Documents about the SMTP Protocol
Sendmail Tutorial version 1.1 - (UGW Security Information Base)

First: we are not trying to train hackers for violence and illegality ;) We are just a "project" that tries to teach you, the readers, how security holes work. The first tutorials will cover the basics (read them to understand everything); after that we will discuss the more complex topics. Whenever you see "Word(1/2/3/....)" you will find an explanation at the end of the text.

Disclaimer: This information is for legal use only. It is for educational use and explains how things work; it does not tell/ask you to do this!! We take no responsibility for any illegal activities! So if you want to learn and don't want illegal activities, you are welcome to read and understand!

Index:
01.-Introduction
02.-Fake Mails?
03.-How to send Fake Mails
04.-More Commands?
05.-How can I see that I get a fake mail?
06.-Hmm how can I see if an email exists?
07.-Send a realistic Fake Mail?
08.-Nice tip I discovered
09.-Something you should remember and know!
10.-Hacking through Sendmail?
11.-Where can I find exploits?
12.-How to attach a file to the mail

Sendmail:
~~~~~~~~~
Sendmail is a Daemon(1) that sends mails (see also the POP3 tutorial for the daemon that receives the mails). It can actually be called the most insecure daemon ever, and more errors and exploits keep getting published! To see whether your Sendmail daemon has a security problem, connect to Port(2) 25: "telnet domain.de 25" (assuming it is your Sendmail daemon and it has not been moved to another port). Something like this should appear:

Connected to domain.de.
Escape character is '^]'.
220 domain.de ESMTP Sendmail 8.9.3/8.9.3; Wed, 4 August 1999 16:23:42 +0200

SMTP stands for Simple Mail Transfer Protocol; the E in ESMTP stands for "Extended". This information is EXTREMELY important: based on the version (8.9.3) you can find exploits (use the addresses at the end of this article, and therefore always keep your Sendmail updated).

Fake Mails?:
~~~~~~~~~~~~
Yeah!
It is very, very easy basically, and after reading this you will know how to send a fake mail. Normal programs like Outlook and such do the same! They just use the following commands, so of course you can use these commands manually... just go on reading!

How to send Fake Mails:
~~~~~~~~~~~~~~~~~~~~~~~
Now over to the fake mail. To send a fake mail, type (while connected to the SMTP server on port 25):

helo domain.de (return)
mail from: blahhhh@domain.de (return)
rcpt to: superuser@domain.de (return)
data (return)

then your contents, e.g. "hahaha you are a loser" (end with a return, a "." on a line by itself, and another return). To disconnect you can type "quit".

Commands:
~~~~~~~~~
To get still more information type "help dsn" or "help". By typing "help" you will get this:

214-This is Sendmail version 8.9.3
214-Topics:
214-    HELO    EHLO    MAIL    RCPT    DATA
214-    RSET    NOOP    QUIT    HELP    VRFY
214-    EXPN    VERB    ETRN    DSN
214-For more info use "HELP <topic>".
214 End of HELP info

You should check all commands and understand them, so you get more into this!

How can I see that I get a fake mail?:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are two ways:

1. (This won't always work; I'll explain why.) If you get a mail from hmm@ahh.net you can try to connect to ahh.net and see if port 25 is open. If it isn't, the mail couldn't actually have been sent through their server, right? Another way is to vrfy the user (see below: "Hmm how can I see if an email exists?").

2. Well, when you receive a mail you get the header with it, right? Right! Look at it and you will see a line like "Received: from mail.com". So if that line says mail.com but the sender is fake@asd.de, it's a fake: a real mail that says "Received: from mail.com" would come from an address like fake@mail.com. Understood? Good... So you might think this is very easy and fake mails can always be discovered, but can I fake them realistically?

Hmm how can I see if an email exists?:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Very easy actually. By reading all the commands ;) you saw this "vrfy", right?!
Yeah, this command is used when you send a mail to, let us say, RCornder@isp.net. You know when you get these "blablabla user doesn't exist" mails? That's it: your client's SMTP server checked it and found out that the user you requested doesn't exist ;) So to verify, do this:

vrfy name@mail-isp.net

Send a realistic Fake Mail?:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well, you will have to send the mail from the host name's SMTP server. So if you want the mail to look as if it was sent from hidiho.com, you will have to connect to hidiho.com port 25 and send the mail from there; if it is an ISP you could even use their connection. So let's say you want to send a mail from germany.net, you do this:

1) Since it is an ISP you can use call-by-call dial-up (you don't have to sign a contract; they put the bill on your telephone bill). Say their call-by-call number is 06457-451235: make a connection over their number, connect to their domain, which is germany.net, at port 25, "helo germany.net", go on writing the mail, and you will have sent a realistic looking fake, since whois on the IP will show germany.net and the Received line will show germany.net too!

Nice tip I discovered:
~~~~~~~~~~~~~~~~~~~~~~
There are firms that have a staff mail service. This means if you send a mail to staff@firm.com, all people on firm.com get the mail... and you, the sender, get a copy!!! I don't know if this trick works on all servers, BUT: when I started playing around with fake mails I had an apprenticeship at a firm, you know, this thing from school like "test the job you want", for 3 weeks in a security firm. When they heard and saw I was getting into that scene they said: "Try to find something insecure on our server", and I did! ;) I thought I wanted to send a fake mail to all users, so I created a fake mail from staff@firm.com to staff@firm.com. Since it was late and we all left, I didn't see what happened, but what I saw next morning was great fun!!!
Everybody had like 10000 mails in their inbox ;))) Since the mail from staff@firm.com was sent to staff@firm.com all over again, a loop was created which didn't stop and went on all night till the server crashed! So this is very theoretical since I didn't try it, but my solution is to delete the function that sends the copy of the mail to the sender...

Something you should remember and know!:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Never forget to give your SMTP server a "helo hostname.com", otherwise you will get an error like "X-Authentication-Warning: ...... didn't use HELO", and this definitely means you have a fake mail! And something else you should know: in the "Received: from" line you will see an IP; by whoising it you will get the ISP of the user (unless he is using a proxy or other crap, Wingate and such).

Hacking through Sendmail?:
~~~~~~~~~~~~~~~~~~~~~~~~~~
Yeah, you can hack a server through SMTP! To do this you will have to get the version of the SMTP server, which you will find in the daemon banner, remember?:

Connected to domain.de.
Escape character is '^]'.
220 domain.de ESMTP Sendmail 8.9.3/8.9.3; Wed, 4 August 1999 16:23:42 +0200

But a daemon banner can be faked, so you will have to do this too: remember the help command?

214-This is Sendmail version 8.9.3
214-Topics:
214-    HELO    EHLO    MAIL    RCPT    DATA
214-    RSET    NOOP    QUIT    HELP    VRFY
214-    EXPN    VERB    ETRN    DSN
214-For more info use "HELP <topic>".
214 End of HELP info

In the first line you see the version, and by sending yourself an email you get it in the Received line! (You will notice that the Received line is my favourite, since you retrieve most information out of it.) Now that you have the version, look for an exploit and hack it! How to use exploits? Well, just search for one and you will get an explanation; I will just show you one:

Sendmail up to recent 8.9.x versions - any user may pass -bi parameter to /usr/sbin/sendmail. This will result in aliases database rebuild.
IMHO there's no reason to allow such things, but no matter - something rather stupid is done during rebuild:

5366 open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6

What a bad luck! There's approx 0.1 sec delay due to /etc/aliases processing (on my system). Meantime, luser might deliver any signals to sendmail process... SIGKILL is quite good. After that, /etc/aliases.db will be left in unusable state (no EOF marker), causing DoS:

220 Marchew ESMTP Mail Service at nimue.ids.pl ready.
mail from: myself
451 Cannot open hash database /etc/aliases: Invalid argument
rcpt to: lcamtuf
503 Need MAIL before RCPT

Exploit is trivial.

Michal Zalewski [lcamtuf@ids.pl] [http://lcamtuf.na.export.pl]

I got this from packetstorm.securify.com. So if you have a version, just search for "Sendmail version [version number]"; for 8.8.8 you would search "Sendmail version 8.8.8", ok?

Here some more pages where you'll find Exploits or Bugs:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- http://www.securityfocus.com
- http://www.netspace.org (BugTraq; for new bugs mail me (ugw-mail@gmx.de))
- http://www.hackersclub.com
- http://www.sendmail.org
- http://www.securitywriters.org/

How to attach a file to the mail:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(addition from TCL)
You ever faked an email and wanted to attach a file to it? Like a funny picture or something like that? Well, I'm gonna teach you how to do it! Sending files through emails is usually done with UUencoding (Unix-to-Unix). It takes a file and turns it into ASCII (regular characters). Windows users only need WinZip (you got it, right? If not, download it from winzip.com): make a new archive that contains the file that you want to send, then do Shift+U.
WinZip will create a file named filename.uue. Open the file with Notepad and copy everything. Unix users can do:

uuencode myfile.txt myfile.txt > myfile.uue

After that, open myfile.uue with pico/vi etc. and copy everything in it. Then start faking your email, and after you get to DATA, paste the whole thing after you wrote your letter but before writing the '.'. Enjoy! And don't send any viruses!
TCL

Daemon (3): Well, just to close this topic: a service that is computer automated and takes commands to execute them automatically. I hope we could help you in this case. I (Dead_Beat) wish you fun trying things out.

Credits: by Dead_Beat
Questions or suggestions to ugw-mail@gmx.de
Have Phun
Visit us: http://www.undergroundworld.de.vu
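The two header checks from the sections "How can I see that I get a fake mail?" and "Something you should remember and know!", as an added Python 3 example (not code from the original tutorial): it compares the host in the topmost Received: line with the sender's domain and looks for Sendmail's X-Authentication-Warning header. The sample message, the hostnames dialup12.asd.de and mx.example.net, and the address 192.0.2.45 are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header (not from the original text): the mail claims to
# be from bob@mail.com, but the topmost Received: line shows it was handed to
# our server by a dial-up host at asd.de, and Sendmail noted the missing HELO.
SAMPLE = """\
Received: from dialup12.asd.de (dialup12.asd.de [192.0.2.45])
\tby mx.example.net (8.9.3/8.9.3) with SMTP id QAA12345
\tfor <alice@example.net>; Wed, 4 Aug 1999 16:23:42 +0200
X-Authentication-Warning: mx.example.net: dialup12.asd.de didn't use HELO protocol
From: bob@mail.com
To: alice@example.net
Subject: hello

hahaha you are a loser
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

def received_hosts(msg):
    """Host named after 'from' in each Received: line, newest (topmost) first."""
    hosts = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_FROM.match(value.strip())
        if match:
            hosts.append(match.group(1).rstrip(";").lower())
    return hosts

def spoof_indicators(raw):
    """Return the reasons this mail looks faked; an empty list means no finding."""
    msg = message_from_string(raw)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hosts = received_hosts(msg)
    # Check 1: the host that delivered the mail to us should belong to the
    # sender's domain (a real mail from @mail.com arrives from a mail.com host).
    if hosts and hosts[0] != from_domain and not hosts[0].endswith("." + from_domain):
        reasons.append(f"delivered by {hosts[0]}, which is not a host of {from_domain}")
    # Check 2: Sendmail flags a client that skipped HELO (or used a wrong HELO
    # name) with an X-Authentication-Warning header.
    for warning in msg.get_all("X-Authentication-Warning", []):
        reasons.append("X-Authentication-Warning: " + warning.strip())
    return reasons

for reason in spoof_indicators(SAMPLE):
    print("suspicious:", reason)
```

A mail relayed through a host of the sender's own domain and with a proper HELO produces an empty list; any Received: chain can be checked the same way, but only the topmost line was written by your own server and is therefore the one you can trust.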
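The UUencoding that the section "How to attach a file to the mail" relies on, as an added Python 3 example (not TCL's or the tutorial's own code): it builds the same begin/end text block that uuencode(1) and WinZip's .uue file contain, and decodes it the way a recipient's mail client does, skipping the letter text that precedes it. The file contents and the name picture.gif are constructed.

```python
import binascii

# Constructed sample file contents (not from the original text): 524 bytes,
# including every byte value, so the encoding must cope with binary data.
SAMPLE_FILE = bytes(range(256)) * 2 + b"end of file\n"

def uuencode(data, name, mode=0o644):
    """Build the 'begin ... end' block that uuencode(1) and WinZip's Shift+U
    produce: one 61-character 7-bit ASCII line per 45 input bytes."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):             # 45 bytes -> 1 length char + 60 chars
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines.append("`")                             # a zero-length line ends the data
    lines.append("end")
    return "\n".join(lines) + "\n"

def uudecode(text):
    """Recover (name, data) from a uuencoded block pasted into a mail body.
    Anything before the 'begin' line (the letter itself) is ignored."""
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if line.startswith("begin ")]
    if not starts:
        raise ValueError("no 'begin' line found")
    start = starts[0]
    name = lines[start].split(maxsplit=2)[2]
    out = bytearray()
    for line in lines[start + 1:]:
        if line == "end":
            break
        out += binascii.a2b_uu(line)              # the '`' line decodes to b''
    return name, bytes(out)

if __name__ == "__main__":
    block = uuencode(SAMPLE_FILE, "picture.gif")
    print(block.splitlines()[0], "...", len(block.splitlines()), "lines")
    name, data = uudecode("hahaha you are a loser\n" + block)
    print(name, len(data), "bytes, intact:", data == SAMPLE_FILE)
```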