<BR><BR>
Next we type 'RCPT TO: <recipient>'. Replace recipient with the target, say victim@victim.com. We should get
<BR><BR>
250 victim@victim.com... Recipient ok
<BR><BR>
You can add more recipients by simply repeating this command, with a different recipient each time.
<BR><BR>
Now, let's move on to the actual message body. Type 'data' to start writing the body of the message.
<BR><BR>
354 Enter mail, end with "." on a line by itself
<BR><BR>
Now let's type in some stuff...
<BR><BR>
Subject: fake message (note about this line: this is where you set the subject of your message).<BR>
Hello. This is a fake Email message.<BR>
I'm bored.<BR>
Gimme something to hack!!<BR>
.
<BR><BR>
Now we get this
<BR><BR>
250 CAA15313 Message accepted for delivery
<BR><BR>
You must be wondering right now what the heck that number after the 250 is. This is called the message ID (or MID). It's just a stupid number, but we'll use it later... don't you worry your pretty head about this.
<BR><BR>
Now, if you were the recipient you would have got a 100% reliable-looking fake mail. OR IS IT?
<BR><BR>
Let's take a look at what the recipient would get...<BR>
Hmm... welp, looks like an ordinary message to me. At least it does to the ordinary user.<BR>
Now let's look at the headers.<BR>
Headers are a couple of lines which come with every Email message. Most of today's Email clients show only the simpler parts of the header (sender, subject, date and time etc'), but right now we need the full header.<BR>
On Netscape Messenger displaying the full headers is done by going to View ==> Headers ==> All.<BR>
On Eudora this is done by clicking on the button which displays the "blah blah blah" caption when you put your mouse cursor above it for a second or two.<BR>
Compuserve automatically displays the full header.<BR>
On Outlook, right click the message in your inbox, choose Properties and then Details.<BR>
On pine, you should have an option somewhere in the configuration screens that lets you choose what kind of header you want to view (full or brief).<BR>
Now let's take a look at the full header, shall we?
<BR><BR>
Received: from alpha.netvision.net.il (alpha.netvision.net.il [194.90.1.13]) by cmx.netvision.net.il (8.9.3/8.9.3) with ESMTP id CAA15313 for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0300 (IDT)<BR>
From: bgates@microsoft.com<BR>
Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225]) by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313 for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)<BR>
Date: Sat, 10 Jul 1999 02:55:46 +0300 (IDT)<BR>
Message-ID: <199907092355.CAA15313@alpha.someone.com><BR>
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol<BR>
Subject: Fake mail<BR>
Status:<BR>
X-Mozilla-Status: 8001<BR>
X-Mozilla-Status2: 00000000<BR>
X-UIDL: 3752da3b000002ff
<BR><BR>
Yeehaw! Look at all those numbers and letters and shiny things!<BR>
Let's start from the top, shall we?
<BR><BR>
Received: from alpha.someone.com (alpha.someone.com [194.90.1.13]) by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970 for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0000 (GMT)
<BR><BR>
Okay, so the mail was received from alpha.someone.com (alpha.someone.com [194.90.1.13]). What does that mean?<BR>
A quick checkup on InterNIC(25)'s databases (type 'whois alpha.someone.com' without the quotes on a Unix system, or download SamSpade for Windows at www.samspade.org) reveals that it is owned by someone.com. This is probably some kind of sub-server they use to send mail. Let's leave it alone, it's not important to us right now. The (alpha.someone.com [194.90.1.13]) part shows you the hostname(10) and the IP address(9) of the server the Email was sent from.<BR>
Ooh, ooh, wait! Wasn't the mail supposed to be sent from microsoft.com? I mean, the sender is bgates@microsoft.com!<BR>
If we had done the mail forging thing on microsoft.com instead of on someone.com this wouldn't have happened, now would it? It would have seemed like an ordinary Email... from Bill Gates... well, at least so far.<BR>
Anyway, the rest is just the MID (which we will get to later) and the date of the message (the sending date) according to the server the message was sent from. The +0000 (GMT) part means that it was sent from the Greenwich time zone. If it had been sent, for example, from the +0200 time zone, it would have meant that this time zone's time is Greenwich time plus 2 hours. Find out your own time zone first so you'll be able to convert between time zones and work out when the message was sent in your local time.<BR>
Now, on to more important things.
<BR><BR>
From: bgates@microsoft.com
<BR><BR>
Well, I guess this line is obvious... let's move on.
<BR><BR>
Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225]) by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313 for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
<BR><BR>
Okay, now this is really interesting. Now we get the sender's hostname and IP address.<BR>
Note about the hostname: a dial-up(31) user will have a long and twisted hostname. For example: my hostname right now (at least when I was writing these lines) is RAS4-p97.hfa.netvision.net.il. Netvision.net.il is my ISP, and the rest is mostly crap (pay close attention to the hfa thing. Hfa stands for Haifa, which is my home town. It means that I'm connected through Netvision's Haifa server. See? Hostnames can be interesting).<BR>
You must have noticed by now that the hostname we got is certainly not from microsoft.com, and that the mail server that sent this isn't exactly microsoft.com or a microsoft sub-domain(26) either, which clearly shows that this Email is completely fake.<BR>
Another note about the hostname: sometimes you might not get a hostname, but you will always get an IP address. You can find the IP's hostname (most IP addresses do have one) by doing 'nslookup ip-address' without the quotes on a Unix system, or by going to http://www.samspade.org and using their DNS(17) Lookup Tool. If you still can't get it, try doing a whois.<BR>
To overcome this problem, you need to do two things:<BR>
1) Send this mail from Microsoft's Sendmail server.<BR>
2) Send this mail from an account that is connected to the web through Microsoft. If you can't get one, it will clearly show in the headers that the mail wasn't sent from Microsoft.
<BR><BR>
Note: nice trick to pull on someone: if your ISP is blah.com, you can send your friends an Email from admin@blah.com which will look 100% authentic!
<BR><BR>
Anyway, the next few characters give us the MID (Message ID), as well as other pieces of info. I promised we'll get to the MID, didn't I?<BR>
If you think someone is trying to trick you into thinking he's somebody else, send an Email to abuse@your.ISP.com or abuse@the.ISP.where.the.message.came.from.com (in this case Microsoft.com) or abuse@the.server.who.stores.the.MID.com.<BR>
To know which server stores the MID, we'll need to skip a few lines (two lines actually - time and date) and get straight to this:
<BR><BR>
Message-ID: <199907092355.CAA15313@alpha.someone.com>
<BR><BR>
Aha! Look at these interesting numbers! And check this out: CAA15313@alpha.someone.com! This means all the info regarding the MID is stored at alpha.someone.com! Let's send an Email to abuse@alpha.someone.com and tell them that we think we received a fake mail, and include the entire header. Next, we'll do the same with the ISP of the sender (in our case, the sender is some.hostname.crap.com [62.0.146.225], meaning his ISP is probably crap.com).
<BR><BR>
Now, on to the next line:
<BR><BR>
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol
<BR><BR>
Damn! I knew we forgot something! Now let's do it all over again, but this time we'll type HELO microsoft.com at the beginning.
<BR><BR>
HELO microsoft.com
<BR><BR>
We get this:
<BR><BR>
250 mailgw1.netvision.net.il Hello some.hostname.crap.com [62.0.146.225], pleased to meet you
<BR><BR>
The rest is exactly like last time (sender, rcpt to, etc' etc'). Now let's see what victim@victim.com would have gotten.
<BR><BR>
Aha! No X-Authentication-Warning!
<BR><BR>
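As an added illustration of the header reading above (not part of the original tutorial), this Python script parses the Received chain of the forged message, pulls out the relay and origin IP that the sender does not control, and flags the mismatches the text walks through: relays and origin outside the From: domain, the missing-HELO warning, and the host that holds the message ID. The header text is a constructed copy of the sample above (Message-ID joined), and the helper names are my own.

```python
import re
from collections import namedtuple
# Constructed sample: the forged-mail header walked through above (Message-ID joined).
RAW_HEADERS = """\
Received: from alpha.someone.com (alpha.someone.com [194.90.1.13]) by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970 for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0000 (GMT)
From: bgates@microsoft.com
Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225]) by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313 for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Message-ID: <199907092355.CAA15313@alpha.someone.com>
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol
"""
# "from <helo-name> (<reverse-dns> [<ip>]) by <relay>"; the reverse-DNS name may be absent.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)")

# helo: name the client claimed; rdns: relay's reverse DNS of the client IP; ip: logged client IP (not fakeable by the sender); by: the relay.
Hop = namedtuple("Hop", "helo rdns ip by")

def header(raw, name):
    # Value of the first header called `name`, or "" if absent.
    for line in raw.splitlines():
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""

def parse_received(raw):
    # Each relay prepends its own Received line, so the last one is the origin.
    hops = []
    for line in raw.splitlines():
        m = RECEIVED_RE.search(line) if line.lower().startswith("received:") else None
        if m:
            hops.append(Hop(m["helo"], m["rdns"] or "", m["ip"], m["by"]))
    return hops

def in_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def analyze(raw):
    hops = parse_received(raw)
    origin = hops[-1]
    sender_domain = header(raw, "From").rsplit("@", 1)[-1].strip("<> ")
    mid_host = header(raw, "Message-ID").strip("<>").rsplit("@", 1)[-1]
    findings = [f"relay {h.by} is not in {sender_domain}"
                for h in hops if not in_domain(h.by, sender_domain)]
    if not in_domain(origin.rdns or origin.helo, sender_domain):
        findings.append(f"origin {origin.ip} ({origin.rdns or origin.helo}) is not in {sender_domain}")
    if "didn't use HELO" in header(raw, "X-Authentication-Warning"):
        findings.append("client skipped HELO")
    return {"origin_ip": origin.ip, "mid_host": mid_host,
            "abuse_contact": f"abuse@{mid_host}", "findings": findings}
```

Running analyze(RAW_HEADERS) on the sample yields four findings: both relays and the origin host lie outside microsoft.com, and the client skipped HELO.
<BR><BR>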
<B><U>Final notes</U></B><BR>
I hope you enjoyed this chapter. Now you've learnt how to play harmless and legal tricks on your friends, how to spot fake mails and how easy it is to catch you if you're trying to do illegal stuff.<BR>
Oh, and by the way, there is a way to hide your IP/hostname when faking mail... for more information, read the second section in the 'Okay, so I can hack a host which runs Sendmail. How do I do it?' chapter.
<BR><BR>
<B><U>Hack the server? Through Sendmail?!</U></B><BR>
Yeah, sure, why not? I mean, EVERY service(3) is vulnerable to some attacks. That's why it is recommended to run as few services as possible on your computer.<BR>
But the most vulnerable one is Sendmail (this is why it is called 'the buggiest daemon on Earth' or 'the buggiest daemon on the planet'). A member of the mailing list once told me that he just couldn't wait to read the Sendmail Tutorial (this was before this tutorial had been released) and that he himself runs Sendmail on his computer. Running Sendmail on a personal computer is unnecessary and dangerous. If your computer does not act as a mail server, there is no reason for you to run Sendmail (unless you want people to be able to send mail to your-account@your.IP.address instead of your-account@your.ISP.com. Note about your-account: in the first address, your-account is your username on your own computer (Unix users should know what I am talking about). In the second address, your-account is your username at your ISP).<BR>
Note: the information in this chapter can be either used to hack servers, or the other way around - to protect your server. Please don't break the law, or at least don't spew out my name during the investigations... hehe...
<BR><BR>
Okay, so the first thing we have to do in order to hack a server through a specific service (or to improve the security of a specific server) is to find out its (the service's) version. This can easily be done by viewing the daemon banner(4). Suppose we came across a computer that runs Sendmail 8.8.3 (which was quite old when this tutorial was written, meaning there should be a couple of bugs here. Sendmail is upgraded mostly when a new bug is found. In fact, everything except for the daemon's security is rarely changed during upgrades).<BR>
Next we'll try to determine the OS (Operating System) this daemon runs on. If Sendmail's banner won't tell us, the Telnet(19) daemon will. First telnet to port 23 and cross your fingers. If there's a daemon on that port, it's probably the Telnet daemon, and it'll probably give you the name and version of the OS. If not, you can either:<BR>
1) Try looking for a guest account (username: guest, password: guest or username: newuser, password: newuser), since some systems give you these details only after you log in.<BR>
2) Email admin@your-target.com and ask him (I recommend opening a mailbox on one of those free mailbox services such as Hotmail and Emailing him from there, since some admins(22) might get a little suspicious...).<BR>
3) Try going to your target's website. This kind of information might be there, somewhere.
<BR><BR>
If you still haven't found the OS, fear not! We might still be able to do a cool hack without this information, but it might still come in handy, so do all you can to get your hands on it.
<BR><BR>
Next thing, you browse some online databases until you find the hole you've been looking for. First of all I'll explain about the largest and most recommended online databases, and then I'll teach you how to search them, plus some valuable concepts and words you need to get familiar with.
<BR><BR>
<B><U>Packet Storm Security</U></B><BR>
URL: http://packetstorm.securify.com.<BR>
One of the largest online databases for security-related information. I recommend going there once a day and reading the 'New Files Today' section, whether you're looking for specific holes or not.<BR>
The archive was founded by Ken Williams and gets hundreds of thousands of hits per week.<BR>
It has recently been transferred into the ownership of Kroll-O'Gara (www.securify.com).
<BR><BR>
<B><U>Security Focus</U></B><BR>
URL: http://www.securityfocus.com.<BR>
Another comprehensive database. Updated daily. These guys never sleep!
<BR><BR>
<B><U>BugTraq</U></B><BR>
URL: hosted by Security Focus (http://www.securityfocus.com), previously hosted by Netspace (http://www.netspace.org).<BR>
BugTraq is one of the best security mailing lists out there. The list is moderated, meaning that if you find a new security hole, you can only send your message to the moderator, Aleph1 (aleph1@underground.org). Aleph1 filters out all the spam, lame messages and old bugs and posts only the good ones to the list.<BR>
I recommend signing up at http://www.securityfocus.com. You can also search their archive, which is by the way my favorite security-related database, by going to securityfocus.com and looking for a link called 'search'.
<BR><BR>
<B><U>Searching</U></B><BR>
If we are looking for a bug in Sendmail 8.8.3, we'll need to type the following search keywords: 'sendmail 8.8.3' (without the quotes). If we're looking for something specific, such as a local DoS(29) attack against any version of sendmail, we will use the following search keywords: 'local DoS sendmail', etc'.
<BR><BR>
<B><U>Searching Packet Storm</U></B><BR>
Packet Storm should have a search box somewhere (Ken changes the layout every now and then, so I can't give you the exact location of the box). You can divide the search results you will get into two categories: texts and programs.<BR>
For example: you searched for a specific hole and you got a couple of text files and a couple of programs. The text files explain the bug and how to exploit it, while the programs use the hole to get in.<BR>
These programs are often called 'exploits' and usually come as source code instead of as a binary file. Let me explain: a binary file is any file that isn't made of text. Executable files are usually binary files. Now, in our case, programs come as sources instead of binaries. Sources are in the form of plain text, and they're actually a bunch of commands. When given to a compiler, this source code turns into an executable binary (except for source code written in the Perl programming language, which can be executed in the form of source if you have the right program). Anyway, these programs come in the form of sources so you will be able to understand how they work instead of blindly running them.
<BR><BR>
<B><U>Searching Security Focus</U></B><BR>
Security Focus offers more organized information. Instead of various bits of information, Security Focus offers articles. These include exact definitions of the bug, where and when it should happen, work-arounds (how to solve it) etc'. The only drawback of Security Focus is that it is smaller than other databases.
<BR><BR>
<B><U>BugTraq</U></B><BR>
Ah... my favorite database. When people post something to BugTraq about a security hole they found, other people can reply to them and share their side of the story. For example: did it work on their computer too, how to fix the bug in various ways, what causes the bug in the first place etc'. You can compile a full database with all of the necessary information by simply reading a couple of posts.
<BR><BR>
<B><U>Getting Caught</U></B><BR>
If you're planning on doing something bad, please don't. You can get caught. Better crackers than you already got caught. Don't be stupid.
<BR><BR>
<B><U>Okay, so I can hack a host which runs Sendmail. Now how do I do it?</U></B><BR>
I have made a nice list with several security holes regarding Sendmail just to give you the hang of it.
<BR><BR>
<B><U>A Local DoS(29) in All Sendmail Versions Up to 8.9.3 (taken from Packet Storm)</U></B><BR>
Date: Sat, 3 Apr 1999 00:42:56 +0200<BR>
From: "[iso-8859-2] Micha