Hacking email addresses using zenmap, xhydra and a wordlist.

I have setup a rogue email account on a web server that i own a lease to. What we are going to do is find the IP address to the server that sends the mail, scan for open ports to mail services (Pop3 & SMTP) input the data into Hydra and in return bruteforce for the password.
 I have done this on many occasions as a security tester and what i have found is that MOST people use the same password for everything. That's why it's important to keep your email password exclusive. What i have found in 90% of the time is that people have everything linked to their main email address. Online banking, website registration and Facebook to name a few. All you have to do after gaining access to an important email account is a little detective work along with some "forgot password" forms and then you pretty must own the E-Identity. I'm going to show you how to prevent this from happening to yourself and your clients. 
Please note these are real hacking methods that are going to be tested on real servers. One of the IP's i'm going to release correlates to a godaddy hosted server, and even though anyone can find this i want to say i do not condone black hat hacking, nor do i advise anyone to use these methods for malicious use. Lets Get Started

www.brotherspropertymanagement.com will be our target for example.

In backtrack 5, Fire up a Terminal, Zenmap and Hydra-GTK.

ping the desired web server:

 we see a secureserver hostname along with the IP. Typically in this instance i would run a zenmap scan on it.

However no mail server is returned. This is a practical example of where we can be de-railed because the mail server is different from the one we scanned. but with a little research we can easily find the mail server AND SETTINGS on google using the hostname.

 We have found the link for email setup. You will only need to do this if the web server is hosted by a product like godaddy. In some situations the web server will include all services to run the website and some back end things like FTP,HTTP,POP,SMTP & MYSQL.
click the link

 Those are the settings. Now we see we have 2 options. pop.secureserver.net and smtpout.secureserver.net. Please keep this in mind, These 2 servers HOST ALL MAIL on godaddy websites. This is dangerous because if you really wanted to you could scan a range of godaddy ip's, visit the websites, copy the email addresses, make a list to bruteforce. This is why i strongly advise a secure password.
Lets choose SMTP. It's not encrypted, doesn't kick us off after a few attempts of password breaking AND ITS FAST, SUPER FAST.
ping smtpout.secureserver.net a few times and you will see the ip is different. it really doesn't matter so open Xhydra and configure like this:

single target: smtpout.secureserver.net (this is the mail server)
port: 25 (this is default unencrypted SMTP port)
protocol: smtp (simple mail transfer protocol)
as always check off show attempts.

on the passwords tab for username you always want the full user with the @domain.com in the end our user is
rogueaccount@brotherspropertymanagement.com
select your password list. refer to my Last Post on how to find a wordlist in backtrack.
Or Click Here for Wordlist

Goto the start tab and click start.

Then we have success. I will be remove the rogue account so you little bastards don't try any funny business.


RECAP:
1. Find Target
2. Find SMTP Mail Server
3. Input data to Hydra
4. Crack Away  






code SMRRARMWCNXT