We could spin up an email server off a typo-squat to send our spoofed emails… OR!!! We could hack their email server and use it to send our phishes for us!

Let’s hack their server.

(grumbles something about violation of CFAA something something non-extradition country something something Tor dark tubes...)

Email Phish Attack Vectors

There are three general attack vectors to sending email phishes: open relays, external email servers using malicious domain names, and utilizing the target’s own email servers to send internal emails.

Open Relays - are email servers that let you send from any domain to any domain. There aren’t a lot of public ones, but you can find lists on the opaque web. Many of them are blocked by primitive black lists and filters, so we’ll ignore them for our purposes.

External Email Servers - are just servers that we set up on our own and attach them to domain names that we’ve created. Those domain names could be official and trustworthy sounding (e.g. securemail.example) or a typo squat that looks similar to our target’s domain. We’ll cover setting these servers up in another post.

Internal Relays - Today, however, we’ll go over attacking the target’s own email servers. Many of these are “open” in the sense that you can connect to them, unauthenticated, and have their email server send an email from anyone within the domain (e.g. CFO@e-corp.example) to anyone else within the domain (e.g. accounts.payable@e-corp.example). I call these “internal relays”, but I’m sure someone else has created a more official name for them… maybe something like “Silly Message Transfer Pipe” servers or “SMTP” servers for short.

Recon – Enumerating MX records

You’ve already determined your target’s email schema and you’ve built up a target list by scraping LinkedIn.

Let’s find out where our target’s Mail Exchanges (MX) are. There are many tools that do this, including online tools like MX Lookup. I’m going to use ‘dnsenum’ which comes preinstalled in Kali Linux.

So let’s run ‘dnsenum’ against our target, e-corp.example:

~/$ dnsenum e-corp.example

Under the output header “Mail (MX) Servers:” we see:

mail1.e-corp.example
mail2.e-corp.example

The MX servers use the same domain as our target email domain. This indicates a high likelihood that the servers are on-prem, instead of using cloud providers or email proxies. You may see some of the following email proxies or cloud providers instead:

xxx-xxxxxxxx.xxxx.pphosted.com – Proofpoint
xxxxxx-com.mail.protection.outlook.com – Microsoft Office 365
xx-smtp-inbound-x.mimecast.com – Mimecast
xxxxxx.GOOGLEMAIL.com – Google Email (Enterprise Gmail)

If you do, don’t sweat it. Several of those proxies rely on their customers to set up configurations. As such, many are often open to internal relay misconfigurations as well!

For our purposes here, let’s target that second MX server, mail2.e-corp.example, on the notion that the messaging engineer properly configured the first email server and swore he’d finish the second one the next day but the next day he was distracted by his boss and told to reconfigure AIM to allow for interoffice communication and mail2 got pushed on the LIFO todo list which was quickly buried under an ever growing list of business needs and requirements. So, mail2 looks like a nice target. Let’s connect to it directly and have it send our emails for us.

Sending an Email by Hand

SMTP, or Simple Mail Transfer Protocol, is a simple protocol that transfers mail. When we say simple… we mean simple. It’s an ASCII based protocol which means we just tell it what to do using close-to-English commands. And it does it.

So let’s bust out the leet hacker tool, netcat (nc), and connect to the SMTP server directly. But what port do we use? Can you help me and tell me what port SMTP is on? …. Is it port 80? ….. No!!! That’s HTTP. Is it port 31337? ….. No!!! That’s Back Orifice. …. Did you guess port 25?!?! That’s right! Port 25 is SMTP! Good job! (Swiper, No Swiping!!!)

With that, let’s connect. We’ll use the flag -v to increase the output of netcat. For the purposes of this demonstration, we’ll continue to use the proof of concept servername mail2.e-corp.example (which isn’t real!!!). You’re welcome to use your own target (which I’ll assume you have proper authoriza...)

~/$ nc -v mail2.e-corp.example 25

You should get something along the lines of

mail2.e-corp.example [10.256.20.3] 25 (smtp) open
220 mail2.e-corp.example ESMTP ...

Great! It’s alive… and waiting. So let’s talk to it. Remember, it speaks English. Proper English, not American. So we have to phonetically type out our commands as if they were given in a British accent. Instead of saying “Hello,” we’ll use the Cockney “Ehlo!”

EHLO e-corp.example

The SMTP server will often respond back with a very polite greeting.

250-mail2.e-corp.example Hello [Your actual IP address], pleased to meet you!

Oh shit… you did remember to go through that “No Log” VPN right? RIGHT?!?! Oh… then you’re safe. You can believe them. They don’t ACTUALLY keep logs.

At this point, we can issue some SMTP commands. We can type in HELP to get a list of commands. If we don’t get a list, it’s alright… you can still talk to it. We can use VRFY to verify email accounts. This can be handy if we’re trying to determine valid email schema. Sometimes VRFY will say everything is valid, which may mean that you can send an email from a made up email address (e.g. 1337techsupport@e-corp.example) . Sometimes the functionality will be turned off. Play around with it. Also play around with EXPN.

For us, let’s just dive into sending an email. Let’s send an email from the CFO, Susan Jacobs.

MAIL FROM: sjacobs@e-corp.example

And the server responds…

250 2.1.0 Sender ok

Let’s send an email to an accounts payable clerk. Looking at LinkedIn, we find a “Frank Hamilton, AP/AR” who looks to fit the bill. (Lol. Fits the bill. Bill. Like a bill for dinner. Have to pay for dinner. He’s an accountant. He’ll pay the bill. Fits the bill. Yeah. That was funny.)

RCPT TO: fhamilton@e-corp.example

And the server responds…

250 2.1.0 Recipient ok

You can sometimes use RCTP TO: to validate email addressess! Try a gibberish email (fjdklsdfjal@e-corp.example) if that fails but another email (e.g. fhamilton@e-corp.example) succeeds, you can use this to enumerate valid emails. Tools such as metasploit's auxiliary/scanner/smtp/smtp_enum and nmap's NSE script, smtp-enum-users.nse, automate this for you.

Now that we’ve set this all up, we can send an email!!! We’ll use the SMTP command DATA. After that we can just type out our message, including new lines. We’ll tell the SMTP server that we’re done by putting a period “.” by itself on the last line and pressing enter a final time.

DATA

The server will remind you:

354 Enter mail, end with "." on a line by itself

Hold on a second… Why are we getting these actual, human readable, responses back? These aren’t easily read by email clients. It’s almost as if… and I could be wrong here… It’s almost as if we were meant to send emails by hand. That we were meant to have full conversations with the SMTP servers. That we were meant to develop meaningful relationships with these servers on a deeper level! Why have we allowed our client-server relationships to grow so cold?!?!

Oh well. Now we can send our email. We’ll craft the Subject line here, the to’s and the from’s, we could also do some cc’s and bcc’s. We could specify that we’re sending an HTML email, but by default it’ll just send text. For the sake of this tutorial, we’ll just stick the defaults.

From: Susan Jacobs <sjacobs@e-corp.example>
To: Frank Hamilton <fhamilton@e-corp.example>
Subject: Need this ASAP!

Frank!
 
Sorry to bother you. I’d call, but I’m in a meeting.

I have a lead and want to slip in before our competitors. I need you to send $10K to the following account:

ABA No. XXXXYYYYC
Account No. 987654321
ID No. 123456

We don’t have a lot of time for this, but I’ll fill you in this afternoon! Very excited!

-Susan
.

After we put that period “.” by itself at the end and press enter, the server should respond back with:

250 2.0.0 jo389fd90 Message accepted for delivery

Shit! It worked! Let’s get out of here!

QUIT

221 2.0.0 mail2.e-corp.example Closing connection

Recap

Your entire terminal session might look something like this:

~/$ nc -v mail2.e-corp.example 25
mail2.e-corp.example [10.256.20.3] 25 (smtp) open
220 mail2.e-corp.example ESMTP ...
EHLO e-corp.example
250-mail2.e-corp.example Hello [Your actual IP address], pleased to meet you!
MAIL FROM: sjacobs@e-corp.example
250 2.1.0 Sender ok
RCPT TO: fhamilton@e-corp.example
250 2.1.0 Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: Susan Jacobs <sjacobs@e-corp.example>
To: Frank Hamilton <fhamilton@e-corp.example>
Subject: Need this ASAP!

Frank!
 
Sorry to bother you. I’d call, but I’m in a meeting.

I have a lead and want to slip in before our competitors. I need you to send $10K to the following account:

ABA No. XXXXYYYYC
Account No. 987654321
ID No. 123456

We don’t have a lot of time for this, but I’ll fill you in this afternoon! Very excited!

-Susan
.
250 2.0.0 jo389fd90 Message accepted for delivery
QUIT
221 2.0.0 mail2.e-corp.example Closing connection

That was cool! Thing here is we’re not “spoofing” any email addresses. We’re using the functionality of the email server itself. If the target is using Active Directory and Outlook, the email address of the sender will often be paired with the AD photo of the employee as seen below.

email

Closing Valediction

That’s a nice phish for getting folks to do stuff. Send money, authorize an onsite visit, send a fake resignation letter. You can also send HTML emails that include malicious links or emails that contain malicious attachments. But we won’t do that by hand. A whole lot of “Mime-Version:” this and “Content-Type:” that. Meh. We’ll get a tool to do that for us. We’ll cover those in other posts.

Another thing to consider, this sends one-way emails. You don't get to see any responses back. If someone responds to this email, the actual recipient will get the response and the gig might be up. You can address this by putting in a fake MAIL FROM: (if the server allows it), or you can add a Reply-To: email address in the DATA (under Subject:).

Reply-To: <tinker@t0tallyl3g1t.ru>

This has it's own issues, so I generally don't worry about it. If you need a full conversation, spin up your own malicious email server with your own malicious domain.

Lastly, different SMTP servers react in different ways, but SMTP is SMTP. If a server doesn’t respond back to you, but also doesn’t close out the connection, it might still accept the commands (and just not tell you!). So, go through the whole thing and see if you actually receive the money… I mean… See if your point of contact on this authorized penetration test responds in the affirmative of the positive receipt of this email assessment.

::coughs::

Hack the Planet.