
How to solve the problem of unauthorized access to SMTP 25 by bulk scanning with python

2025-03-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shares how to use python to batch-scan for unauthorized access on SMTP port 25. Most people are probably not very familiar with the topic, so it is shared here for your reference.

Batch scanning of unauthorized access to SMTP 25 using python

While testing a system, I found that many servers had ports 25 and 110 open, but I was not sure whether they were real mail service ports, so I decided to try to reproduce the vulnerability.

SMTP anonymous email

SMTP (Simple Mail Transfer Protocol) is a reliable and effective e-mail transfer protocol.

However, its original design did not include an authentication mechanism, so any user could connect to an SMTP server and send mail. Over the years, the SMTP-AUTH extension was added to address this.

Because of the huge installed base, a large number of SMTP servers with authentication disabled, or old versions that do not support SMTP-AUTH, are still running on today's networks, so a large amount of spam and fraudulent e-mail still spreads on the Internet. This article records the learning process.

Preparing the vulnerable environment

To make sure the environment is real and controllable, it is best to build one yourself.

The system environment is Kali 2020.1, chosen because it is convenient.

The easiest way to install this kind of service environment now is docker.

sudo systemctl daemon-reload
sudo systemctl restart docker.service   # restart the docker service, otherwise a "Cannot connect to the Docker" error may appear
sudo docker search smtp                 # search for images of the smtp service

Just choose the one with the most STARS.

sudo docker pull namshi/smtp

If you are on a slow company connection, the download may be very slow. In that case, switch to a domestic registry mirror:

sudo vi /etc/docker/daemon.json   # create the file if it does not exist; don't panic

Then add the following:

{"registry-mirrors": ["http://hub-mirror.c.163.com"]}

Restart docker after adding:

sudo systemctl restart docker.service

The download is now fast.

Then start the container:

sudo docker run --restart=always -d -e "RELAY_NETWORKS=:0.0.0.0/0" --name smtp -p 25:25 namshi/smtp

Try to connect using telnet or nc (you can use whichever is available in the system)

You can see that 220 is returned, indicating that the connection is successful.

Enter HELP to see the supported instructions

Say hello to the server using EHLO or HELO

You can see that the server returned 250.

Continue with MAIL FROM:<XX@XX.Xx>, which specifies the sender:

Then write RCPT TO:<118xxxxx@qq.com>, which specifies the recipient:

Then type DATA to start writing the content, and end the message with a line containing only ".":

You can see 250 OK at the end, followed by a queue id, which indicates that the message was queued successfully.

You can use QUIT to exit the connection. (lowercase is also fine)

This is a complete connection process.

To sum up:

Use telnet or nc to connect port 25 of the smtp service. If the connection is successful, it returns 220.

Use EHLO xxxx or HELO xxxx. 250 is returned on success.

Use MAIL FROM:<xx@xx> to specify the sender. 250 is returned if the setting is successful.

Use RCPT TO:<XX@XX> to specify the recipient. 250 is returned if the setting is successful.

Use DATA to write the contents of the message, ending with a line containing only ".". On success, 250 and the queue id are returned.

Use QUIT to exit the connection

Testing on real networks

To find affected environments, search in FOFA:

"SMTP" && port="25" && country="CN"

This returns the IP addresses of hosts in China that have the default port open; domestic addresses were chosen for faster connections.

Start by trying to connect with telnet

telnet 1xxxxxx7 25

The connection succeeds.

Try using the EHLO command to see if supported extensions are returned:

Then, continue with MAIL FROM and RCPT TO

You will find that authentication is required. Oh well, keep looking at other hosts.

When you see one that does not advertise an AUTH extension, try to connect:

The whole sequence goes through without a problem:

Batch detection

A batch scan may turn up many hosts with port 25 open, and testing them one by one is tedious, so a batch detection method is needed.

There are two problems that need to be solved.

Make sure there are no false positives from NMAP, that is, the port 25 it found really is an SMTP service.

Determine whether the SMTP service allows mail to be sent anonymously. The check is that it does not return the 553 code.
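Added example (not from the original article): an offline classifier for recorded SMTP replies that addresses the two problems above. It goes beyond the article's "no 553" check by requiring a 220 banner, a 250 EHLO reply and explicit 250 replies to MAIL FROM and RCPT TO, and it reports whether EHLO advertised AUTH; the function names, verdict strings and sample sessions are constructed for illustration.

```python
import re

# One reply line: 3-digit code, "-" (more lines follow) or " " (final line), text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(raw):
    """Return (code, [text lines]) for the first complete reply, or None."""
    texts = []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            return None          # not SMTP reply syntax (e.g. an SSH banner)
        texts.append(m.group(3))
        if m.group(2) == " ":    # a space after the code ends the reply
            return int(m.group(1)), texts
    return None                  # truncated or empty reply

def assess(banner, ehlo, mail_from, rcpt_to):
    """Classify one recorded session (raw server output for each step)."""
    result = {"smtp": False, "auth_advertised": False, "verdict": "not-smtp"}
    b, e = parse_reply(banner), parse_reply(ehlo)
    if not b or b[0] != 220 or not e or e[0] != 250:
        return result
    result["smtp"] = True
    # EHLO lines after the greeting are extension keywords, e.g. "AUTH LOGIN PLAIN".
    keywords = {t.split()[0].upper() for t in e[1][1:] if t.strip()}
    result["auth_advertised"] = "AUTH" in keywords
    mail, rcpt = parse_reply(mail_from), parse_reply(rcpt_to)
    if mail and rcpt and mail[0] == 250 and rcpt[0] == 250:
        result["verdict"] = "accepts-unauthenticated-mail"
    elif mail is None or rcpt is None:
        result["verdict"] = "inconclusive"   # an empty reply is not evidence
    else:
        result["verdict"] = "rejected"
    return result

# Constructed sample sessions (not captured from any real server).
OPEN = ("220 mail.lab.example ESMTP\r\n",
        "250-mail.lab.example Hello\r\n250-SIZE 52428800\r\n250 HELP\r\n",
        "250 OK\r\n", "250 Accepted\r\n")
AUTH_ONLY = ("220 mx.lab.example ESMTP\r\n",
             "250-mx.lab.example\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME\r\n",
             "250 OK\r\n", "553 authentication is required\r\n")
NOT_SMTP = ("SSH-2.0-OpenSSH_8.2\r\n", "", "", "")
SILENT = ("220 mx.lab.example ESMTP\r\n", "250 mx.lab.example\r\n", "", "")

if __name__ == "__main__":
    for s in (OPEN, AUTH_ONLY, NOT_SMTP, SILENT):
        print(assess(*s))
```

The SILENT case is the one a bare `"553" not in reply` test gets wrong: an empty read contains no 553, yet it says nothing about whether the server relays.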

If you drive telnet from python, subprocess can call telnet directly, but it does not correctly return the output of the telnet command while it runs (it is too troublesome to handle). So it is implemented with python's telnetlib library instead (calling shell commands directly really is weak).

The input format is currently xx.xx.xx.xx:xx, but only the default port 25 is handled.

import telnetlib  # removed from the standard library in Python 3.13; use Python 3.12 or earlier
import time
# Placeholder addresses: the original addresses are missing from this copy of the article.
SENDER = "<test@example.com>"
RECIPIENT = "<test@example.com>"
class TelnetClient():
    def __init__(self):
        self.tn = telnetlib.Telnet()
    # send one command and return whatever the server has answered so far
    def send_command(self, command):
        self.tn.write(command.encode('ascii') + b"\r\n")
        time.sleep(2)
        try:
            return self.tn.read_very_eager().decode('ascii', errors='replace')
        except EOFError:
            return "connection closed"
    # this function implements the telnet connection to port 25 of the given server
    def login_host(self, host_ip):
        try:
            self.tn.open(host_ip, port=25, timeout=10)
        except OSError:
            print('%s network connection failed' % host_ip)
            return False
        time.sleep(5)
        # read_very_eager() returns all output received since the last read
        try:
            command_result = self.tn.read_very_eager().decode('ascii', errors='replace')
        except EOFError:
            print('%s smtp port connection failed' % host_ip)
            return False
        # wait for the mail server's "220 ... ESMTP ready" greeting
        if '220' not in command_result:
            print('%s smtp login failed' % host_ip)
            return False
        print('%s smtp login succeeded' % host_ip)
        command_result = self.send_command("EHLO localhost")
        # the string tested here is missing from this copy of the article; "553" matches the checks below
        if "553" not in command_result and "connection closed" not in command_result:
            command_result = self.send_command("MAIL FROM:" + SENDER)
            print("entered MAIL FROM content")
            if "553" not in command_result and "connection closed" not in command_result:
                command_result = self.send_command("RCPT TO:" + RECIPIENT)
                print("entered RCPT TO content")
                if "553" not in command_result and "connection closed" not in command_result:
                    print("possible unauthorized access issue")
                    return True
        return False
    # exit telnet
    def logout_host(self):
        self.tn.write(b"quit\r\n")
if __name__ == '__main__':
    with open("iplist1.txt", 'r') as ip_list:
        for line in ip_list:
            target = line.strip().split(":", 1)
            if len(target) == 2 and target[1] == "25":
                print("-----")
                print(target[0])
                telnet_client = TelnetClient()
                # if login_host() returns True, send quit and then exit
                if telnet_client.login_host(target[0]):
                    telnet_client.logout_host()
                print("-----")

The input is a file in ip:port format. Out of laziness only port 25 is handled; clever readers can certainly change that easily.

Extraneous remarks

nmap actually has corresponding scripts for testing SMTP, but I did not see one for the anonymous mode, so I tried writing it myself. For the others, you can refer to these:
