open mail relay check

Scanning our external IP ranges for mail servers with Metasploit comes in handy when you want to make sure none of our mail servers can be abused by spammers. An open relay is a server that accepts mail from an unauthenticated, non-local sender for a recipient in a domain it does not host and delivers it onward; a spammer who finds one sends their junk through our address space and burns our reputation.

Start the Metasploit console

msfconsole

check if the database is connected

msf auxiliary(smtp_relay) > db_status
[*] postgresql connected to msf3

check the existing workspaces

msf auxiliary(smtp_relay) > workspace
* default
20140603
20140624
snmp_1
itdev

and create a new one

msf auxiliary(smtp_relay) > workspace -a 20150731_smtp_relay
[*] Added workspace: 20150731_smtp_relay

start an nmap scan for the mail ports (25 SMTP, 465 SMTPS, 587 submission) and put the results into the database workspace. The relay module below talks to RPORT 25 only; if hosts show up open on 587, rerun the module with RPORT set to 587 as well.

msf auxiliary(smtp_relay) > db_nmap -p 25,465,587 -iL /home/mpauli/_pub_ip_ranges.txt
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-31 10:38 BST

[*] Nmap: PORT STATE SERVICE
[*] Nmap: 25/tcp filtered smtp
[*] Nmap: 465/tcp filtered smtps
[*] Nmap: 587/tcp filtered submission
[*] Nmap: Nmap scan report for xxx.xxx.xxx.xxx
[*] Nmap: Host is up (0.00020s latency).

.....
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 25/tcp filtered smtp
[*] Nmap: 465/tcp filtered smtps
[*] Nmap: 587/tcp filtered submission
[*] Nmap: Nmap done: 3155 IP addresses (2438 hosts up) scanned in 392.52 seconds
msf auxiliary(smtp_relay) >

Load the smtp_relay scanner module

msf auxiliary(smtp_relay) > use auxiliary/scanner/smtp/smtp_relay

And bind the nmap findings to the module: services -u selects the hosts whose services nmap reported as up, and -R writes them into the module's RHOSTS option (services also takes -p 25 to restrict the selection to hosts that answered on port 25, which keeps hosts that were only open on 465 or 587 out of the list)

msf auxiliary(smtp_relay) > services -u -R

Double-check what you configured:

msf auxiliary(smtp_relay) > show options

Module options (auxiliary/scanner/smtp/smtp_relay):

   Name      Current Setting                                 Required  Description
   ----      ---------------                                 --------  -----------
   EXTENDED  false                                           yes       Do all the 16 extended checks
   MAILFROM  sender@example.com                              yes       FROM address of the e-mail
   MAILTO    target@example.com                              yes       TO address of the e-mail
   RHOSTS    file:/tmp/msf-db-rhosts-20150731-31682-1j8ww3f  yes       The target address range or CIDR identifier
   RPORT     25                                              yes       The target port
   THREADS   1                                               yes       The number of concurrent threads

The file: value of RHOSTS was written by the -R parameter of the services command above. MAILFROM and MAILTO can stay at their example.com defaults: neither address is in a domain we host, so a server that accepts that RCPT TO is accepting mail it has no business delivering. THREADS can be raised to get through a few thousand hosts in reasonable time; keep it moderate so the probes do not look like a flood to the receiving side.

If you are satisfied with the configuration, run the module (it is an auxiliary scanner, not an exploit):

msf auxiliary(smtp_relay) > run

[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx6 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[*] xxx.xxx.xxx.xxx:25 - No relay detected
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx6 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[*] xxx.xxx.xxx.xxx:25 - No relay detected
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx5 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[*] xxx.xxx.xxx.xxx:25 - No relay detected
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx5 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[*] xxx.xxx.xxx.xxx:25 - No relay detected
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx5 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[*] xxx.xxx.xxx.xxx:25 - No relay detected
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx6 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[+] xxx.xxx.xxx.xxx:25 - Potential open SMTP relay detected: - MAIL FROM:<sender@example.com> -> RCPT TO:<target@example.com>
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 XX-xxxx.xxxx.xxxx Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 31 Jul 2015 13:42:53 +0100 \x0d\x0a

It goes without saying that this test should NOT produce any line like the [+] Potential open SMTP relay detected entry above. If it does, double-check the reported IP with the manual test below from a machine that is NOT inside a company network: most mail servers relay for their own address ranges, so a probe from inside the company only shows that the server relays for us, which is expected, while a probe from outside shows whether it relays for the whole world, which is the problem.

The module reports a potential relay as soon as the RCPT TO for a foreign domain is accepted. Some servers accept the recipient and only reject or silently discard the message later, so the manual test with a mailbox you control is what confirms the finding.

SMTP transport example

C: represents what you have to type manually

S: represents what comes back from the mailserver

The point of the test is to ask the server to deliver mail for a domain it does not host. In the transcript below the target is mx.example.net; the sender bob@example.org and the recipients alice@example.com and theboss@example.com are all in foreign domains. A properly configured server rejects the RCPT TO with a 5xx reply (Postfix answers "554 5.7.1 <alice@example.com>: Relay access denied"); a 250 there, followed by a 250 queued after the DATA, means the server relayed for a stranger. Use a mailbox you control as the recipient so you can confirm the message actually arrived.

Start with telnet against the discovered address and port:

telnet <ip address discovered> <port discovered>


S: 220 mx.example.net ESMTP Postfix

C: HELO relay.example.org

S: 250 Hello relay.example.org, I am glad to meet you

C: MAIL FROM:<bob@example.org>

S: 250 Ok

C: RCPT TO:<alice@example.com>

S: 250 Ok

C: RCPT TO:<theboss@example.com>

S: 250 Ok

C: DATA

S: 354 End data with <CR><LF>.<CR><LF>

C: From: "Bob Example" <bob@example.org>

C: To: "Alice Example" <alice@example.com>

C: Cc: theboss@example.com

C: Date: Tue, 15 Jan 2008 16:02:43 -0500

C: Subject: Test message

C:

C: Hello Alice.

C: This is a test message with 5 header fields and 4 lines in the message body.

C: Your friend,

C: Bob

C: .

S: 250 Ok: queued as 12345

C: QUIT

S: 221 Bye

{The server closes the connection}


If this went through without an error message, the server has just accepted a message from "bob@example.org" to "alice@example.com", neither of which it hosts, and queued it for delivery: a Sophos-owned mailserver relaying for anyone, without authentication of any kind.
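The same exchange, automated: an added example (not part of this page and not Metasploit's code) of a relay probe in Python that does what the module does up to RCPT TO, plus a throwaway fake SMTP server so the probe can be exercised offline. Everything in it is an assumption: the hostnames, the probe addresses probe@example.org and probe@example.com, and the fake server's behaviour (it treats example.net as local and refuses to relay unless told otherwise). The probe stops at RCPT TO and sends RSET, so it never injects a message; a 250 at RCPT TO is the "potential open relay" signal, and the DATA step with a mailbox you control remains the confirmation.

```python
"""Open-relay probe, plus a fake SMTP server to run it against offline.

Added example; hostnames, addresses and the fake server are assumptions.
"""
import smtplib
import socketserver
import threading
from dataclasses import dataclass
from typing import Optional

# Domains the *fake* server considers local; RCPT TO anything else is a relay request.
FAKE_LOCAL_DOMAINS = {"example.net"}


@dataclass
class RelayProbe:
    host: str
    port: int
    rcpt_code: Optional[int]   # SMTP reply code to RCPT TO, None if the session failed
    rcpt_reply: str
    open_relay: bool           # True when a foreign recipient was accepted (250)


def check_relay(host, port=25, mail_from="probe@example.org",
                rcpt_to="probe@example.com", timeout=10.0):
    """EHLO / MAIL FROM / RCPT TO against host:port, then RSET and QUIT.

    Both addresses are in domains the target should not host, so a 250 to
    RCPT TO means the server is willing to relay for strangers.  Nothing is
    sent: the session is reset before DATA.
    """
    try:
        # local_hostname avoids a slow reverse lookup of our own name
        with smtplib.SMTP(host, port, local_hostname="probe.example.org",
                          timeout=timeout) as session:
            session.ehlo_or_helo_if_needed()
            code, reply = session.mail(mail_from)
            if code != 250:
                return RelayProbe(host, port, code, reply.decode(errors="replace"), False)
            code, reply = session.rcpt(rcpt_to)
            session.rset()                       # never reach DATA
            return RelayProbe(host, port, code, reply.decode(errors="replace"),
                              code == 250)
    except (OSError, smtplib.SMTPException) as exc:
        # filtered port, refused connection, banner timeout, protocol error
        return RelayProbe(host, port, None, f"session failed: {exc}", False)


class FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Tiny SMTP responder; server.open_relay decides whether foreign RCPT TO is accepted."""

    def reply(self, text):
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self):
        self.reply("220 mx.example.net ESMTP fake-for-testing")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode("latin-1").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mx.example.net")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                rcpt = arg.partition(":")[2].strip().strip("<>")
                domain = rcpt.rpartition("@")[2].lower()
                if domain in FAKE_LOCAL_DOMAINS or self.server.open_relay:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply(f"554 5.7.1 <{rcpt}>: Relay access denied")
            elif verb in ("RSET", "NOOP"):
                self.reply("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


def start_fake_server(open_relay):
    """Start the fake server on a random loopback port; caller runs .shutdown() when done."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSmtpHandler)
    server.daemon_threads = True
    server.open_relay = open_relay
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    for relaying in (False, True):
        srv = start_fake_server(relaying)
        print(check_relay("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
        srv.server_close()
```

Against a real host, call check_relay with the IP and port the nmap scan reported, from outside the company network, and treat open_relay=True as the cue to run the telnet transcript above with your own mailbox as recipient; a rcpt_code of None means the session itself failed, which is what a filtered port looks like.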

So get in touch with the owner of the IP and tell them to STOP THIS RIGHT NOW: relaying has to be restricted to authenticated clients and our own networks.

As this is a security incident, you MUST create a PIR.