top of page
Search
  • Writer's pictureotw

Network Basics for Hackers, Part 5: Simple Mail Transport Protocol (SMTP)

Updated: Feb 15, 2023

Welcome back, my aspiring cyberwarriors!


In this series, Network Basics for Hackers, we explore the structure, operation and vulnerabilities of the major network protocols. In this way, the aspiring hacker/pentester/cyberwarrior will hopefully gain insight into not only it's operation but also its vulnerabilities.





In this segment of this series, we will examine the Simple Mail Transport Protocol (SMTP), the protocol most of us could not live without!


What is SMTP?


Simple Mail Transport protocol or SMTP as it is commonly known is among the most important protocols in our digital age. It is used to transfer email from one user to another. Although SMTP was first codified in 1983, it is still this same protocol that carries nearly all emails with some enhancements.

.


As the diagram above displays, the client Ana@maildomain-abc.com sends an email to the MTU server via SMTP and retrieves email via either POP3 or IMAP. The same is true for the other client, Lav@maildomain-xyz.com. Communication between the email servers or MTU's is exclusively SMTP on port 25. POP3 uses port 110 and IMAP uses port 143.


The Email Processing Model


First, email is submitted by a email client or mail user agent (MUA) such as Microsoft Outlook, Mozilla, etc. to the email server (mail server agent or MSA) using SMTP on port 587. This email is then transferred to the MTU. Most often, these two agents (MUA and MTU) are the same system managed by a single piece of software.


The boundary MTA uses DNS to look up the MX record of the recipient's domain (see DNS). This record includes the name of the target MTA. We can demonstrate this with the dig command.




The MTA then selects the target host, connects to it and sends the message.


Once the server receives the incoming message, it hands it to a mail delivery agent (MDA) for delivery to local recipient. Once the message is delivered to the local mail server, the email is stored for retrieval by an authenticated MUA.


Types of MTU's


There are multiple mail transfer units used on various systems. In Linux, the major players are sendmail, EXIM, and postfix. On Microsoft operating system, the major player is Microsoft's Exchange Server


Packet-Level Analysis with Wireshark


When we capture packets going to a SMTP server, it looks something like that below.




Note that in packets 1-3, an outside client is completing a TCP three-way handshake. In packet 4, the SMTP server identifies itself as "mail01" and a Postfix server on Ubuntu and begins using the SMTP protocol for communication. In packet 5, the client issues the EHLO command initiating communication. In packet 8, the client identifies the email sender and in packet 10, the email receiver.


Setting Up an SMTP (EXIM4) Server in Linux


Let's now setup a SMTP server in our Kali Linux. In this case, we'll install exim4, the most widely used email server on Linux systems.


We can download exim4 from the Kali repository.


kali > sudo apt install exim4




Next, we need to execute a configuration wizard that walks us through the configuration of the exim4 server.


kali > sudo dpkg-reconfigure exim4-config


This starts a configuration wizard that queries us for information to configure the email server.


The first question is the type of mail server. If you want to setup your server to send and receive email across the Internet, select the first choice.

Next, you need to provide a domain name that you own. In my case, I used www.hackers-arise.com.


Next, we need to provide the IP address for the server to listen.


Here, we need to provide a list of recipient domains or local domains. The default is Kali and I left that in place.

Next, we need to provide a list of recipient domains that this system will relay mail. It is OK to leave it blank.

Next, we need to select the delivery method for local mail. We can choose between the mbox format of /var/mail or the home directory.

Next, we are queried regarding the DNS queries. If we want to minimize the DNS lookups select YES.

Next, select the domains to relay mail for. You can leave it blank.

Finally, we need to select whether to split the configuration file for the exim4. Unsplit is more stable while split makes it easier to make changes. I selected unsplit or NO.

Now, we only need to start our exim4 server and our email server is activated and ready to send and receive email!




Vulnerabilities in SMTP


Last year has been marked by a major vulnerability found in Microsoft Exchange Server, presumably by Chinese hackers. These vulnerabilities enabled these hackers to access many large corporations and institutions email records. The impact of this hack was so large and serious that the FBI was given authorization to patch Exchange Server systems throughout the US.



You can see the vulnerabilities below.

In addition, in 2020, exim email servers had two severe vulnerabilities that allowed unauthorized access of email stored on these servers.



Recon and Hacking SMTP


Before attempting any exploit, the first step is to do proper reconnaissance. nmap is the tool of choice for port scanning. let's scan our SMTP service to see what ports and services are running.


We can do a TCP scan on port 25 (the default SMTP port) with nmap and include the -A switch to attempt to determine the service running on that port, such as;


kali > nmap -sT -A 192.168.56.103 -p25

As you can see above, nmap found port 25 open and running Exim 4.68.


The determine any potential vulnerabilities on that SMTP server, we might use nmap scripts. To run all the nmap scripts for SMTP, we can use the --script=smtp-* option where the wildcard (*) means run all the scripts in the smtp category.


nmap --script=smtp-* 192.168.56.103 -p 25

As you can see above, the smtp nmap scripts were able to enumerate multiple users (these users can then be targeted with social engineering attacks) and find that the server is vulnerable to the cve-2010-4344 and CVE-2010-4345 exploits.



Next, let's see whether we can find these exploits in Metasploit. Fire up Metasploit by entering;


kali > msfconsole


Now, let's search for Exam exploits by using the search function.


msf5 > search type:exploits exim


As you can see in the screenshot above, Metasploit has multiple Exim exploits. Let's try the exploit/unix/smtp/exim4_string_format exploit.


First , let load the exploit using the use command.


msf5> use exploit/unix/smtp/exim4_string_format



Before we progress further, let's learn more about this exploit by entering ïnfo".


kali > info

As you can above, this module exploits a heap buffer overflow. In addition, if it detects a Perl interpreter, it will automatically escalate privileges from a regular user to root.


Then, let's set the RHOSTS parameter with the target system's IP address. With the RHOSTS set, next set the PAYLOAD. In this case, let's use cmd/unix/reverse_perl. This payload will open a command shell on the target machine using Perl (most Unix like systems have Perl installed by default) that will call back to our attack system if successful.


Lastly, we need only to set the LHOST and the LPORT. Let's set the LPORT 443 so that it uses commonly open port for HTTPS traffic. Often, by using this port, this exfiltration will go unnoticed.


The only step left is to run exploit


msf5> exploit

As you can see above, the exploit worked and gave us a command shell in session 1!


Unlike when we exploit a Windows system, when we grab a command shell on Linux systems, we do not get a command prompt but rather an empty line. To test whether we are actually on the Linux SMTP server, we can enter Linux commands and check for the response. In this case, let's run a few common Linux commands such as id, whoami, pwd, uname -a.

As you can see above, the system responding by informing us that user is uid=0 or root, the present working directory is /var/spool/exim4 and the uname is Linux mailserver01.


Summary


Email service or Simple Mail Transport Protocol (SMTP) is one of the most critical services in our digital age. It is also one of the most highly targeted services as it contains confidential and key information. It is critical that this service be properly configured to prevent unauthorized access to this crucial data source.




8,019 views3 comments

Recent Posts

See All

3 Comments


astriddavina54
astriddavina54
Jan 03, 2023

I’m excited to write about Henry Hacker, he is a great and brilliant hacker who penetrated my spouse’s phone without a physical installation app. And I was able to access my spouse’s phone, SMS, Whatsapp, Instagram, Facebook, Wechat, Snapchat, Call Logs, Kik, Twitter and all social media. The most amazing thing there is that he restores all phone deleted text messages. And I also have access to everything including the phone gallery without touching the phone.I can see the whole secret of my spouse. Contact him for any hacking service. He is also a genius in repairing Credit Score, increasing school grade, Clear Criminal Record etc. His service is fast. Contact:, Henryclarkethicalhacker@gmail.com and on whatsapp him on +1262-236-7526...


Like

Hi everyone... I am Mike Luciano and I’m so addicted to winning the lottery. I’ve just scooped my FOURTH jackpot of $1million – taking my total winnings to $4.6million through the help of one legit spell caster named Dr Amber. My first ever win was $100,000. Last year, I won $500,000 from the Pennsylvania state lottery and I also won $3 million in 2016 bringing the grand total of my winnings to $4.6 million. All my winnings have been made possible with the numbers given to me by Dr Amber. I've been so blessed, winning big three times in my lifetime. His spell casting is unique and safe unlike some fake spell casters that are just after your money without…

Like

You can hire Henryclarkethicalhacker for all your hacking needs which include clearing of criminal and driving records, credit hack fix, college grade changes, cloning phones, spying on anyone, hacking all social media accounts, etc,. Reach him via Henryclarkethicalhacker at gmail com

Text him,, Whatsapp,,+1 8 1 3 4 2 1 1 3 2 6.


Like
bottom of page