[00:00:06] Simple Mail Transport Protocol, or SMTP, is used to send email. Very common protocol. There are encrypted methods for sending emails. Today, however, most mail servers will still listen on TCP/25, and you can connect to TCP/25. You simply telnet, IP or host name, space 25, and you can start talking to an SMTP server. There are several verbs or commands that you can execute against an SMTP server, such as EXPN, VRFY, RCPT TO. These three commands are listed specifically because they can be used to determine if a recipient is valid. Now, it may or may not work these days. Back in the late '90s, early 2000s, it was quite a bit more common to see execution of these verbs against mail servers in order to validate the existence of a user account. So if you did, for example, VRFY admin@example.com, then it could tell you that, yeah, it's true. Now you have a username and you can, you know, whatever, brute force, but you know the username. We wanna call out a tool here, NetScanTools Pro, available over at netscantools.com. It provides several features for interacting with SMTP servers.
[00:01:23] Take a look at that, play around with it. You can actually learn a lot about the protocols by looking at tools like this one.

[00:01:31] Now, I wanted to give you an example of how to spoof an email. I don't believe we talk about it in this course, but it falls into this concept, to this discussion of connecting to an SMTP server and sending commands manually. So we had the VRFY command, for example. So in this example, I am connecting to an SMTP server and I'm sending the valid commands to send an email to a recipient. So let's run through what's happening here on the screen. Before we run through that though, I want to touch on a point, and that is the security of email servers today in the 2020s is quite a bit more advanced than it was, you know, 10, 20 years ago. Being able to do this, to spoof an email in this manner, while it still does work, you can still connect to port 25 on pretty much any email server out there, there's gonna be protections there. And we run into one of those protections here at the end of this example. So we'll talk about that when we get there. So let's start off.
[00:02:30] First thing we need to do is determine the mail exchanger for the domain. So I'm spoofing an email to a user@gmail.com. So we have dig MX gmail.com. Dig, we're gonna talk about here in about two slides. It's used for querying DNS servers. We need the MX record for the domain. I run dig MX gmail.com and it returns to me five valid mail exchangers for gmail.com. It's up to the client which one to connect to. In our example here, we are going to telnet to the final record, the one with priority five. We're gonna telnet to that name on port 25. It does the DNS resolution, we see 77..27. And right here, 220 MX ESMTP, GSMTP. We're ready to go, it'll sit there waiting for input. So we've opened a session to the SMTP service and it's waiting for our input. What command do you wanna execute? We start off with the HELO and then an identifier. This identifier, in this case I use doe.com, could be anything. Next up, MAIL FROM and then we have a colon and a less-than symbol and then the email address where we are sending from, in this case, John@doe.com. Next up is RCPT TO.
[00:03:47] So this is who you are sending to. Now, you'll notice that there's a black space there; that's because there is an actual email address there and I don't want to reveal that. So RCPT TO, username@gmail.com. And it says OK. This is important right here. So this OK that is indicated right here. Also on MAIL FROM we have an OK. It'll say syntax error in the case of Gmail, but various mail servers may say other things. You're gonna wanna see that OK. The various mail clients are looking for the OK to move forward. Next up we send the word DATA and hit enter. Once we do that, the SMTP server is waiting for the actual contents of the email. If we're just sending plain text email, we can simply start typing. Now, you'll notice I send Subject, colon, we need to talk. So Subject with some words after it and then two carriage returns. The SMTP server knows that that is the subject and that is what will be displayed in the subject line for the email. Then we send the contents of our email. Here, I just sent never mind. We send a period on a line by itself.
[00:04:56] That concludes the email as far as the SMTP server is concerned. Now, I do have this error here: Our system has detected that this message is suspicious due to very low reputation of the sending IP. So I was sending this from my house and I don't send very many emails from my house. So low reputation, of course. So they did not expect this. So they are rate limiting me from sending future emails, at least for a period of time, until I can achieve a higher reputation. Which I never will. So this does work on pretty much every email server out there. Still listens on port 25. You can talk to it and you can send commands. You might hit some roadblocks along the way, particularly if you're sending it from something that is not trusted on the internet.

[00:05:44] All right, next up, domain name system enumeration. So DNS is used for translating names to IP addresses. Computers don't talk names, they talk numbers, right? So when you type in google.com in your browser, a request goes to a DNS server, gets translated to an IP, your browser will then tell the operating system I need to open a session to this IP.
[00:06:08] And, you know, on down the stack it goes. So DNS can be used to gather information as well. You know, building up your playbook of your target.

[00:06:19] Let's talk about DNS for a second. So we already talked, it does the translation. UDP port 53. There's a concept within DNS called zone transfer, which is pretty hard to do these days. Similar to SMTP, the ability is usually turned off for running things like an SMTP VRFY. You're probably not gonna see that enabled very often. Similarly, zone transfers are usually disabled as a means of security. As I mentioned right here, zone transfer is protected in modern name servers, meaning it's turned off by default. Here's an example of a zone transfer attempt. The capability is there, it's defined in the RFCs to be able to do zone transfers. So the commands that are out there, such as on Windows: nslookup, set type=ns, asdf.com. We get the authoritative name server. Switch to that name server with the server command. Set type to any, and then ls -d asdf.com will try to do a zone transfer.
[00:07:22] You notice here, bad error value, because most DNS servers these days will turn that feature off. Now, here's an example of doing it with dig. Dig is a command for interacting with DNS servers that you commonly see installed on Linux systems. Dig stands for domain information groper, seriously. This is a zone transfer attempt, so dig NS apple.com. This will query for the authoritative name server for apple.com. We can see that NS is in server two.apple.com. And then we can run the dig with the options for a domain transfer. So we have dig axfr @, the at sign says I wanna send this request directly to this server. We're gonna send it to the authoritative name server for apple.com and then give it the domain apple.com. And we see here transfer failed. So again, finding a DNS server today that has zone transfer enabled is going to be difficult. However, somewhere on the internet there's a DNS server that's been up and running for 15, 20 years, it's doing its job, no one ever looks at it, and no one ever took the time to disable this functionality.
[00:08:37] If you are able to do a zone transfer successfully, there's a wealth of information in there. Every A record is going to be listed. That'll give you names of computers and other relevant information about your target. So attempt it. You might not be successful, but give it a shot. You might be surprised.