
Enumeration of AS/400 users and their status via POP3




Overview
------------
The POP3 service is installed on all modern AS/400 
and iSeries servers, and is turned on by default, 
even in cases when email serving was not set up. 

To access a POP3 server, you must authenticate with 
a user name and a password. Unfortunately, POP3 users 
are real AS/400 user profiles, POP3 will authenticate 
any valid user profile, and the service provides too 
much information during authentication.

The status messages POP3 displays are:

No user found
Good user, password not correct for user profile
Good user, but user profile is disabled
Good user, but password for user profile has expired
Good user, but no password associated with user profile
Good password, good user

The unsuccessful attempts are logged only in the security
audit log, and only if the audit log is turned on.

There is no security exit program protecting the POP3 server.

A phonebook attack can probably enumerate most of the users,
giving the attacker a vector for a social engineering session.

For full details please read the article found at 
http://www.venera.com/downloads.htm
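
A detection sketch for the phonebook attack described above, added here as an example and not part of the original advisory. It assumes the failed-logon audit entries have been exported into a simplified, constructed line format; the outcome labels, thresholds and function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (a simplified format, not real audit journal
# output): timestamp, client address, user name tried, outcome. The outcome
# labels are hypothetical names for the six statuses listed in the advisory.
SAMPLE_LOG = """\
2024-01-10T09:00:01 198.51.100.7 ASMITH no_user
2024-01-10T09:00:20 198.51.100.7 BJONES bad_password
2024-01-10T09:00:41 198.51.100.7 CLEE no_user
2024-01-10T09:01:02 198.51.100.7 DKHAN disabled
2024-01-10T09:01:25 198.51.100.7 EROSS expired
2024-01-10T09:01:50 198.51.100.7 FWONG no_user
2024-01-10T09:03:00 192.0.2.20 JDOE bad_password
2024-01-10T09:03:30 192.0.2.20 JDOE success
"""

# Every outcome except "no_user" tells the client that the profile exists.
CONFIRMS_PROFILE = {"bad_password", "disabled", "expired", "no_password", "success"}

def parse(log_text):
    """Yield (time, source, user, outcome) tuples from the simplified log."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, outcome = line.split()
            yield datetime.fromisoformat(ts), src, user.upper(), outcome

def detect_enumeration(log_text, min_users=5, window=timedelta(minutes=10)):
    """Map each source that tried >= min_users distinct names inside one
    sliding window to the sorted profiles its attempts confirmed as valid."""
    by_src = defaultdict(list)
    for rec in parse(log_text):
        by_src[rec[1]].append(rec)
    findings = {}
    for src, recs in by_src.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            if len({r[2] for r in recs[start:end + 1]}) >= min_users:
                findings[src] = sorted({r[2] for r in recs if r[3] in CONFIRMS_PROFILE})
                break
    return findings

if __name__ == "__main__":
    for src, profiles in detect_enumeration(SAMPLE_LOG).items():
        print(src, "confirmed profiles:", ", ".join(profiles))
```

The profiles reported for a flagged source are the ones whose existence and status were disclosed to it, which makes them the accounts to review first.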