Thursday, October 14, 2010

SMTP (25 TCP)

Back in the good old days just about every mail server was running Sendmail, and Sendmail was littered with security holes. Nowadays Sendmail is pretty safe (yet a lot of people still have bad memories of it and, as such, refuse to use it). The other common MTA is Microsoft Exchange. Other UNIX mail servers include qmail and smail. What vulnerabilities exist in SMTP gateways? If we assume that you are dealing with a fairly recent version of Sendmail, SMTP seems pretty safe in terms of getting control over a server. Mail bombing, sure; getting root when one already has a shell, sure. But remotely, I don't think so. Were anyone to find a nasty buffer overflow in MS Exchange, it would probably be the next big thing. Anyone?
In terms of intelligence gathering, SMTP can provide you with some interesting stuff. EXPN and VRFY have been discussed in depth in the examples, so let's not go there again. Mail spamming, well, it's not really hacking now, is it?
SMTP can also be used to discover the soft insides of a network by provoking a "bounce" message: a message addressed to a user that does not exist. The mail travels all the way to the most internal mail server, which then replies to you stating that the user is not known. By looking at the returned mail's SMTP headers you gain some useful information about the mail path, and thus the internal network. Let us look at an example. We want to see the SMTP path of the domain nedcor.co.za. We send email to klasiedewaal@nedcor.co.za (we suspect there won't be such a user at the domain), with body text: "Hi bud - got your email address from Amy - if you receive this in good order, write back to me. Your friend, Roelof". Obviously the idea is not to make the "bounce" message look suspect. Now, let us look at the listed MX records for the domain:
/# host -t mx nedcor.co.za
nedcor.co.za mail is handled (pri=10) by mailmarshall-1.hosting.co.za
nedcor.co.za mail is handled (pri=10) by mailmarshall-2.hosting.co.za
nedcor.co.za mail is handled (pri=50) by prometheus.nedcor.co.za
The SMTP returned mail header looks like this:
Received: from prometheus_old.nedcor.co.za ([196.36.217.137])
by wips.sensepost.com (8.9.3/8.9.3) with SMTP id WAA18570
for ; Sun, 10 Sep 2000 22:48:29 +0200 (SAST)
(envelope-from )
Received: FROM ARES.it.nednet.co.za BY prometheus_old.nedcor.co.za ; Sun
Sep 10 22:43:09 2000 +0200
Received: by ares.it.nednet.co.za with Internet Mail Service (5.5.2650.21)
id ; Sun, 10 Sep 2000 22:43:19 +0200
Message-ID: <35D6C187048AD311882F00805FD7EDE402F57314@ares.it.nednet.co.za>
We learn from these headers that mail "terminates" at ares.it.nednet.co.za, from where it hops to prometheus_old.nedcor.co.za. This is interesting, as neither of these machines is resolvable from the Internet, and they should therefore be considered "internal".
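The header walk above, as an added Python example that is not part of the original post: it unfolds the Received: lines of the bounce quoted above, rebuilds the hop chain in chronological order (Received: lines are prepended, so the top one is the last hop), and lists the hosts a public resolver would not know. The DNS side is simulated by a constructed set of names that do resolve (the MX hosts listed above plus the receiving server); a mail administrator running this over their own outbound bounces would substitute a real lookup, and the usual fix for leaked names is to have the border MTA strip or rewrite internal Received: lines before relaying.

```python
import re
import ipaddress

# Constructed sample: the bounce header quoted in the post, refolded with the
# leading whitespace that RFC 5322 continuation lines carry (assumed lost when
# the page was copied). Recipient and envelope-from are elided as on the page.
SAMPLE_BOUNCE = """\
Received: from prometheus_old.nedcor.co.za ([196.36.217.137])
\tby wips.sensepost.com (8.9.3/8.9.3) with SMTP id WAA18570
\tfor ; Sun, 10 Sep 2000 22:48:29 +0200 (SAST)
\t(envelope-from )
Received: FROM ARES.it.nednet.co.za BY prometheus_old.nedcor.co.za ; Sun
\tSep 10 22:43:09 2000 +0200
Received: by ares.it.nednet.co.za with Internet Mail Service (5.5.2650.21)
\tid ; Sun, 10 Sep 2000 22:43:19 +0200
Message-ID: <35D6C187048AD311882F00805FD7EDE402F57314@ares.it.nednet.co.za>
"""

# Constructed stand-in for DNS: the MX hosts from the post plus the receiver.
# Swap in a real lookup (e.g. socket.getaddrinfo) to run this against live data.
PUBLIC_NAMES = {
    "mailmarshall-1.hosting.co.za",
    "mailmarshall-2.hosting.co.za",
    "prometheus.nedcor.co.za",
    "wips.sensepost.com",
}

# "from host" and "by host" clauses; the lookbehind keeps "envelope-from" out.
FROM_RE = re.compile(r"(?<![\w-])from\s+([\w.-]+)(?:\s+\(\[?([\d.]+)\]?\))?", re.I)
BY_RE = re.compile(r"(?<![\w-])by\s+([\w.-]+)", re.I)


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines back onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_hops(raw):
    """Return the Received: hops in chronological order (origin first)."""
    hops = []
    for header in unfold_headers(raw):
        if not header.lower().startswith("received:"):
            continue
        m_from = FROM_RE.search(header)
        m_by = BY_RE.search(header)
        hops.append({
            "from": m_from.group(1).lower() if m_from else None,
            "from_ip": m_from.group(2) if m_from and m_from.group(2) else None,
            "by": m_by.group(1).lower() if m_by else None,
        })
    hops.reverse()  # newest Received: line is on top, so reverse for time order
    return hops


def mail_path(hops):
    """Collapse the hops into the ordered list of hosts the message passed through."""
    path = []
    for hop in hops:
        for name in (hop["from"], hop["by"]):
            if name and (not path or path[-1] != name):
                path.append(name)
    return path


def leaked_internal_hosts(hops, resolves=lambda name: name in PUBLIC_NAMES):
    """Hosts in the chain that public DNS does not know, plus any private IPs."""
    leaked = []
    for hop in hops:
        for name in (hop["from"], hop["by"]):
            if name and name not in leaked and not resolves(name):
                leaked.append(name)
        ip = hop["from_ip"]
        if ip and ipaddress.ip_address(ip).is_private and ip not in leaked:
            leaked.append(ip)
    return leaked


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_BOUNCE)
    print("mail path:", " -> ".join(mail_path(hops)))
    print("not publicly resolvable:", leaked_internal_hosts(hops))
```

On the sample the path comes out as ares.it.nednet.co.za -> prometheus_old.nedcor.co.za -> wips.sensepost.com, and the two nednet/nedcor hosts are the ones absent from the public name set, which is exactly the "internal" conclusion the post draws. The 196.36.217.137 literal is a public address, so it is not flagged; a private-range literal in the same position would be.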
