telneting the SMTP server

Stuff that don´t fit in the other categories.
Post Reply
User avatar
isapiens
Fame ! Where are the chicks?!
Fame ! Where are the chicks?!
Posts: 533
Joined: 05 May 2006, 16:00
15
Location: Turn around

telneting the SMTP server

Post by isapiens »

Hey guys, i was reading this tut on hackersthreads.com about how u can telnet your SMTP server, like smth.domain.com and get a basic greeting from a server. And then u can send a letter or smth through that if the server allows...
Does it work nowadays cuz i was not able to connect to anything. I type in windows "telnet smth.yahoo.com 25" and it says it cant connect. I was able to connect to old telnet sessions so i think i am doing the syntax right?

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
15
Location: Michigan USA
Contact:

SMTP

Post by DNR »

That is an old one, many SMTP servers are blocked to prevent spammers from spoofing off of them.

I still find a few though, usually they are small to large business networks. I used to spoof off this small computer company in a small town.

You'd telnet to port 25, the SMTP server would greet you with:

220 gnr.u2me3.com ESMTP Sendmail 8.9.3/8.9.3; Mon, 31 Jan 2006 01:45:38 -0500

Now you know the brand and version of the SMTP server, thats good for exploiting..

A good sysadmin will remove this banner..

Just like any protocol, you have to follow strict procedure:

You must type it correctly and you cannot backspace to correct errors.

Type in:

MAIL FROM: President@whitehouse.gov, hit enter

you might see :

250 President@Whitehouse.gov... Sender ok

Then type :

RCPT TO: DNR@gmail.com, hit enter

you might see:

250 DNR@gmail.com... Recipient ok

MANY SMTP servers will deny you at this point, why?
1. you are not a user of the network the SMTP serves, so you'll get

"Relaying denied" this is a simple filter. If you want to send spoofed email to a authorized user, it will work. This is why there are advanced filters to prevent spammers from getting on the network and spamming the users/employee'e email boxes.

IF you get "Recipient ok" then lets proceed.

Type :


DATA, hit enter

you might see:

354 Enter mail, end with "." on a line by itself

You can now compose your text email, in this case it will look like it came from President@whitehouse.gov and be sent to DNR@gmail.com.
After you write your message, on a line by itself, type a "."

You should see:
250 BAA07042 Message accepted for delivery

then type "Quit" so you show the sysadmin you know what you're doing :wink:

Keep the SMTP servers a secret, I lost the one in the small town because I gave it out to other friends :P

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
isapiens
Fame ! Where are the chicks?!
Fame ! Where are the chicks?!
Posts: 533
Joined: 05 May 2006, 16:00
15
Location: Turn around

Post by isapiens »

Thanks DNR, i thought the answer is gonna be smth like that cuz it seemed way too easy to forge an email. But still it is good to know.
And thanks for the tip, i wont tell anyone, if i find one lol

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
15
Location: Michigan USA
Contact:

SMTP links, reading headers, sam spade

Post by DNR »

http://www.stern.nyu.edu/it/guides/smtp ... udora.html

http://www.ostrosoft.com/smtp_component/faq.asp

http://www.softheap.com/localsrv-localsrv-faq/

http://www.e-marketingassociates.com/ho ... q/smtp.asp

http://www.emailarms.com/faq/smtp_faq.html

http://c0vertl.tripod.com/digital.htm



Some junk to read on SMTP, lil POP, and no IMAP..

check out Samspade.org for their email parser.
Forged or suspicious email might have a warning in the _full_ email headers about 'maybe forged' , but some are false alarms. Most people do not view the full email headers, thus are fooled by the simple FROM: address.

In the case of Gmail.com, you will select "more options" link next to the sender's simple email address. Then you will select the link for "show Original" it will display the email in the SMTP version:

X-Gmail-Received: 91324be7b2455a95bef97317a57ec678943f69bb
Delivered-To: DNR@gmail.com
Received: by 10.64.179.16 with SMTP id b16cs46119qbf;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
Received: by 10.54.153.16 with SMTP id a16mr2683614wre;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
Return-Path: <Online.University+DNR=gmail.com@ajijj.com>
Received: from mail1.ajijj.com (i44-251.alfgl.com [200.62.44.251])
by mx.gmail.com with ESMTP id 15si464870wrl.2006.07.14.12.01.57;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
Received-SPF: pass (gmail.com: domain of Online.University+DNR=gmail.com@ajijj.com designates 200.62.44.251 as permitted sender)
Message-Id: <44b7ea2c.4ebc1de7.1271.ffff8a27SMTPIN_ADDED@mx.gmail.com>
From: OnlineUniversity <Online.University+DNR=gmail.com@ajijj.com>
To: DNR@gmail.com
Subject: do you know which is the best online university?
Date: Fri, 14 Jul 2006 16:01:48 -0300
MIME-Version: 1.0
Content-Type: text/html

Viewing suspicious email in text form, like this is a good way to determine if the email is active script, like having HTML. Content-Type: tells you the content of the email, 'text-html'. This email contained advertisement, junk pictures that clog my bandwidth (all which contact a server and leak your IP/browser/other nfo).

Samspade's tools, like the email parser will do a lot of work for you, adding helpful comments, running DNS checks, warnings. Check out the same email header run through SamSpade's email parser:

07/15/06 10:38:00 Input
The Received: headers are the important ones to read

My comments are just hints, and should be considered only
an opinion. I may have guessed wrong, or things may have
changed since I was written

X-Gmail-Received: 91324be7b2455a95bef97317a57ec678943f69bb
Delivered-To: dnr@gmail.com
Received: by 10.64.179.16 with SMTP id b16cs46119qbf;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
This received header was added by your mailserver
10.64.179.16 received this, but doesn't tell us
where from.
(Without a from parameter it's hard to verify later
received headers. Treat with caution)


Received: by 10.54.153.16 with SMTP id a16mr2683614wre;
Fri, 14 Jul 2006 12:02:04 -0700 (PDT)
10.54.153.16 received this, but doesn't tell us
where from.
(Without a from parameter it's hard to verify later
received headers. Treat with caution)


Return-Path:
<Online.University+dnr=gmail.com@ajijj.com>
Received: from mail1.ajijj.com (i44-251.alfgl.com
[200.62.44.251]) by mx.gmail.com with ESMTP id
15si464870wrl.2006.07.14.12.01.57; Fri, 14 Jul 2006
12:02:04 -0700 (PDT)
mx.gmail.com received this from someone claiming
to be mail1.ajijj.com
but really from 200.62.44.251(i44-251.alfgl.com)
All headers below may be forged


Received-SPF: pass (gmail.com: domain of
Online.University+dnr=gmail.com@ajijj.com
designates 200.62.44.251 as permitted sender)
Hmmm received-spf: isn't a header I recognise
Message-Id:
<44b7ea2c.4ebc1de7.1271.ffff8a27SMTPIN_ADDED@mx.gmail.com>
From: OnlineUniversity
<Online.University+dnr=gmail.com@ajijj.com>
To: dnr@gmail.com
Subject: do you know which is the best online university?
Date: Fri, 14 Jul 2006 16:01:48 -0300
MIME-Version: 1.0
Content-Type: text/html

All the above added comments are Steve Atkins, the creator of the app.

So not only was it easy to spoof email , but its easy to determine a suspicious one.

Set your email to text only.


DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

Post Reply