|
Welcome to yet another Hacking Truths manual. Although this
manual comes after a long break, it is really nice to get
back to writing for HT. Anyway, in the past, we have had a
number of explanations on how to send forged emails, how to
play with the Sendmail daemon, email headers and everything
else to do with SMTP (Simple Mail Transfer Protocol) and
emails. Although this manual too throws light on related
matter, it is however more focused on advanced tips and
tricks and other uncommon but extremely useful pieces of
information.
Now, we have already learnt how one can, telnet to Port 25
of a mail server and send an email (even a forged email) by
simply typing out some SMTP commands. However, for the
benefit of beginners and to refresh the memory of
experienced but forgetful people, we would quickly be going
through the process. I promise to make it as short as
possible, at the same time easy to understand.
Port 25 is the Sendmail Port where the SMTP daemon runs.
This daemon is infact the daemon handling all the outgoing
mails. All email clients send mail by connecting to Port 25
of the mail server and issuing SMTP commands. This process
is automated and occurs in the background.
However, one could also manually connect (telnet) to Port
25 of a mail server and manually type out the SMTP commands
in order to send emails. So the basic outline of the entire
process as below. For details regarding the usage of
individual commands, simply type the word ‘help’ followed by
the command at the Sendmail prompt.
Note:The below sends a mail from ankit@bol.net.in to
namitas@bol.net.in by issuing SMTP commands to the mail
server: mail.isp.com Responses from the mail sever have a
number preceding them while the commands typed by the user
do not have any number preceding.
C:\windows>telnet mail.isp.com
220 mail.isp.com ESMTP Sendmail 8.9.1
(1.1.20.3/07Jul00-0916AM) Thu, 7 Dec 2000 17:18:50 +0530
(IST)
helo ankit.com
250-mail.isp.com Hello [203.xx.yyy.91], pleased to meet you
mail from: ankit@bol.net.in
250 ankit@bol.net.in... Sender ok
rcpt to: namitas@bol.net.in
250 namitas@bol.net.in... Recipient ok
data
354 Enter mail, end with "." on a line by itself
This is the part where the body of the message is typed in.
.
250 RAA0000001693 Message accepted for delivery
The headers of the above email as seen by the recipient is
as follows:
Return-Path: <ankit@bol.net.in>
Received: from ankit.com by mail.isp.com
(8.9.1/1.1.20.3/07Jul00-0916AM)
id RAA0000001693; Thu, 7 Dec 2000 17:19:49 +0530 (IST)
Date: Thu, 7 Dec 2000 17:19:49 +0530 (IST)
From: Ankit Fadia <ankit@bol.net.in>
Message-Id: <200012071149.RAA0000001693@mail.isp.com>
X-UIDL: 920156a3b926c5193036933e6d04efd5
This is the part where the body of the message is typed in.
Anyway, now that we have recalled the basic outline of the
process of manually sending an email, let us move on with
the main subject of this manual.
The Subject Field Un-subjected
Now, ever since I released the manual on sending forged
emails (Sending emails using SMTP commands) I have received
a number of emails asking me questions like: “How to Specify
the Subject of an email sent manually by connecting to Port
25 of a system”. Or “How to Specify CC and BCC recipients
when doing the same?” Well, in this section we discuss just
that.
Firstly, let us learn how to specify the subject of an
email engineered manually by SMTP commands. Well, the
process of specifying the Subject remains pretty much
similar to the normal process of sending emails manually.
Actually all the commands remain the same until we reach the
‘data’ command. After we issue the ‘data’ command, the
remote mail server will reply with the below message:
354 Enter mail, end with "." on a line by itself
This server response means that we can start typing the
body of our message now. However, it also indirectly
specifies that this is the time that we type in the Subject
of the email. We can specify the subject of the email as
follows:
Subject: Hi
Where ‘subject:’ is the keyword, which tells the mail
server that you are ready to type in your subject and ‘Hi’,
is the subject of your choice. You can continue with the
body of the email by pressing the ‘Enter’ key and typing in
the characters. The end with the: ‘ . ‘(Period) and
everything else remains the same.
Let us go though the entire process, step by step. Please
note that I have inserted comments wherever necessary within
brackets. Both the brackets and the characters within the
brackets are not a part of the actual commands.
For this example, we need to keep the following pieces of
information in mind:
Mail Server: mail.isp.com
Recipient’s Email Address: namitas@bol.net.in
Sender’s Email Address: ankit@bol.net.in
Subject: Hi!!!
Body: This is a test message
C:\windows>telnet mail.isp.com
220 mail.isp.com ESMTP Sendmail 8.9.1
(1.1.20.3/07Jul00-0916AM) Thu, 7 Dec 2000 17:18:50 +0530
(IST)
helo ankit.com
250-mail.isp.com Hello [203.xx.yyy.91], pleased to meet you
mail from: ankit@bol.net.in
250 ankit@bol.net.in... Sender ok
rcpt to: namitas@bol.net.in
250 namitas@bol.net.in... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject: Hi!!!
This is a test message
.
250 RAA0000001693 Message accepted for delivery
Now if you examine the headers of this email, you will find
that they unlike the headers that we viewed earlier in the
manual will have a separate Subject line.
Return-Path: <ankit@bol.net.in>
Received: from ankit.com by mail.isp.com
(8.9.1/1.1.20.3/07Jul00-0916AM)
id RAA0000001693; Thu, 7 Dec 2000 17:19:49 +0530 (IST)
Date: Thu, 7 Dec 2000 17:19:49 +0530 (IST)
From: Ankit Fadia <ankit@bol.net.in>
Message-Id: <200012071149.RAA0000001693@mail.isp.com>
Subject: Hi!!!!
X-UIDL: 920156a3b926c5193036933e6d04efd5
This is a test message
CC’s and BCC’s
What are the SMTP commands equivalent to the BCC and CC
fields of your email client? Well, this question has only
one simply answer: none. The following few lines will tell
us why.
To understand the answer to the above question, let us
first understand how exactly does an email client handle a
CC or a BCC. How does it do what we are supposed to do with
the CC and BCC features?
Now, when you hit the Send button, then your email client
connects to Port 25 of the mail server that you specified
during the configuration time. Then it will issue SMTP
commands to the remote mail server and send it the required
information. And in this process your email is sent. The
order in which the various SMTP commands are given is same
as described earlier.
Normally, when you have only a single recipient, then your
email client issues only a single ‘RCPT TO:’ command, to the
mail server. However, when there is more than a single
recipient, then the email client issues multiple instances
of ‘RCPT TO:’ Or in other words, when the CC field of your
email client is not empty then multiple RCPT commands are
issued.
You see the Simple Mail Transfer Protocol does not provide
any special command for CC’ing an email to someone. The
entire concept of CC relies on the issue of multiple RCPT
commands to the mail server. The same is the case when you
have multiple recipients in the ‘To:’ field of the email
client. So basically this means that it really doesn’t
matter whether you add a recipient’s email address to the CC
field or to the ‘To:’ field. The SMTP command issued and the
headers created will remain the same.
Let us take a practical example to make it clearer. The
recipients’ list for this example is as follows:
To: ankit@bol.net.in; ankitfadia@hotmail.com
CC: ankit_Fadia@hotmail.com ; namitas@bol.net.in
In this case, the following are the commands, which will
send a blank email with the subject ‘test’ from the email
address:
test@bol.net.in to the above list of recipients.
C:\windows>telnet mail.isp.com
220 mail.isp.com ESMTP Sendmail 8.9.1
(1.1.20.3/07Jul00-0916AM) Thu, 7 Dec 2000 17:18:50 +0530
(IST)
helo ankit.com
250-mail.isp.com Hello [203.xx.yyy.91], pleased to meet you
mail from: test@bol.net.in
250 test@bol.net.in... Sender ok
rcpt to: ankit@bol.net.in
250 ankit@bol.net.in... Recipient ok
rcpt to: ankitfadia@hotmail.com
250 ankitfadia@hotmail.com... Recipient ok
rcpt to: ankit_fadia@hotmail.com
250 ankit_Fadia@hotmail.com... Recipient ok
rcpt to: namitas@bol.net.in
250 namitas@bol.net.in... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject: Test
.
250 RAA0000001693 Message accepted for delivery
Get it? Now, let us move on to as to how BCC works.
Now, in the above case i.e. in the case of CC, the email
client used multiple RCPT’s in the same SMTP session to send
the same email to multiple recipients. However, in such a
case the email any recipient can view the email addresses of
all the recipients. The reason behind this privacy invasion
is the fact that a single email sent to either a single or
multiple recipients has to have the same exact email
headers. This means that all recipients in the ‘CC’ and ‘To’
fields of the same email have to have the same email
headers. This is due to the fact that the email addresses of
all the recipients were given to the mail server during the
same SMTP session. All this may sound quite vague and weird.
If that is the case, then read the following paragraphs to
understand better.
Now, when you CC a single email to multiple recipients (Say
3) then the following procedure takes place:
Email Client Starts Session at remote mail server.
It introduces itself and the sender.
It uses multiple RCPT commands to send the same email to
multiple recipients.
The email client disconnects.
As the email addresses of all the recipients are mentioned
in the same session at the remote mail server, they
constitute the same email headers. Thus all the recipients
are able to view the email addresses to which this email was
sent.
Now, in a situation, when we BCC the same email to multiple
recipients (Say 2) then the following procedure takes place:
Email Client Starts Session at remote mail server.
It introduces itself and the sender.
It uses a single RCPT commands to send the same email to
the first email address in the BCC list.
The email client disconnects.
It again starts a new session at the remote server.
It again introduces itself and the sender.
It uses a single RCPT commands to send the same email to
the second email address in the BCC list.
The email client disconnects, once again.
In this case, each recipient was sent an email through a
unique session at the remote mail server, thus each
recipient received unique email headers and the identity of
none of the other recipients in the BCC list was not given
away.
The above description of the usage of CC and BCC is based
on how Outlook Express works. However, actually Sendmail
does provide a manner in which the CC recipients can be
specified. After giving the DATA command, one can give the
CC list by giving the following command:
CC:Recipient List
However, giving the BCC command instead of CC does not
produce the desired result.
Sending Attachments through Sendmail
Today, MIME attachments are used to transfer files attached
to an email. MIME attachments use Base64 encoding to encode
the binary data. Earlier another encoding standard was used,
which was called the Uuencode encoding standard. You can
send attachments through Sendmail using any of the above
methods.
UU-encoding or Unix-to-Unix encoding is an encoding
standard, which converts all kinds of files into ASCII for
safe transmission over Networks. Files, which are to be sent
over networks, are encoded at the sender’s end and decoded
at the receiver’s end. This ensures that files (attachments)
can be transferred over different kinds of networks, systems
routers etc without any loss. However, this method turned
out be corruption prone and is thus not the most preferred
one.
According to a University, the basic mechanism of
UU-encoding is as follows:
The basic scheme is to break groups of 3 eight-bit
characters (24 bits) into 4 six-bit characters and then add
32 (a space) to each six-bit character, which maps it into
the readily transmittable character. Another way of phrasing
this is to say that the encoded 6 bit characters are mapped
into the set: `!"#$%&'()*+,-./012356789:;<=>?@ABC...XYZ[\]^_
for transmission over communications lines.
Such encoding increases the file size by about 42%. So, the
mechanism of UU-encoding can be concluded as follows:
File is Uuencoded at sender’s end --------------------->
File is Uudecoded at the receiver’s end.
All attachments too can be sent over networks in uuencoded
form.
You see if you enter the uuencoded code of any file after
you have issued the DATA command at the Sendmail prompt,
then the recipient will be able to receive the attachment
and view it too. Almost all email clients allow Uudecoding.
(Even if the email client used by the recipient does not
allow Uudecoding then are several utilities, which do it for
you.) All files including images, audio files, video files,
text files etc can be encoded by the Uuencoding standard to
obtain the uuencoded code.
The method by which attachments in the form of their
uuencoded form can be sent as attachments is a 2-step
process-:
Converting the file to be sent as an attachment into
uuencoded form.
Given the uuencoded form to the mail server after the DATA
command.
Let, us first tackle the first step:
If you are using a Windows platform, then all you need to
perform Uuencoding is WinZip. If you do not already have
WinZip, then you could get it from: http://www.winzip.com/
WinZip can easily be used for obtaining the Uuencode of any
file. Simply create a new archive containing the file you
want to Uuencode and select Action > Uuencode. You could
also simply press Shift + U.
WinZip will save the Uuencode form of the .zip file in the
form: filename.uue
A typical .uue file (In this case of an image file) would
be as follows:
_=_
_=_ Part 001 of 001 of file new.zip
_=_
begin 666 new.zip
M4$L#!!0``@`(`#5S_RCDJL7+;P```'4````'````;F5W+F=I9G/W=+.P3)1G
MX&%8R``"_T$`Q%#\R<+(P,#(H`/B@.0=F-QZ\INZ%.\\$DX(:]"N_76TM7"V
M:6]\T+)755;)-P(C;UB]*)FR+OSYCGV';_HI7<P)::DQ$Y_Y[%*(UX1`H4U;
M3Z55KVB;<EV#@<$:`%!+`0(4`!0``@`(`#5S_RCDJL7+;P```'4````'````
K````````(`"V@0````!N97<N9VEF4$L%!@`````!``$`-0```)0`````````
`
end
The first few lines are only comments added by WinZip and
are not actually a part of the Uuencoded code. So, simply
eliminate everything above the following line:
begin 666 new.zip
This gives you the Uuencode code of the file you want to
transmit as an attachment using Sendmail.
********************
HACKING TRUTH:If you are on a Unix platform then getting
the Uuencode of a file becomes extremely easy. Simply go to
the Unix shell so you can use uuencode on the file you're
trying to send. For purposes of this example, let's presume
the file you're trying to send is called "myfile.doc".
At the Unix shell prompt, type the command:
uuencode myfile.doc myfile.doc > tempfile.uu
This tells the uuencode command to encode the file
"myfile.doc" and store the name "myfile.doc" in the
resulting encoded file. The results are then redirected (by
the > sign) into another file that you'll place into your
mail message later.
DOS versions of this utility are also easily available at
various download sites.
********************
Now, once you have encoded the file and obtained the
Uuencoded form, then all you need to do is Copy it and Paste
it after the DATA command has been issued at the Sendmail
prompt. This will send the file as an attachment.
This was the method in which one can send attachment using
the Uuencoding standard. I will describe how to send
attachments using the new MIME standard in the later version
of this manual.
More Sendmail Tips and Tricks
Normally when you connect to the Sendmail Port of a system,
then you only have standard SMTP commands available to you.
Although they are more than what you will ever need,
however, for those of you who like to play with various
options, there are also some other commands, which are by
default not available to you.
What I am talking about here is ESMTP commands or Extended
Mail Transfer Protocol commands. A mail server with ESMTP
enabled decides whether these ESMTP commands are available
to the client on the basis of how the client introduces
itself to it. Now, normally you introduce yourself by giving
the below command:
HELO domain
Now, when you introduce yourself using the HELO command,
then most mail servers by default make only the SMTP
commands available to the client. Now, in order to make sure
that even the ESMTP commands are available to you, you need
to introduce yourself to the server by the EHLO command. For
Example:
ehlo ankit.com
Now, if the mail server you are connected to, has ESMTP
enabled, then it will respond by giving a list of ESMTP
commands. Something like the below:
220 mail.isp.com ESMTP Sendmail 8.9.1
(1.1.20.3/07Jul00-0916AM) Thu, 7 Dec2000 17:18:50 +0530
(IST)
ehlo ankit.com
250-mail.isp.com Hello [203.xx.yy.91], pleased to meet you
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250 HELP
********************
HACKING TRUTH: One way of finding out whether your ISP has
ESMTP commands enabled, is to see the daemon banner that
comes up, when you telnet to Port 25 of its mail server. The
word ‘ESMTP’ tells you that such commands are available. For
Example,
220 mail.isp.com ESMTP Sendmail 8.9.1
(1.1.20.3/07Jul00-0916AM) Thu, 7 Dec2000 17:18:50 +0530
(IST)
********************
Credits
ankit@bol.net.in
http://hackingtruths.box.sk/ |