First:
We are not trying to train hackers for violence or illegality ;) We are just a "project" that tries to teach you, the readers, how security holes work. The first tutorials cover the basics (read them to understand everything); after that we'll discuss the more complex topics. Whenever you see "Word(1/2/3/...)" you will find an explanation at the end of the text.
Disclaimer:
This information is for legal use only. It is for educational use and explains how things work; it does not tell or ask you to do this!! We take no responsibility for any illegal activities!
So if you want to learn and don't want illegal activities, you are welcome to read and understand!
Index:
01.-Introduction
02.-Fake Mails?
03.-How to send Fake Mails
04.-More Commands?
05.-How can I see that I got a fake mail?
06.-Hmm, how can I see if an email exists?
07.-Send a realistic Fake Mail?
08.-Nice tip I discovered
09.-Something you should remember and know!
10.-Hacking through Sendmail?
11.-Where can I find exploits?
12.-How to attach a file to the mail
Sendmail:
~~~~~~~~~
Sendmail is a Daemon(1) that sends mail (see the POP3 tutorial for the daemon that receives it). It can fairly be called the most insecure daemon ever, and new bugs and exploits for it keep getting published! To see whether your Sendmail daemon has a security problem, connect to Port(2) 25: "telnet domain.de 25" (assuming it really is Sendmail and has not been moved to another port).
Something like:
"Connected to domain.de.
Escape character is '^]'.
220 domain.de ESMTP Sendmail 8.9.3/8.9.3; Wed, 4 Aug 1999 16:23:42 +0200"
should appear. SMTP stands for Simple Mail Transfer Protocol; the E in ESMTP stands for "Extended". This banner is EXTREMELY important: from the version (8.9.3) you can find exploits (use the addresses at the end of this article, and always stay up to date). Note that the banner is just a configurable string, so an admin can change it or strip the version; treat it as a hint, not as proof.
Fake Mails?:
~~~~~~~~~~~~
Yeah! It is very, very easy, and after reading this you will know how to send a fake mail. Normal mail programs like Outlook do exactly the same thing: they just send the following commands to the SMTP server! So of course you can type these commands manually... just go on reading!
How to send Fake Mails:
~~~~~~~~~~~~~~~~~~~~~~~
Now over to the fake mail. To send a fake mail type (while connected to the SMTP server on port 25):
"helo domain.de" (return)
"mail from: blahhhh@domain.de" (return), then
"rcpt to: superuser@domain.de" (return)
"data" (return), then your contents, e.g.:
hahaha you are a looser
(end with a return, a "." on a line by itself, and another return).
The server answers each of these commands with a "250 ..." line and answers "data" with "354 ..."; if you get a "5xx" reply instead, read it, the command was refused. To disconnect you can type "quit".
More Commands?:
~~~~~~~~~~~~~~~
To get more information type "help" or "help <topic>", e.g. "help dsn". Typing "help" will get you this:
214-This is Sendmail version 8.9.3
214-Topics:
214- HELO EHLO MAIL RCPT DATA
214- RSET NOOP QUIT HELP VRFY
214- EXPN VERB ETRN DSN
214-For more info use "HELP <topic>".
214 End of HELP info
You should check all the commands and understand them, so you get deeper into this...!
How can I see that I got a fake mail?:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are two ways:
1. (this won't always work, and I'll explain why)
If you get a mail from hmm@ahh.net you can try to connect to ahh.net and see if port 25 is open. If it is not, the mail could not have been sent through that host, right? But a domain's outgoing mail does not have to leave from the host named in the address (it usually leaves from the ISP's or the company's mail server), so a closed port 25 on ahh.net proves nothing by itself. Another way is to vrfy the user (see below: Hmm, how can I see if an email exists?).
2. Well, when you receive a mail you get the header with it, right? Right! Look at it and you will see a line like:
Received: from mail.com
So if the sender is fake@asd.de, it's a fake, since a real mail that came in from mail.com would have a sender like fake@mail.com, matching the "Received: from mail.com" line. Understood? Good... So you might think: very easy, fake mails can be discovered. But can I fake them realistically?
Hmm, how can I see if an email exists?:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Very easy actually: by reading all the commands ;) you saw this "vrfy", right?! This is the question the receiving server answers when you send a mail to, let's say, RCornder@isp.net. You know these "blablabla user doesn't exist" mails you get back? That's it: the server was asked to deliver to that user and found out the user doesn't exist ;) With vrfy you ask the same question without sending anything: "vrfy name@mail-isp.net". A "250 <...>" reply means the user exists, a "550 ... User unknown" means it doesn't. Caveat: many admins switch this off (Sendmail's PrivacyOptions=novrfy); then you only get a "252 Cannot VRFY user" that tells you nothing, and you have to fall back on "rcpt to:" and watch whether it is accepted.
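The whole dialogue from "How to send Fake Mails" plus a vrfy, as an added example that is not part of the original text: a toy SMTP server and a client run together in one process on a loopback port, so you can watch both sides' lines offline instead of typing them into telnet. The server is a stand-in for Sendmail, not Sendmail itself; the KNOWN_USERS table and the hostname domain.de are constructed. Like a real MTA it records the HELO name and the peer address in a Received: line, and the client dot-stuffs body lines so that a line consisting of "." cannot end the mail early.

```python
import socket
import threading

KNOWN_USERS = {"superuser", "lcamtuf"}  # constructed table; VRFY answers from it


def serve_once(listener, hostname="domain.de"):
    """Toy SMTP server (added example, not Sendmail): one session, the
    tutorial's commands, returns the envelope and message it accepted."""
    conn, peer = listener.accept()
    f = conn.makefile("rwb")
    state = {"helo": None, "from": None, "rcpt": [], "data": None}

    def reply(line):
        f.write((line + "\r\n").encode())
        f.flush()

    reply(f"220 {hostname} ESMTP toy server ready")
    while True:
        raw = f.readline()
        if not raw:
            break
        verb, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            state["helo"] = arg
            reply(f"250 {hostname} Hello {arg} [{peer[0]}]")
        elif verb == "MAIL":
            state["from"] = arg.partition(":")[2].strip()
            reply("250 Sender ok")
        elif verb == "RCPT":
            state["rcpt"].append(arg.partition(":")[2].strip())
            reply("250 Recipient ok")
        elif verb == "DATA":
            reply('354 Enter mail, end with "." on a line by itself')
            lines = []
            while True:
                line = f.readline().decode(errors="replace").rstrip("\r\n")
                if line == ".":
                    break
                lines.append(line[1:] if line.startswith(".") else line)  # undo dot-stuffing
            # Like a real MTA, record the HELO name and the peer address in a
            # Received: line; the detection sections of this text read that line.
            state["data"] = (f"Received: from {state['helo']} ([{peer[0]}]) by {hostname}\r\n"
                             + "\r\n".join(lines))
            reply("250 Message accepted for delivery")
        elif verb == "VRFY":
            user = arg.strip("<>").split("@")[0]
            reply(f"250 <{user}@{hostname}>" if user in KNOWN_USERS
                  else f"550 {arg}... User unknown")
        elif verb == "QUIT":
            reply(f"221 {hostname} closing connection")
            break
        else:
            reply("500 Command unrecognized")
    conn.close()
    return state


def send_fake_mail(host, port, helo, mail_from, rcpt_to, body_lines, vrfy=None):
    """Client: type the tutorial's dialogue over a socket, return (command, reply) pairs."""
    sock = socket.create_connection((host, port))
    f = sock.makefile("rwb")
    transcript = []

    def cmd(text):
        f.write((text + "\r\n").encode())
        f.flush()
        transcript.append((text, f.readline().decode().rstrip("\r\n")))
        return transcript[-1][1]

    transcript.append(("<banner>", f.readline().decode().rstrip("\r\n")))
    cmd(f"helo {helo}")
    if vrfy:
        cmd(f"vrfy {vrfy}")
    cmd(f"mail from: {mail_from}")
    cmd(f"rcpt to: {rcpt_to}")
    if cmd("data").startswith("354"):
        for line in body_lines:  # dot-stuff so a body line of "." cannot end the mail early
            f.write((("." + line if line.startswith(".") else line) + "\r\n").encode())
        cmd(".")
    cmd("quit")
    sock.close()
    return transcript


def run_demo():
    """Server and client in one process on a loopback port, fully offline."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    accepted = {}
    worker = threading.Thread(target=lambda: accepted.update(serve_once(listener)))
    worker.start()
    transcript = send_fake_mail("127.0.0.1", listener.getsockname()[1], "domain.de",
                                "blahhhh@domain.de", "superuser@domain.de",
                                ["hahaha you are a looser"], vrfy="nobody@domain.de")
    worker.join()
    listener.close()
    return transcript, accepted
```

run_demo() returns the client's transcript and what the server stored; printing the transcript gives you exactly the telnet session from the text, including the "550 ... User unknown" answer to the vrfy of an unknown user.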
Send a realistic Fake Mail?:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well, you will have to send the mail from the SMTP server of the hostname you are faking. So if you want the mail to look as if it was sent from hidiho.com, you have to connect to hidiho.com on port 25 and send the mail from there; if it is an ISP you could even use their own connection. So let's say you want to send a mail from germany.net. You do this:
1) Since it is an ISP you can use call-by-call dial-up (you don't have to sign a contract, they put it on your telephone bill). Say their call-by-call number is 06457-451235: make a connection over that number, connect to their domain germany.net on port 25, give "helo germany.net", go on writing the mail and you will send a realistic-looking fake, since a whois on the IP will show germany.net and the Received line will show germany.net too!
Nice tip I discovered:
~~~~~~~~~~~~~~~~~~~~~~
There are firms that have a staff mail service. This means if you send a mail to staff@firm.com all people on firm.com will get the mail... and you, the sender, get a copy!!! So I don't know if this trick works on all servers, BUT: as I started playing around with fake mails I had an apprenticeship at a firm, you know, this thing from school like "Test the job you want", for 3 weeks in a security firm. As they heard and saw I was starting in that scene they said: "Try to find something insecure on our server", and I did! ;) As I thought I wanted to send a fake mail to all users, I created a fake mail from: staff@firm.com to staff@firm.com. Since it was late and we all left I didn't see what happened, but what I saw next morning was great fun!!! Everybody had like 10000 mails in their inbox ;))) Since the mail from staff@firm.com was sent to staff@firm.com all over again, a loop was created which didn't stop and went on all night till the server crashed! So this is very theoretical, since I didn't try it, but my solution is to delete the function that sends the copy of the mail to the sender...
Something you should remember and know!:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Never forget to give your SMTP server a "helo hostname.com", otherwise Sendmail adds a header line to your mail like
X-Authentication-Warning: mail.domain.de: Host [1.2.3.4] didn't use HELO protocol
(hostname and address are placeholders here), and a line like that means the mail was almost certainly typed in by hand, i.e. a fake! And something else you should know: in the Received: line you will see an IP; by doing a whois on it you get the ISP of the user (unless he is using a proxy or other crap (WinGate and such)).
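The checks from "How can I see that I got a fake mail?" and from this section, plus the hop-count idea behind the staff@firm.com loop story, in one script. This is an added example, not part of the original text: it unfolds the headers, looks at the Received: line nearest the sender (the last one, since every relay adds its line on top), pulls out the relay IP you would whois, and flags a disagreement with the From: domain, an X-Authentication-Warning, or too many hops (Sendmail's MaxHopCount option defaults to 25 and rejects mail above it as looping). The three sample messages are constructed; the warning wording follows Sendmail's "didn't use HELO protocol" header. Note that the realistic fake from "Send a realistic Fake Mail?" passes every check here, which is exactly that section's point: header checks alone cannot catch a mail relayed through the claimed domain's own server.

```python
import re

# Constructed sample: a hand-typed session, no HELO, sender claims asd.de, but
# the only Received: line says the mail came in from mail.com's machine.
SAMPLE_FAKE = """\
Received: from mail.com ([10.0.0.7]) by mx.ahh.net (8.9.3/8.9.3) with SMTP id QAA12345
\tfor <hmm@ahh.net>; Wed, 4 Aug 1999 16:23:42 +0200
X-Authentication-Warning: mx.ahh.net: Host [10.0.0.7] didn't use HELO protocol
From: fake@asd.de
To: hmm@ahh.net
Subject: hahaha

hahaha you are a looser
"""

# Constructed sample of the "realistic" fake: relayed through the claimed
# domain's own server with a proper HELO, so nothing in the headers disagrees.
SAMPLE_REALISTIC = """\
Received: from mail.ahh.net (mail.ahh.net [10.0.0.2]) by mx.ahh.net (8.9.3/8.9.3)
\twith ESMTP id QAA12346; Wed, 4 Aug 1999 16:30:01 +0200
Received: from germany.net (pop3-12.germany.net [192.0.2.5]) by mail.ahh.net
\t(8.9.3/8.9.3) with SMTP id QAA12340; Wed, 4 Aug 1999 16:29:58 +0200
From: someone@germany.net
To: hmm@ahh.net
Subject: hello

looks real, doesn't it
"""

# Constructed sample of the staff@firm.com loop: one Received: line per pass.
SAMPLE_LOOP = ("Received: from firm.com ([10.1.1.1]) by firm.com\n" * 30
               + "From: staff@firm.com\nTo: staff@firm.com\n\nhi\n")

RECEIVED_RE = re.compile(r"from\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw):
    """Return (name, value) pairs of the header block, in order, with folded
    continuation lines joined back onto their header."""
    headers = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_fake(raw, max_hops=25):
    """The tutorial's checks: does the hop nearest the sender agree with the
    From: domain, is there an X-Authentication-Warning, and are there more
    Received: lines than an MTA would tolerate before calling it a loop."""
    headers = parse_headers(raw)
    received = [v for n, v in headers if n == "received"]
    sender = next((v for n, v in headers if n == "from"), "")
    domain = sender.rsplit("@", 1)[-1].strip("<> ").lower()
    report = {"sender_domain": domain, "first_hop": None, "relay_ip": None, "findings": []}
    if not received:
        report["findings"].append("no Received: line at all")
    else:
        hop = received[-1]  # each relay adds its line on top, so the LAST one is the first hop
        report["first_hop"] = hop
        m = RECEIVED_RE.search(hop)
        helo = m.group(1).lower() if m else ""
        ip = IP_RE.search(hop)
        report["relay_ip"] = ip.group(1) if ip else None  # the address you would whois
        if not (helo == domain or helo.endswith("." + domain)):
            report["findings"].append(
                f"first hop '{helo}' does not belong to sender domain '{domain}'")
    if any(n == "x-authentication-warning" for n, _ in headers):
        report["findings"].append("X-Authentication-Warning present (no HELO, or sender forced)")
    if len(received) > max_hops:
        report["findings"].append(
            f"{len(received)} Received: lines, above the loop limit of {max_hops}")
    return report
```

check_fake(SAMPLE_FAKE) reports both the domain mismatch and the warning, check_fake(SAMPLE_REALISTIC) reports nothing, and check_fake(SAMPLE_LOOP) trips the hop limit, which is the check an MTA applies to stop a staff@firm.com loop regardless of whether the sender gets a copy.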
Hacking through Sendmail?:
~~~~~~~~~~~~~~~~~~~~~~~~~~
Yeah, you can hack a server through SMTP! To do this you have to get the version of the SMTP server, which you find in the daemon banner, remember?
"220 domain.de ESMTP Sendmail 8.9.3/8.9.3; Wed, 4 Aug 1999 16:23:42 +0200"
But a daemon banner can be faked, so check it against a second source: remember the help command? Its first line, "214-This is Sendmail version 8.9.3", shows the version too (the help text is just a file the admin can edit, so it can lie as well). And by sending yourself an email you get the version in the Received: line! (You notice the Received line is my favourite, since you retrieve the most info out of it...) Now that you have the version, look for an exploit and hack it! How do you use exploits? Well, just search for one and you will get an explanation. I'll just show you one:
Sendmail up to recent 8.9.x versions - any user may pass
-bi parameter to /usr/sbin/sendmail. This will result in
aliases database rebuild. IMHO there's no reason to allow
such things, but no matter - something rather stupid is done
during rebuild:
5366 open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6
What bad luck! There's an approx. 0.1 sec delay due to /etc/aliases processing (on my system). Meanwhile, a luser might deliver any signal to the sendmail process... SIGKILL is quite good. After that, /etc/aliases.db will be left in an unusable state (no EOF marker), causing a DoS:
220 Marchew ESMTP Mail Service at nimue.ids.pl ready.
mail from: myself
451 Cannot open hash database /etc/aliases: Invalid
argument
rcpt to: lcamtuf
503 Need MAIL before RCPT
Exploit is trivial.
-- Michal Zalewski [lcamtuf@ids.pl] [Marchew Industries] [http://lcamtuf.na.export.pl]
I got this from packetstorm.securify.com, so if you have a version just search for "Sendmail version [version number]"; for 8.8.8 you would search for "Sendmail version 8.8.8", ok?
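The quoted post shows a bug class, not just a bug: a rebuild that truncates the live file in place, so any interruption (here a SIGKILL from a local user, but a crash or power loss would do the same) leaves a half-written database that the daemon then refuses to open. Stopping unprivileged users from triggering the rebuild is one fix; independent of that, the rebuild itself should be crash-safe. The following added example (mine, not from the post and not Sendmail's code) contrasts the two write strategies on a toy text-format aliases.db with a constructed "#EOF" marker standing in for the real database's end marker, and simulates the kill with an exception thrown mid-write.

```python
import os
import tempfile

# Constructed toy format: "key:value" lines terminated by an "#EOF" marker line.
EOF_MARKER = "#EOF"


def write_db_unsafe(path, entries, crash_after=None):
    """Rebuild in place, the pattern behind the quoted strace line:
    open(O_RDWR|O_TRUNC) empties the old file before a single byte of the new
    content exists. crash_after=i raises before entry i is written, standing
    in for a SIGKILL delivered during the rebuild."""
    with open(path, "w") as f:  # truncates immediately
        for i, (key, value) in enumerate(entries):
            if crash_after is not None and i == crash_after:
                raise RuntimeError("killed mid-rebuild")
            f.write(f"{key}:{value}\n")
        f.write(EOF_MARKER + "\n")


def write_db_safe(path, entries, crash_after=None):
    """Build the new database in a temporary file in the same directory,
    fsync it, then rename it over the old one. rename() is atomic, so readers
    see either the complete old file or the complete new file, never a
    half-written one; an interrupted rebuild just leaves a temp file behind."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".aliases.")
    try:
        with os.fdopen(fd, "w") as f:
            for i, (key, value) in enumerate(entries):
                if crash_after is not None and i == crash_after:
                    raise RuntimeError("killed mid-rebuild")
                f.write(f"{key}:{value}\n")
            f.write(EOF_MARKER + "\n")
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def read_db(path):
    """Return the entries, or None if the EOF marker is missing: the
    'unusable state' that produced the 451 reply in the quoted post."""
    with open(path) as f:
        lines = f.read().splitlines()
    if not lines or lines[-1] != EOF_MARKER:
        return None
    return dict(line.split(":", 1) for line in lines[:-1])


def demo(rebuild):
    """Populate a db, then get 'killed' during a rebuild with the given
    strategy; return what a reader finds afterwards."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "aliases.db")
        write_db_safe(path, [("postmaster", "root"), ("staff", "alice,bob")])
        try:
            rebuild(path, [("postmaster", "root"), ("staff", "alice,bob,carol")], crash_after=1)
        except RuntimeError:
            pass
        return read_db(path)
```

demo(write_db_unsafe) returns None (the file was truncated and never finished, exactly the "Cannot open hash database" situation), while demo(write_db_safe) still returns the old, complete database. The same write-temp-then-rename pattern is what you want for any file a daemon reads while something else rebuilds it.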
Here are some more pages where you'll find exploits or bugs:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- http://www.securityfocus.com
- http://www.netspace.org (BugTraq; for new bugs mail me (ugw-mail@gmx.de))
- http://www.hackersclub.com
- http://www.sendmail.org
- http://www.securitywriters.org/
How to attach a file to the mail:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(addition from TCL)
You ever faked an email and wanted to attach a file to it? Like a funny picture or something like that? Well, I'm gonna teach u how to do it! Sending files through emails is usually done with UUencoding (Unix-to-Unix). It takes a file and turns it into ASCII (regular characters). Windows users only need WinZip (u got it, right? If not, download it from winzip.com): make a new archive that contains the file that u want to send, then do Shift+U. WinZip will create a file named filename.uue; open the file with Notepad and copy everything. Unix users can do: uuencode myfile.txt myfile.txt > myfile.uue, then open myfile.uue with pico/vi etc. and copy everything in it. Then start faking your email and after u get to DATA, paste the whole thing after u wrote your letter but before writing the '.'.
Enjoy! And don't send any viruses!
TCL
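The same procedure done by a program, as an added example that is not part of TCL's text: Python's standard-library binascii does the uuencoding, and the function that assembles everything typed after the 354 reply applies the one detail a paste into DATA needs, SMTP dot-stuffing. A uuencoded line starts with the character chr(32+length), so a final chunk of 14 bytes produces a line starting with "." which the server would strip to a corrupted line unless the dot is doubled (and a letter line consisting of a single "." would end the mail early). The file name and bytes are constructed.

```python
import binascii


def uuencode(name, data, mode=0o644):
    """The begin/body/end block uuencode(1) or WinZip's .uue would produce:
    45 input bytes per line, each line prefixed with chr(32 + length)."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines.append("`")  # uuencode's empty (zero-length) terminating line
    lines.append("end")
    return lines


def uudecode(lines):
    """Reverse of uuencode(), used to check the round trip."""
    out = bytearray()
    for line in lines[1:]:
        if line in ("`", "end"):
            break
        out += binascii.a2b_uu(line)
    return bytes(out)


def build_data_section(letter_lines, attachment_name, attachment_bytes):
    """Everything sent after the 354 reply: the letter, a blank line, the
    uuencoded file, then the lone '.'. Any line that itself starts with '.'
    gets the dot doubled (dot-stuffing); the receiving server strips one dot
    again, so the recipient sees the original text."""
    body = list(letter_lines) + [""] + uuencode(attachment_name, attachment_bytes)
    wire = [("." + line) if line.startswith(".") else line for line in body]
    return wire + ["."]
```

With a 59-byte file the second uuencoded line starts with "." and goes out as "..", while the letter's own lines are untouched; a decoder on the other side, after the server has removed the stuffing, gets the original bytes back.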
Daemon (1): Well, just to cut this topic short: a service that runs automatically on a computer and takes commands to execute them.
Port (2): The number a service listens on for connections; SMTP uses port 25, which is why you telnet to 25.
I hope we could help you with this topic. Have fun trying things out! (Dead_Beat)
Credits:
by Dead_Beat
Questions or suggestions to ugw-mail@gmx.de
Have phun, visit us: http://www.undergroundworld.de.vu