Another Forging E-mail tut

01-05-2008, 10:47 PM
Where do I begin... First off, SMTP and ESMTP have NOTHING to do with POP*...

Simple Mail Transfer Protocol, or SMTP, is a mail protocol used to SEND mail. Post Office Protocol, or POP (pop*), is a protocol used to receive mail. This is a direct flow in SOME SMTP servers. Most open SMTP servers with no authentication will be exploitable to this; the exploit is easy as pie to pull off manually.

Step One - Find an open SMTP server

This is the hardest part, and the best way to find one, if you do not know of one offhand, is to do a network scan with tools such as SuperScan or NetScan and scan for port 25, which is the standard SMTP TCP/IP port.

Step Two - Connecting

Once we have acquired a suitable system, we then open up a telnet session (Start -> Run -> type "cmd" and click OK -> at the black screen type "telnet [host name/ip] 25" and hit Enter).

Now let's break this down for those who are unaware of how telnet works: telnet [host/ip] 25
telnet - obviously the command to open the telnet program
[host/ip] - this is where you place the IP address or host name of the system
25 - port 25 is the standard SMTP port

Alternative way

Start -> Run -> type "cmd" and hit Enter -> at the black screen type "telnet" -> at the telnet> prompt type "connection" -> at the "to" prompt type "[hostname/ip] 25" and hit Enter.

Step * - Introducing yourself to the system

Once connected, you should receive a reply along the lines of:
Trying ???.???.???.???...
Connected to [hostname].
Escape character is '^]'.
220 [hostname/ip] SMTP Sendmail ?version-number?;

Now we tell the system who "we" are. To do this we use the "HELO" command:

HELO [something fake]

and the system will reply to you:

250 [Target Host/IP] Hello [Fake Host/IP], pleased to meet you

Now, do not quote me on this because I am not sure if this works anymore, but one used to be able to fool the header simply by using the correct host system... hence if you're sending this mail to someone saying you're "joe@fbi.gov" you would put

HELO www.fbi.gov

Step 4 - Sending the e-mail

Now is when we declare who we are sending the e-mail to and who it will be from, and also include the message.

First we have to tell the system who we are by using the following command:

MAIL FROM: mail@domain.ext

This is where you will put the fake e-mail addy. There will be a slight pause or delay and you should get replied back:

250 2.*.0 mail@domain.ext... Sender ok

Once again, the mail@domain.ext would be the fake addy. Now we tell the system who we are sending this e-mail to:

RCPT TO: mail@target.ext

The system will reply back to you:

250 2.*.0 mail@target.ext... Recipient ok

Input the subject:

Subject:-type subject here-

Then hit Enter twice to confirm it. Once this happens, you use the data command to start the e-mail:

data [your text]

Now, to complete the letter, you hit Enter and in the blank line you type a single "." and hit Enter. If done correctly you should get:

250 2.0.0 ???????? Message accepted for delivery

Now we just type "quit" and will get:

22* 2.0.0 [Targethost] closing connection
Connection closed by foreign host.

Congrats you have just sent a forged e-mail.

Now from here the SMTP will send it over to the POP*. Because it is coming from a "trusted" server, the POP* should self-validate it and send it on through. So this hack is not hacking the POP* so much as just confusing it. See, the POP* is made to accept e-mails that are validated... the SMTP with no authentication is already a security risk in the first place.

What have we learned?

Forged e-mails are an exploit based off the SMTP server; because this SMTP server validates the e-mail on its end, the POP* does not know the difference.
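An added example, not part of the post above: a simulated SMTP responder that walks the HELO / MAIL FROM / RCPT TO / DATA / QUIT dialogue the tutorial describes and shows, side by side, why an open relay accepts the forged envelope and how a server that only relays for its own domains (or for authenticated clients) refuses it at RCPT TO. The server name mail.example.test, the domains, and the simplified AUTH handling are assumptions for illustration; nothing here connects to a network.

```python
# Constructed SMTP responder (example code, not from the post).  One instance
# models one client session; handle() returns the reply a server would send.
class SmtpResponder:
    def __init__(self, local_domains, require_auth_for_relay):
        self.local_domains = {d.lower() for d in local_domains}
        self.require_auth_for_relay = require_auth_for_relay
        self.authed, self.in_data, self.rcpts, self.body = False, False, [], []

    def handle(self, line):
        """Return the reply for one client line (None while inside DATA)."""
        if self.in_data:                      # collecting the message body
            if line != ".":
                self.body.append(line)
                return None
            self.in_data = False
            return "250 2.0.0 Message accepted for delivery"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":                    # any name accepted, never verified
            return f"250 mail.example.test Hello {arg}, pleased to meet you"
        if verb == "AUTH":                    # constructed: credentials not checked here
            self.authed = True
            return "235 2.7.0 Authentication successful"
        if verb == "MAIL":                    # envelope sender, taken on trust
            return f"250 2.1.0 {arg.partition(':')[2].strip()}... Sender ok"
        if verb == "RCPT":
            addr = arg.partition(":")[2].strip()
            is_local = addr.rpartition("@")[2].lower() in self.local_domains
            if not is_local and self.require_auth_for_relay and not self.authed:
                return f"554 5.7.1 {addr}: Relay access denied"
            self.rcpts.append(addr)
            return f"250 2.1.5 {addr}... Recipient ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return "221 2.0.0 mail.example.test closing connection"
        return "500 5.5.1 Command unrecognized"


def run_session(responder, client_lines):
    """Feed the client's lines in order; return (line, reply) pairs that got a reply."""
    return [(l, r) for l in client_lines if (r := responder.handle(l)) is not None]
```

Run the same scripted dialogue against `SmtpResponder(["example.test"], require_auth_for_relay=False)` and `require_auth_for_relay=True` to see the open relay answer 250 at RCPT TO while the hardened one answers 554 and then refuses DATA with 503.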


01-06-2008, 08:53 PM
I covered most of this in my tut, but nice job anyway :D

01-07-2008, 10:53 AM
Yeah, I saw your post and noticed a lot of people were asking questions on a few things, so I decided to toss it up there.