<HTML>



<HEAD>

<META NAME="Author" CONTENT="R a v e N">

<META NAME="HTML Author" CONTENT="Penguin">

<TITLE>The Sendmail Tutorial</TITLE>

<STYLE type=text/css>A:active {

	TEXT-DECORATION: none

}

A:hover {

	COLOR: #999999; TEXT-DECORATION: underline

}

A:link {

	TEXT-DECORATION: none

}

A:visited {

	TEXT-DECORATION: none

}

</STYLE>



</HEAD>

<BODY aLink=#ccff99 bgColor=#000000 leftMargin=20 link=#99ccff text=#cccccc 

topMargin=10 vLink=#ccccff marginwidth="0" marginheight="0">

<center></center>
<br><CENTER><H2>The Sendmail Tutorial / written by yours truly, R a v e n <BR>(<A HREF="http://blacksun.box.sk">blacksun.box.sk</A>)</H2><HR></CENTER>



version 2.1, 22/9/99<BR>

Converted to HTML by <A HREF="mailto:penguin20000@yahoo.com">Penguin</A>



<BR><BR>



Note: whenever you see something like this: blah(1), it means that if you don't understand the meaning of the word blah there's an explanation for it just for you, located at the newbies corner on section 1.



<BR><BR>



<B><U>Author's notes</U></B><BR>

If you have any comments or questions regarding this tutorial (no flames or spam, please), Email me at barakirs@netvision.net.il.<BR>

Visit blacksun.box.sk for more tutorials, free hacking/programming/unix books to download and much more.



<BR><BR>



<B><U>Disclaimer</U></B><BR>

We do not encourage any kinds of illegal activities. If you believe that breaking the law is a good way to impress someone, please stop reading now and grow up. There is nothing impressive or cool in being a criminal.





<B><U>Contents</U></B>

<OL>

<LI>Sendmail? Huh?

<UL>

<LI>What is Sendmail?

<LI>What is it used for?

<LI>Why would I want to learn about Sendmail?

</UL>

<LI>How do I create authentic-looking fake mails?

<UL>

<LI>You mean I can send Emails from bgates@microsoft.com or bclinton@whitehouse.org?!

<LI>Is it possible to create a 100% authentic Email?

<LI>How can I learn raw Sendmail commands by myself?

<LI>But what if I'm lazy? Can you pleeease teach me?

<LI>How do I track down carelessly-made fake mails?

<LI>How do I track down more sophisticated fake mails?

<LI>Can I get caught?

<LI>Will I get caught?

</UL>

<LI>Hack the server? Through Sendmail?!

<UL>

<LI>Can I really hack a host that runs Sendmail?

<LI>So why is Sendmail called "the buggiest daemon on Earth" anyway?

<LI>Okay, great. Now how do I do it?

<LI>Can you tell me more about various Sendmail security holes?

<LI>Where can I find more Sendmail security holes?

<LI>How can I tell what version of Sendmail the target host is running?

<LI>Why should I care anyway?

<LI>How can I use the BugTraq archives to find the holes I'm looking for?

<LI>Can I get caught?

<LI>Will I get caught?

<LI>Final Notes

</UL>

<LI>Okay, so I can hack a host which runs Sendmail. How do I do it?

<UL>

<LI>A Local DoS(29) in All Sendmail Versions Up to 8.9.3

<LI>Bug in Sendmail's HELO command

<LI>Giant Bug in Sendmail 8.8.4

<LI>Final Notes

</UL>

<LI>Newbies corner

<UL>

<LI>What is a daemon?

<LI>What is a port?

<LI>What is a service?

<LI>What is a daemon banner?

<LI>What is a timeout (in computer terms)?

<LI>What is TCP and how does it work?

<LI>What is UDP and how does it work?

<LI>What is ICMP and how does it work?

<LI>What is an IP address?

<LI>What is a hostname?

<LI>How to find out what your ISP's mail servers are?

<LI>What is a portscanner?

<LI>What is a services scanner?

<LI>What/who is root?

<LI>What is bandwidth?

<LI>What is a client program?

<LI>What is a DNS server?

<LI>What is Telnet (the Telnet daemon and the Telnet program)

<LI>What is a command interpreter?

<LI>What is a shell account?

<LI>Who is a sysadmin?

<LI>What is hyper text?

<LI>What is an RFC?

<LI>What is InterNIC?

<LI>What is a sub domain (and how much does a domain really cost?)?

<LI>What is SSH?

<LI>What is a moderated mailing list / message board?

<LI>What is a DoS attack?

<LI>What is DUN?

<LI>What is a dial-up account?

<LI>What is a Unix password file?

<LI>What is a thread?

</UL>

<LI>Appendix A: Fake Daemons

<UL>

<LI>Fake Sendmail daemon

<LI>Fake Telnet daemon

</UL>

<LI>Appendix B: Routing Mail

<UL>

<LI>How can I route my mail?

<LI>How would that help me?

</UL>

<LI>Appendix C: Faking the sender's IP

<UL>

<LI>How can I fake my IP on the Email's header?

<LI>Where can I read more about this kind of stuff?

</UL>

<LI>Appendix D: Reply-to

<UL>

<LI>What does the Reply-to option do?

<LI>How do I use it?

</UL>

<LI>Appendix E: CC and BCC

<UL>

<LI>What do these commands do?

<LI>How do I use them?

</UL>

<LI>References

<UL>

<LI>RFC 821

</UL>

<LI>Bibliography

<UL>

<LI>Sam Spade's Library

<LI>Various online magazines

<LI>BugTraq's archives

<LI>Packet Storm Security

<LI>Security Focus

<LI>Rootshell

<LI>Hackersclub

</UL>

</OL>



<B><U>Sendmail? Huh?</U></B><BR>

Sendmail is a daemon(1) which waits for connections on port(2) 25. It is used to send outgoing mail.<BR>

For example: your Email provider (probably your ISP (Internet Service Provider)) usually uses two servers (unless it's a web-based mail account such as Hotmail.com):<BR>

1) mail.boring-ISP.net (probably port 110): for incoming mail.<BR>

2) mailgw.boring-ISP.net (port 25): for outgoing mail.<BR>

Most of the time mail servers look pretty much like this, but the addresses vary between ISPs.<BR>

Mail.boring-ISP.net would require a username and a password so people won't be able to read your Emails, so let's skip this one (I might discuss cracking those passwords in another tutorial, but remember - I'm teaching you these things so you'll be able to know how malicious crackers work and not fall for their tricks, not for you to break the law and harm others). Now, as surprising as it may sound, mailgw.boring-ISP.net will not require a password or any other means of identification. If you telnet(19) into mailgw.boring-ISP.net on port 25 and type in the right commands you will be able to send fake mails. Interesting, huh?<BR>

Now, the coolest part is that you can actually hack a server running Sendmail or at least bring it down, since Sendmail contains a crapload of bugs and security holes.



<BR><BR>



<B><U>How can I create authentic-looking fake mails?</U></B><BR>

As mentioned in the previous chapter, sending mail does not require you to have an account on the machine you're sending the mail from (the mail server, not your computer). All you need to know is the IP Address(9) / Hostname(10) of the mail server and Sendmail commands.<BR>

So far we assume that you know the IP/hostname of your target. If you still don't know this important detail, please find out(11).



<BR><BR>



Now, let's get on with it. This time, unlike previous tutorials, I will "learn" all over again how to do everything I describe here and walk you through the entire process of learning and using what you have learnt.



<BR><BR>



Alright, let's begin.<BR>

Our target outgoing mail server for today is mailgw.someone.com on port 25.<BR>

First, let's telnet into that port by either typing 'telnet mailgw.someone.com 25' (without the quotes) on a standard Unix text-based system, running C:\Windows\telnet.exe or your favorite telnet application and typing in mailgw.someone.com in the host field and 25 in the port field, or executing your favorite telnet application from XWindows (a graphical interface for Unix. If you're smart enough to be running some version of Unix you shouldn't have a hard time finding one. If you don't like the default telnet programs you could always go to www.linuxberg.com and grab one) and typing in the correct details (host and port).<BR>

Note about VT: you might be asked to choose a terminal type during the connection process. Something with VT and some number in it... hmm...<BR>

VT stands for Virtual Terminal. Since there are several types of terminals (all sorts of monitors, old printer terminals etc.) you are asked to choose a terminal type (compatibility issues). VT100 should suit most people just fine.<BR>

Note about shell accounts(21): if you're not running Unix and you wish to use Unix tools on Unix systems while you work, telnet to nether.net on port 23, login as newuser and get yourself a free shell account. If you'd rather use Windows tools (I use Windows stuff when I work from Windows, except in certain conditions when I really NEED Unix and I don't want to reboot and boot it up. In that case, I get myself a shell account so I am able to use Unix stuff while working from Windows) go ahead (things will work faster since the tools are actually located on your machine, not on some distant computer which runs a shell account), but I still recommend that you get a shell account at nether.net (in fact they teach you a lot of great Unix-newbies stuff when you sign up).<BR>

Note about Telneting from Macintosh: Macintosh does not come with a Telnet program. However, you can download one from: http://www.ncsa.uiuc.edu/SDG/Software/MacTelnet/ (thanks to little_v for this one!).



<BR><BR>



Now, let's see what we get after we telnet(19) to mailgw.someone.com:25 (in this case, the character : stands for 'on port', so mailgw.someone.com:25 means mailgw.someone.com on port 25).



<BR><BR>



220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT).



<BR><BR>



AHA! This is... this is... ugh... WHAT THE HELL IS THIS THING?!<BR>

This, my friends, is a daemon banner(4), and it just gave us tons of valuable pieces of information!<BR>

Normally, this info is intended for a client program(16) to determine what version of Sendmail the target is running and how to communicate with it (the program should know that, for example, every Sendmail version below 7.0.0 uses the command 'halb' instead of the command 'blah', etc.).<BR>

This daemon banner thing is also great for hackers and crackers, since we can determine what version our target is running. Later, when we discuss how to actually hack the server, this data will be EXTREMELY valuable.<BR>

Okay, let's analyze what we've got...<BR>

220... we don't know what this is right now...<BR>

alpha.someone.com... no luck, can't make anything out of it so far...<BR>

ESMTP... hmm... SMTP stands for Simple Mail Transfer Protocol. It is the protocol(18) used by email clients to communicate with Sendmail daemons, and this is what we're trying to learn right now. ESMTP is Extended SMTP. It's the same as SMTP, only it contains some more commands. Let's leave this alone for the time being.<BR>

Sendmail 8.9.3/8.8.6 - AHA! There's something interesting. We got the version of the Sendmail daemon! Remember this, it will help us during the next chapter (hacking into servers which run Sendmail).<BR>

The rest is garbage (time, date, etc.).<BR>

Okay, so let's move on... umm... how do I communicate with this thing?<BR>

Er... let's try typing 'help' (without the quotes). Oh, by the way, it is normal not to see what you type when you talk to Sendmail since it won't send back your keystrokes. You have to turn on "local echo" in your telnet program in order to see what you type.



<BR><BR>

<PRE>

214-This is Sendmail version 8.9.3

214-Topics:

214-    HELO    EHLO    MAIL    RCPT    DATA

214-    RSET    NOOP    QUIT    HELP    VRFY

214-    EXPN    VERB    ETRN    DSN

214-For more info use "HELP &lt;topic&gt;".

214-To report bugs in the implementation send email to

214-    sendmail-bugs@sendmail.org.

214-For local information send email to Postmaster at your site.

214 End of HELP info

</PRE>



Wee! This is cool!!<BR>

By this time you should have guessed that this number (the 220 in the daemon banner and the 214 here) is actually a 'message type'. It states the type of the message you got. Each type of message (error because of this, error because of that, help page for this, confirmation message for that etc.) has its own number.<BR>

Okay, let's move on. Let's try typing 'help helo'.



<BR><BR>

<PRE>

214-HELO &lt;hostname&gt;

214-    Introduce yourself.

214 End of HELP info

</PRE>



See? I told you so. 214 is the message type number for help messages.<BR>

Okay, so that way you can practically teach yourself what every Sendmail command does. Stop right now, read all the help pages and then continue. It is important that you learn how to learn things by yourself. You might see some notes concerning the word RFC(24) and some numbers. You can find RFCs at http://www.linuxberg.com.<BR>

Note about ESMTP: remember that ESMTP thing we came across? You'll be able to get a good clue on what ESMTP is by reading the help pages. Yes, I am trying to force you to read them... so please do. They contain tons of great information for newbies as well as pros.
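As an added example (not part of the original tutorial, nor Sendmail's own code), the following Python groups the replies shown in this chapter the way a mail client must: a dash after the three-digit code means more lines follow, a space means the reply is complete, and the first digit gives the outcome. It also pulls the hostname and self-reported software string out of the 220 banner, which is the check a defender would run against their own server to see how much version detail it announces; the sample transcript is constructed from the replies quoted above plus one added 550 line.

```python
import re

# Constructed sample transcript, modelled on the replies quoted in the tutorial
# (the trailing "." after the banner is dropped; a 550 line is added to show a
# failure class).
SAMPLE_REPLIES = """\
220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)
214-This is Sendmail version 8.9.3
214-Topics:
214-    HELO    EHLO    MAIL    RCPT    DATA
214 End of HELP info
250 bgates@microsoft.com... Sender ok
550 5.7.1 Relaying denied
"""

# Three-digit code, then '-' (more lines follow) or ' ' (last line), then text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_replies(text):
    """Group raw reply lines into (code, [text lines]) tuples."""
    replies, current = [], None
    for raw in text.splitlines():
        m = REPLY_LINE.match(raw)
        if not m:
            raise ValueError("malformed reply line: %r" % raw)
        code, sep, body = int(m.group(1)), m.group(2), m.group(3)
        if current is None:
            current = (code, [])
        elif current[0] != code:
            raise ValueError("reply code changed mid-reply: %r" % raw)
        current[1].append(body)
        if sep == " ":          # a space after the code ends the reply
            replies.append(current)
            current = None
    if current is not None:
        raise ValueError("transcript ends inside a multi-line reply")
    return replies

def reply_class(code):
    """What the first digit of a reply code tells the client."""
    return {2: "success", 3: "send more input", 4: "temporary failure",
            5: "permanent failure"}.get(code // 100, "unknown")

def banner_info(greeting):
    """Split a 220 greeting into (hostname, software string before the ';')."""
    host, _, rest = greeting.partition(" ")
    return host, rest.split(";", 1)[0].strip()
```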



<BR><BR>



Okay, I'm assuming you've finished reading all those help pages. Now let's move on.<BR>

First we need to enter a sender. We do this by typing 'MAIL FROM: &lt;fake Email address&gt;' (remove the quotes and replace fake Email address with the fake Email address of your choice, say... bgates@microsoft.com (but leave the &lt; and the &gt;)).



<BR><BR>



The mail server should reply with this message:



<BR><BR>



250 bgates@microsoft.com... Sender ok
