHDB searches
GHDB Search Example
SearchDiggity Screenshot
Some Other Search Engines
General Purpose
Bing, Yahoo, Ask
Jobs
Careerbuilder, Monster, Indeed, LinkedIn
Foreign Search Engines
Baidu - China, Yandex - Russia, Guruji - India
People Searches
Pipl, 123People, Whitepages, Spokeo, Zoominfo
Real Estate
Information to Target
Data collection is key to this phase. Remember, the attacker will leverage all information that can be found to penetrate a network environment.
Data points to look for:
Credentials - Usernames or passwords may be stored in an accessible fashion.
Email Addresses - Will determine email address structure. Useful to enumerate users as well as pull off a more successful social engineering attempt.
Files - May contain sensitive data or metadata.
Geographic Information - May help determine weak points in security posture.
Financials - Helps to determine spending ability, may yield insight into IT spending.
Users - Social networking sites will often let an attacker enumerate a
Files on customer websites sometimes have information that can be used in further phases of the assessment.
Instructions for accessing systems
Procedures, training, human resources information
File metadata can often have interesting information, such as:
Author and Modifier Usernames
File Paths
Software Versions
Printer Details
Email Addresses
Comments
File Analysis
Any downloaded files should be analyzed for metadata leakage
Two tools can make this process easy:
FOCA - Reads file metadata for a wide range of formats
Tool has much more functionality including conducting custom searches, fingerprinting servers and more
Can analyze files without needing to download them
Metagoofil - Another tool that extracts metadata from files on a customer website
Analyzing File Metadata with FOCA
Right-click in box to add a local file
Analyzing File Metadata with FOCA
Right-click in box again to extract metadata
Example Intel Gathering Methodology
Search Engine Discovery
Attempt to find all customer websites
Attempt to find affiliated sites
Use GHDB searches to attempt to find sensitive information and potential vulnerabilities
Company Websites
Conduct a cursory review of all discovered websites for information that can be used in later stages of the assessment
Mirror discovered (and interesting) customer websites
3rd-party websites
Search social media for information and usernames/email addresses that could aid in a spear phishing campaign
Search newsgroups, forums and email lists for information leakage and information that can be used in later stages of the assessment
Files and file metadata
Search files on customer websites for sensitive information
Analyze the metadata on all files identified for usernames, email addresses, file paths, etc.
External Network Footprinting
Used to determine the extent of the customer's Internet-reachable network presence through the use of online and offline tools.
Often also called Network Discovery.
There are several methods to use to fully discover a customer's network presence.
Footprinting Methodology
Gather IP addresses of all publicly identifiable client hosts
Using open source research.
Tracerouting
Used to gather information on networks and network paths associated with customer hosts (ISPs, hosting providers, etc.)
Conduct lookups for registration (whois) records
Additional information can be located in registration records that should be fed into further open source research.
Footprinting Methodology
Conduct Border Gateway Protocol Autonomous System Number (BGP ASN) record lookups.
Forward and reverse DNS lookups on all discovered domains and network ranges.
Repeat steps until all associated hosts and network ranges have been identified.
Compile a list of all domain names, network ranges and ASNs associated with the customer.
Gathering IP Addresses
One example using Centralops.net
Tracerouting
Associated network range
Organization name and address
Registration Records
Information that can be further used for information gathering.
Name, Email address and Phone Number
Next Steps
Conduct reverse DNS lookups against all discovered network ranges to identify additional hosts and domains associated with customer.
Conduct open source research against newly identified information.
Make sure to document all findings for later use.
DNS Enumeration
Domain Name Service (DNS)
Association of network human readable names to IP addresses, or the reverse.
Hierarchical system of servers used to retrieve the IP address of any (correctly formatted) host name on the Internet.
A number of security issues have been identified with its implementation.
Uses UDP port 53.
TCP port 53 is used for large transfers (greater than 512 bytes).
understand.
This topic will focus on the areas that are important for
Name Server / Domain Host - Servers that run the DNS services for an organization.
Provides answers to queries for hosts within the domain or zone.
Conducts queries on external name servers on behalf of hosts in the domain.
DNS Resolver - A client that initiates a lookup request to a DNS server (i.e. your host)
Authoritative Name Server - A DNS server that provides answers to name queries for hosts within its zone
Recursive Name Server - A DNS server that performs all queries necessary on behalf of a DNS resolver
Caching Name Server - A resolving DNS server that caches all
DNS Transaction
1. Source host requests IP address of destination hostname from local DNS server. (www.example.com)
2. Local DNS server requests authoritative DNS server for destination domain. (example.com)
3. Local DNS server requests IP address of destination host from authoritative DNS server. (X.X.X.X)
4. Local DNS server returns IP
DNS records match a host name to an IP address and also often identify the function of the device. There are quite a few record types, but a few should be readily identifiable by pen testers.
A record - Also known as a host record. Links a host name to an IP address
AAAA record - Returns an IPv6 address
NS record - Authoritative name server for the zone.
CNAME record - Alias to another name. The DNS lookup will
HINFO record - Optional information about the host.
SOA record - Provides information about the zone, such as primary name server, administrator email, etc.
PTR record - Links an IP address to a host name. Used in reverse DNS lookups.
TXT record - Used to provide optional information about the zone. Sometimes used to prevent email spam (although SPF records should be used instead)
SRV record - Generalized record for services provided in the zone. A host queries the zone for a specific service and is
for example.
DNS Lookup Example
SPAM protection
Other netblocks
DNS Zone Transfers (AXFR)
Usually used for replicating records from one server in the zone to another.
Can be abused by an outsider to gather network information.
Zone transfers use TCP port 53.
Often primary DNS servers will not allow zone transfers.
Backup DNS servers often are prone to misconfigurations.
Make sure you check every DNS server in the network.
You should always remember to pipe the output of zone transfers to a file.
DNS Tools (Queries, Zone Transfers, etc)
Compile a list of all reachable DNS servers for the network / zone.
All servers listed in NS records.
Port scan all network ranges for UDP and TCP port 53.
*nix host command.
With the -l option, can be used to quickly check servers listed in NS records for zone transfers
Ex: host -l
DNS tools (Queries, Zone Transfers, etc)
*nix dig command
Allows for a bit more granularity when querying DNS records than the host command
Example dig command:
dig @67.192.47.244 <DNS zone> <type>
@<nameserver> - specifies the name server to use.
<DNS zone> - specifies the zone to query against (i.e. google.com)
<type> - specifies the type of record to query for
any - returns administrative information about domain / zone
mx - returns mail servers for the domain / zone
Zone Transfer With Dig
DNS tools (Queries, Zone Transfers, etc)
nslookup command (Windows and *nix)
Command for conducting DNS queries and zone transfers on Windows (can be used on *nix, but there are better commands available)
Can either be used all on the command line, or in interactive mode
Interactive mode will return more details
Example nslookup command:
nslookup -type=any <DNS zone> <server>
Forward and Reverse DNS Grinding
Forward DNS Grinding: Attempting to discover additional hostnames within a domain / zone through the use of custom wordlists to do lookups.
Reverse DNS Grinding: Attempting to discover hostnames from a given set of IP network ranges through reverse DNS lookups against every IP.
Several tools exist to conduct DNS enumeration, forward and reverse grinding, although probably the best known is Fierce.
For a number of other tools, look in the Backtrack tool suite under DNS Analysis.
Forward and Reverse DNS Grinding
Fierce Domain Scan
Provides a large number of customization and performance options
To conduct forward DNS grinding using a wordlist:
fierce.pl -dns <domain> -wordlist <wordlist file> -file <output file>
<domain> - the domain / zone you want to scan
<wordlist> - the file to use for forward DNS grinding
To conduct reverse DNS grinding:
fierce.pl -range <network range> -dnsserver <server>
<network range> - the IP range to scan. Use in the form 172.16.0-255.0-255
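Zone transfer requests and forward/reverse grinding both leave a recognisable pattern in an authoritative server's query log. The following is an added example, not part of the original course material: the function names, the threshold, and the log layout (constructed lines modelled on BIND 9 query logging) are assumptions to adapt to your own name server.

```python
import re
from collections import defaultdict

# Assumed layout: "... client @0x<id> <ip>#<port> (<name>): query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<type>\S+)"
)


def analyze(lines, zone, allowed_xfer, threshold=5):
    """Return a sorted list of (kind, client_ip, detail) findings.

    allowed_xfer: IPs of the secondaries that may request AXFR/IXFR.
    threshold: distinct names from one client before grinding is reported.
    Query logs carry no response code, so grinding is judged on the number
    of distinct names asked for, not on the NXDOMAIN rate.
    """
    zone = zone.lower().rstrip(".")
    forward = defaultdict(set)   # client -> distinct hostnames inside our zone
    reverse = defaultdict(set)   # client -> distinct in-addr.arpa names
    findings = set()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        ip = m["ip"]
        name = m["name"].lower().rstrip(".")
        qtype = m["type"].upper()
        if qtype in ("AXFR", "IXFR"):
            if ip not in allowed_xfer:
                findings.add(("zone-transfer-attempt", ip, name))
        elif qtype == "PTR" and name.endswith(".in-addr.arpa"):
            reverse[ip].add(name)
        elif qtype in ("A", "AAAA") and name.endswith("." + zone):
            forward[ip].add(name)
    for kind, table in (("forward-grinding", forward), ("reverse-grinding", reverse)):
        for ip, names in table.items():
            if len(names) >= threshold:
                findings.add((kind, ip, f"{len(names)} distinct names"))
    return sorted(findings)


def sample_log():
    """Constructed log lines (documentation address ranges), not real traffic."""
    def q(ip, name, qtype):
        return (f"01-Jan-2024 10:00:00.000 queries: info: client @0x7f00 {ip}#40000 "
                f"({name}): query: {name} IN {qtype} + (192.0.2.53)")
    lines = [q("192.0.2.54", "example.com", "AXFR")]        # authorised secondary
    lines.append(q("203.0.113.9", "example.com", "AXFR"))   # unexpected source
    hosts = ("vpn", "mail", "dev", "test", "owa", "intranet")
    lines += [q("203.0.113.9", f"{h}.example.com", "A") for h in hosts]
    lines += [q("198.51.100.7", f"{i}.2.0.192.in-addr.arpa", "PTR") for i in range(1, 9)]
    lines += [q("198.51.100.20", "www.example.com", "A")] * 3   # ordinary client
    return lines


if __name__ == "__main__":
    for finding in analyze(sample_log(), "example.com", {"192.0.2.54"}):
        print(finding)
```

On BIND, limiting `allow-transfer` to the listed secondaries means the first finding is a refused request rather than a disclosed zone.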
DNS Man in the Middle Attacks
DNS MITM (Spoofing) Attack: Listening for DNS requests to specific sites and supplying the attacker's address before the distant end can respond.
A DNS resolver will record the first response received, allowing a local attacker to beat the distant end in the response.
Known as a race condition.
Generally used in conjunction with ARP Poisoning (covered later), removing even the need for race conditions.
DNS Man in the Middle Attacks
General Methodology:
Spoof the distant end server (generally a web server)
ARP Poison the target host
Perform DNS spoofing for the distant end server
Perform nefarious action against target (generally credential stealing)
NOTE: While maybe useful in penetration testing depending on the activity, not generally an activity that would be performed
DNS Cache Poisoning
Replacing the correct address of an external host's name (either the authoritative name server or a single host) with an attacker's address in the stored cache of a DNS caching server.
This attack targets:
Flaws inherent in the DNS protocol.
Implementations of many DNS servers.
Can be extremely difficult for an end-user to detect they are being attacked.
DNSSEC
DNSSEC (Secure DNS): Extensions to the DNS protocol that provide for cryptographically signing DNS responses for origin authentication.
Designed to prevent DNS MITM attacks and cache poisoning attacks
Not currently widely deployed, so of fairly little significance to penetration testers.
Domain Name Service - References
DNS Guides & Tutorials
Debian Guide: http://www.debianhelp.co.uk/dnsrecords.htm
Long Wikipedia Article: http://en.wikipedia.org/wiki/Domain_Name_System
Google Basic Guide to DNS: http://www.google.com/support/a/bin/answer.py?answer=48090#G
Zone Transfer Explanation: http://en.wikipedia.org/wiki/DNS_zone_transfer
SPF Explanation: http://en.wikipedia.org/wiki/Sender_Policy_Framework
DNS Record Type: http://en.wikipedia.org/wiki/List_of_DNS_record_types
Using nslookup, dig and host: http://docsrv.sco.com/NET_tcpip/dnsC.nslook.html
Using nslookup in Windows: http://support.microsoft.com/kb/200525
Domain Name Service - References
DNS MITM Attacks:
Cain & Facebook example: http://vishnuvalentino.com/computer/hacking-facebook-using-man-in-the-middle-attack/
Using Backtrack: http://dumb-answer.blogspot.com/2011/02/how-to-dns-spoofing-with-backtrack.html
DNS Cache Poisoning: http://en.wikipedia.org/wiki/DNS_cache_poisoning
DNSSEC Explanation: http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
Tools (online / offline)
Mail Server Enumeration
Interacting With Mail Servers During a Penetration Test
Generally a penetration tester may interact with a customer's mail servers in three different ways:
Attempting to identify valid user names and email addresses through brute force enumeration (i.e. wordlists, etc.)
Sending spear-phishing emails into the customer organization through the mail servers
Less often, interacting with client facing aspects of the server (OWA, POP3, IMAP, etc.) through either direct login after harvesting credentials, or possibly attempting to brute force passwords
Like many aspects of conducting time limited pen tests, while there are potentially many activities that could be used to assess a customer's mail services, the tester will need to pare down activities to what is manageable.
One effective technique may be to discover email addresses through open source research, then verify them against the mail server and enumerate further users
Enumerating Email Addresses through the Mail Server
Three primary SMTP methods are used to enumerate users on a server:
EXPN Command: Used to expand information for a given email address. Often used to expand a mailing list. Probably the least reliable method as it is not supported in Microsoft Exchange
VRFY Command: Used to verify that a mailbox is available for delivery. As the potential for abuse is obvious, this command is often turned off by default.
RCPT TO: Command: Identifies a message recipient. A much more reliable method to use to enumerate users as it is difficult to disable this functionality (it is the basis for identifying the recipient of a message).
Mail servers may be enumerated on the command line using Telnet or NetCat. For large scale enumeration, this would not be very effective.
Online Enumeration of Users
Individual email accounts can be enumerated online, providing a measure of stealth. However, this would again not be very effective on a large scale
smtp-user-enum.pl - Perl script included in the Backtrack suite
Enumeration of Users Using Automated Tools
Nmap NSE script - smtp-enum-users.nse
Usage - nmap --script smtp-enum-users.nse <script-args> <host>
Uses the userdb from Nmap, so custom dictionaries would need to be added to the default users file (no way to specify a specific file)
Users file is located in {Nmap directory}/nselib/data/usernames.lst
Use --script-args smtp-enum-users.domain=<example.com> to append domain names to email addresses (if not defined in the wordlist)
Full example command:
<IP Address>
Using Nmap SMTP User Enumeration Script
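Because RCPT TO cannot simply be switched off, the enumeration described in the slides above is usually caught in the mail log instead: one client collecting "user unknown" rejections for many different recipients in a short time. The following is an added example, not part of the original course material; the function names, thresholds and the Postfix-style reject lines are constructed assumptions to adapt to your own mail server's log format.

```python
import re
from collections import defaultdict, deque

# Assumed layout: syslog timestamp, host, postfix/smtpd "NOQUEUE: reject:" line.
REJECT_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: (?P<verb>RCPT|VRFY|EXPN) from \S*\[(?P<ip>[^\]]+)\]: "
    r"55\d \S+ <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)


def find_enumeration(lines, threshold=5, window=60):
    """Return {client_ip: peak distinct unknown recipients within `window` s}.

    Only clients that reach `threshold` are reported. Timestamps are read as
    seconds since midnight, so a log that spans midnight must be split first.
    """
    recent = defaultdict(deque)   # ip -> (time, recipient) pairs still in window
    peak = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        q = recent[m["ip"]]
        q.append((t, m["rcpt"].lower()))
        while q and t - q[0][0] > window:
            q.popleft()               # drop rejections older than the window
        distinct = len({rcpt for _, rcpt in q})
        if distinct >= threshold:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), distinct)
    return peak


def sample_log():
    """Constructed log lines (documentation address ranges), not real traffic."""
    def rej(sec, ip, user, verb="RCPT"):
        return (f"Jan  1 10:00:{sec:02d} mx postfix/smtpd[2211]: NOQUEUE: reject: "
                f"{verb} from unknown[{ip}]: 550 5.1.1 <{user}@example.com>: "
                f"Recipient address rejected: User unknown in local recipient table; "
                f"from=<probe@example.net> to=<{user}@example.com> proto=ESMTP "
                f"helo=<host.example.net>")
    guesses = ["admin", "root", "test", "info", "sales", "hr", "backup"]
    lines = [rej(i, "203.0.113.9", user) for i, user in enumerate(guesses)]
    lines.append(rej(30, "198.51.100.20", "jon"))   # one mistyped address
    lines.append(rej(31, "198.51.100.20", "jon"))   # retry of the same address
    return lines


if __name__ == "__main__":
    print(find_enumeration(sample_log()))
```

On Postfix, `disable_vrfy_command = yes` closes the VRFY path, and `smtpd_hard_error_limit` disconnects a client after repeated rejected commands, which slows RCPT TO probing.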
Dealing with Email Filtration Systems
When sending spear-phishing emails, either as the initial stage of a penetration or just to collect statistics, there are a number of email filtration systems that could block your attempts, including:
Sender Policy Framework (SPF) policies
Domain Keys
Spamtraps
Rate limiting
Many, many others
In general, a penetration test conducted in a limited timeframe does not have the ability to attempt to evade Spam filtering mechanisms.
Client mail services allow a local mail client to access a user's mailbox. Three primary types of client mail services include:
Post Office Protocol (POP) 3
While not related to bruteforcing, it should be noted that POP3 communicates in cleartext
Internet Message Access Protocol (IMAP)
Proprietary protocols - Such as Microsoft Outlook and IBM Notes
Both POP3 and IMAP can be vulnerable to network password cracking (covered later)