Simple Penetration Testing Strategies for Your Exchange Server
Written by Paul Mah on June 24, 2011
The recent spike in security breaches resulting from meticulously planned and executed spear phishing attacks may have forced email administrators to start thinking about topics they may never have considered previously, such as the repercussions of a hacked Exchange Server account, or the reasons why hackers would be interested in attacking your email server. Indeed, you may have already read Securing Your Microsoft Exchange 2010 Server, and have duly implemented the various hardening measures that I’ve linked to in that article.
Moving ahead though, you may be wondering if your Exchange Server is truly protected against malicious attacks. Beyond waiting for a hacker to successfully break in, is there anything that the diligent administrator can do to reduce the chances of a successful break in? I had the opportunity to attend an EC-Council Certified Ethical Hacker course recently, and one indelible lesson I gained would be how proper penetration tests can facilitate better security. The rationale is simple – if you can break in, then so can hackers. Today, I want to highlight some very simple penetration testing strategies that cash-strapped businesses can perform on their Exchange Servers to get a better pulse on their security readiness.
Obviously, permission must first be obtained from the relevant management prior to any penetration testing – preferably in writing. Also, the usual caveat about the dangers of handling live malware applies; there is also the very real possibility of Trojans hidden within the tools that hackers typically use. Finally, I would strongly advocate hiring a properly qualified and professional penetration testing team, which has the added benefit of a detailed report on any findings with recommendations for improvements.
Port scan
One of the simplest ways to establish the presence of malware or illicit server software is to port scan your Exchange Server. While simplistic, this is nevertheless one of the first steps that a hacker will perform when targeting your organization, and it could reveal flawed configurations or the presence of unwanted (and forgotten) software services.
An extension of this idea is to scan your internal network for SMTP (port 25) listeners, since any listener that is not one of your mail servers could indicate unauthorized software or zombie computers running spamming software. A basic and very well-known network and security scanner is the free Nmap, though many commercial variants exist that are capable of more detailed scans, such as detecting common misconfigurations.
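The internal port 25 sweep described above, as an added example that is not from the original article: every host in a subnet is probed, the SMTP greeting banner is recorded, and any listener that is not in the allowlist of known mail servers is reported as unexpected. The subnet and the authorized host address are constructed placeholder values.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Hosts that are allowed to listen on TCP/25 (constructed placeholder: your Exchange
# Hub Transport / Edge servers would go here).
AUTHORIZED_SMTP_HOSTS = {"10.0.0.25"}


def probe_smtp(host, port=25, timeout=2.0):
    """Return the SMTP greeting banner if host:port accepts a connection,
    '' if it is open but sends no banner, or None if closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                return ""
    except OSError:
        return None


def classify(host, banner, authorized=AUTHORIZED_SMTP_HOSTS):
    """Label one probe result: closed, authorized listener, or UNEXPECTED listener."""
    if banner is None:
        return "closed"
    if host in authorized:
        return "authorized"
    return "UNEXPECTED"


def subnet_hosts(prefix, start=1, end=254):
    """Expand a /24 prefix such as '10.0.0' into its host addresses."""
    return [f"{prefix}.{i}" for i in range(start, end + 1)]


def scan_subnet(hosts, authorized=AUTHORIZED_SMTP_HOSTS, workers=32):
    """Probe hosts concurrently; return {host: (verdict, banner)} for open port 25 only."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = dict(zip(hosts, pool.map(probe_smtp, hosts)))
    return {h: (classify(h, b, authorized), b)
            for h, b in results.items() if b is not None}


if __name__ == "__main__":
    for host, (verdict, banner) in sorted(scan_subnet(subnet_hosts("10.0.0")).items()):
        print(f"{host:15} {verdict:11} {banner[:60]}")
```

Anything reported as UNEXPECTED deserves a look at the banner and the process bound to the port on that machine.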
Sending malware to yourself
An easy way to test the capability of one’s malware filter or gateway antivirus scanner is to deliberately send malware to an account on your server. This may range from bare executable files, through executables hidden inside archives, to malformed PDF or Word documents – you essentially employ the same tricks that spammers and hackers are known to use. Obviously, administrators should take pains to send infected email attachments only to unused accounts or to one that has been set aside for the purpose of testing.
It should also be noted that many of the recent attacks rely more on phishing or social engineering that push users into clicking a link to a malware-laden website as opposed to sending malware as an email attachment.
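A safe way to run the attachment test above without handling real malware, added here and not part of the original article: the message carries the industry-standard EICAR test file, which every gateway scanner is expected to flag, once as a bare attachment, once inside a zip, and once inside a zip within a zip, so you can see how deep your scanner unpacks archives. The addresses and SMTP host are constructed placeholders.

```python
import io
import smtplib
import zipfile
from email.message import EmailMessage

# The EICAR anti-virus test string: harmless by design, detected by any competent scanner.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_zip(name="eicar.com", nested=False):
    """Zip bytes holding eicar.com; with nested=True the zip is wrapped in a second zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, EICAR)
    data = buf.getvalue()
    if nested:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as z:
            z.writestr("inner.zip", data)
        data = outer.getvalue()
    return data


def zip_members(data):
    """Member names of a zip given as bytes (used to verify what was built)."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def build_test_message(sender, recipient):
    """Test message with the EICAR file attached bare, zipped and double-zipped."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Gateway antivirus test (EICAR)"
    msg.set_content("Gateway antivirus test. All attachments are the EICAR test file.")
    msg.add_attachment(EICAR.encode(), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    msg.add_attachment(eicar_zip(), maintype="application",
                       subtype="zip", filename="eicar.zip")
    msg.add_attachment(eicar_zip(nested=True), maintype="application",
                       subtype="zip", filename="eicar-nested.zip")
    return msg


def attachment_names(msg):
    return [part.get_filename() for part in msg.iter_attachments()]


def send(msg, smtp_host, smtp_port=25):
    """Deliver the message through your own gateway to the test mailbox."""
    with smtplib.SMTP(smtp_host, smtp_port, timeout=10) as s:
        s.send_message(msg)


if __name__ == "__main__":
    m = build_test_message("avtest@example.invalid", "avtest-mailbox@example.invalid")
    print(attachment_names(m))
    # send(m, "mail.example.invalid")  # constructed placeholder host
```

Whichever attachments reach the test mailbox unblocked mark the limits of your gateway scanner's archive handling.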
Brute Force Password Hacking
A brute force password attack entails repeatedly logging into an account with various combinations of passwords, and is a strategy employed by hackers looking for soft targets on the Internet. Unlike cracking an actual password hash file or database, attempting to break in by brute-forcing the password as part of a penetration test is a lower risk proposition, and viable if care is taken not to disrupt the access of legitimate users.
Moreover, this is a good way of weeding out easy-to-guess passwords that may be used by some employees, and is an activity that can be conducted when server and network utilization is lower (such as over the weekend or overnight). Dictionary files in your company’s native language can be compiled relatively easily, or downloaded from various repositories on the Internet. Finally, there is no need to find a tool dedicated to breaking into Exchange Server either, since any password brute force tool that supports POP or IMAP can be made to work.
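The other half of a brute force test is checking that your monitoring actually notices it. Added here and not from the original article: a sliding-window detector run over constructed POP3/IMAP authentication log lines (the format is invented for the example; adapt the regex to your own protocol logs), flagging any source/account pair that fails five times inside a minute and noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a simple syslog-like format (not a real Exchange format).
SAMPLE_LOG = """\
2011-06-25 02:13:40 POP3 AUTH FAIL user=jsmith src=203.0.113.9
2011-06-25 02:13:41 POP3 AUTH FAIL user=jsmith src=203.0.113.9
2011-06-25 02:13:41 POP3 AUTH FAIL user=jsmith src=203.0.113.9
2011-06-25 02:13:42 POP3 AUTH FAIL user=jsmith src=203.0.113.9
2011-06-25 02:13:43 POP3 AUTH FAIL user=jsmith src=203.0.113.9
2011-06-25 02:13:44 POP3 AUTH OK   user=jsmith src=203.0.113.9
2011-06-25 02:20:01 IMAP AUTH FAIL user=mlee src=198.51.100.4
2011-06-25 02:45:10 IMAP AUTH FAIL user=mlee src=198.51.100.4
2011-06-25 03:10:07 IMAP AUTH OK   user=mlee src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+ \S+) (POP3|IMAP) AUTH (FAIL|OK)\s+user=(\S+) src=(\S+)$")


def parse(line):
    """Return (timestamp, protocol, result, user, src) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, proto, result, user, src = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), proto, result, user, src


def detect_bruteforce(lines, threshold=5, window=60):
    """Flag (src, user) pairs with >= threshold failures inside any window of `window`
    seconds; 'success_after' marks bursts that ended in a login, the ones to act on first."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerts = {}
    for ts, proto, result, user, src in filter(None, map(parse, lines)):
        key = (src, user)
        if result == "FAIL":
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alerts[key] = {"fails": len(q), "proto": proto, "success_after": False}
        elif key in alerts:
            alerts[key]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for (src, user), info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {user}: {info}")
```

In the sample, jsmith's five rapid failures followed by a success are flagged, while mlee's two failures twenty-five minutes apart are not; the same threshold and window are what a lockout or delay policy should be tuned against so the weekend test does not lock out Monday's users.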
Are you aware of any simple penetration testing strategies that can be used to test the robustness of an Exchange Server deployment? Feel free to highlight them in the comments section below.
June 24th, 2011 at 8:25 pm
Using this same line of thinking, you could covertly attempt to phish employees (again, with proper permission from management) to figure out whether or not they are engaging in behaviors that put the company’s security at risk.
June 24th, 2011 at 10:17 pm
Ethical hackers (good hackers employed by security organizations to do penetration testing) usually use the brute force hack attack. For them it’s easier because most of the process can be done automatically.
However, a brute force attack also has its limits. For one, it is vulnerable to “number of attempts”. Just like a bank vault, brute force can be swayed with a time delay.
June 27th, 2011 at 12:13 pm
Paul is right – you should also test the human factor, which is known to be the weakest spot in any security plan.