Monday, July 11, 2011

HOW TO: Send Messages via UnAuthenticated SMTP Server

Email Server Hunting with NSLookup:
OK so I have showed you how to perform password profiling, and how to get cracking locally and over the network, but some of you keep asking how you find the mail servers to attack. If the FQDN or IP address is unknown, the easiest way to find this information is to use the Nslookup command-line tool to find the MX record for the destination domain. You can try various web scanners to find it or you can simply open a command prompt and type the following:
  • nslookup
  • set type=MX
  • <enter site name>
  • nslookup type=MX <target IP or site name>
NOTE: if it seems to timeout or false results you can adjust timing by using "set timeout 20" between step 2 and step 3 above, since the default is set to only 15 seconds.
This will begin to send DNS queries for the MX or mail exchange records. You will find this will give you an output that tells you which mail servers are registered by your target site. Note the first line after "Non-authoritative answer". The "MX preference" specifies which mail server to use and in which order. The lower the number, the more preferred the mail server is. If the preferences for each mail server are the same, you can use any them.
OK, so you found the email server...what now? We can fire up Hydra and start trying to bruteforce the passwords for any known emails (follow previous tutorials for this part), but before we do lets see how secure it really is. Keep the console open for another minute and let us see if we can use Telnet to log into the SMTP server, if we can get in we will then see if we can send a message without any authenticated credentials. Here is how we use Telnet on Port 25 to test SMTP communication from command line:
  • Telnet
  • localecho
This will let us view all of the characters typed as we type them in the console (localecho not always required but I find it helpful on older systems-XP)
  • open <smtp server ip/name found above> 25

This will open telnet session between our machine and remote ip/server on port 25 (port 25 is default port for SMTP; you may need to change to fit your situation)
  • EHLO <ip/>

EHLO is the Extended Simple Message Transfer Protocol (ESMTP) verb and can help to establish the remote SMTP capabilities during the initial connection
  • MAIL
This defines who email will be sent from (helps to use valid email to avoid errors on some setups or in case the receiver is undeliverable)
  • RCPT NOTIFY=success,failure
The NOTIFY is optional but can be helpful as it will cause the server to provide a message to let us know whether it worked or not. A message number of 500 means there was a failure or error, while 220 means it was a success
You will receive a 354 response that resembles the following:
      "Copy Code 354 Start mail input; end with <CLRF>.<CLRF>"
  • Subject: <Subject Title/Name>
This defines the subject line of email message, now hit ENTER to add a blank line. We need to have a blank line between the Subject header line and the Body of email to avoid errors
  • Type your message ENTER when done
This defines the body of the email message to be sent
  • Just press ENTER again
  • . (Type a Period)
This should end the message and let it know we are ready to send. You should see a message similar to this:
    "Copy Code 250 2.6.0 <GUID> Queued mail for delivery"
That is it, you just sent a SMTP email message without any authentication required! You can repeat as necessary or you can type QUIT to disconnect from the SMTP server, which should give you a message like this:
     "Copy Code 221 2.0.0 Service closing transmission channel."
You can then type QUIT once more to close Telnet session.
Note:You can't use the backspace key after you have connected to the destination SMTP server within the Telnet session. If you make a mistake as you type an SMTP command, you must press ENTER and then type the command again from scratch once more.

No comments:

Post a Comment