open mail relay check
Scanning our external IP ranges for mail servers with Metasploit comes in handy when you need to avoid being abused by nasty spammers who use your mail server as an open relay for their crappy mailings.
Start the metasploit console
msfconsole
check if the database is connected
msf auxiliary(smtp_relay) > db_status
[*] postgresql connected to msf3
check the existing workspaces
msf auxiliary(smtp_relay) > workspace
* default
20140603
20140624
snmp_1
itdev
and create a new one
msf auxiliary(smtp_relay) > workspace -a 20150731_smtp_relay
[*] Added workspace: 20150731_smtp_relay
start an nmap scan for the mail ports and store the results in the database workspace
msf auxiliary(smtp_relay) > db_nmap -p 25,465,587 -iL /home/mpauli/_pub_ip_ranges.txt
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-31 10:38 BST
PORT STATE SERVICE
[*] Nmap: 25/tcp filtered smtp
[*] Nmap: 465/tcp filtered smtps
[*] Nmap: 587/tcp filtered submission
[*] Nmap: Nmap scan report for xxx.xxx.xxx.xxx
[*] Nmap: Host is up (0.00020s latency).
.....
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 25/tcp filtered smtp
[*] Nmap: 465/tcp filtered smtps
[*] Nmap: 587/tcp filtered submission
[*] Nmap: Nmap done: 3155 IP addresses (2438 hosts up) scanned in 392.52 seconds
msf auxiliary(smtp_relay) >
Load the smtp_relay scanner module
msf auxiliary(smtp_relay) > use auxiliary/scanner/smtp/smtp_relay
And bind the nmap findings to the module
msf auxiliary(smtp_relay) > services -u -R
Double-check what you configured:
msf auxiliary(smtp_relay) > show options
Module options (auxiliary/scanner/smtp/smtp_relay):
Name      Current Setting                                 Required  Description
----      ---------------                                 --------  -----------
EXTENDED  false                                           yes       Do all the 16 extended checks
MAILFROM  sender@example.com                              yes       FROM address of the e-mail
MAILTO    target@example.com                              yes       TO address of the e-mail
RHOSTS    file:/tmp/msf-db-rhosts-20150731-31682-1j8ww3f  yes       The target address range or CIDR identifier
RPORT     25                                              yes       The target port
THREADS   1                                               yes       The number of concurrent threads
The RHOSTS file was set by the "-R" parameter of your services search above.
If you are satisfied with the configuration, run the module.
msf auxiliary(smtp_relay) > run
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx6 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[*] xxx.xxx.xxx.xxx:25 - No relay detected
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx6 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[*] xxx.xxx.xxx.xxx:25 - No relay detected
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx5 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[*] xxx.xxx.xxx.xxx:25 - No relay detected
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx5 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[*] xxx.xxx.xxx.xxx:25 - No relay detected
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx5 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[*] xxx.xxx.xxx.xxx:25 - No relay detected
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 mx-xxxx6 ESMTP qpsmtpd 0.84 ready; send us your mail, but not your spam.\x0d\x0a
[+] xxx.xxx.xxx.xxx:25 - Potential open SMTP relay detected: - MAIL FROM:<sender@example.com> -> RCPT TO:<target@example.com>
[*] xxx.xxx.xxx.xxx:25 - SMTP 220 XX-xxxx.xxxx.xxxx Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 31 Jul 2015 13:42:53 +0100 \x0d\x0a
Needless to say, this test should NOT return any result like the [+] line above. So, please double-check the reported IP with the manual test below, from a machine located anywhere other than the company network.
If you see any such machines, follow the manual test defined below to verify the vulnerability.
SMTP transport example
C: represents what you have to type manually
S: represents what comes back from the mailserver
start with: telnet <ip address discovered> <port discovered>
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:<bob@example.org>
S: 250 Ok
C: RCPT TO:<alice@example.com>
S: 250 Ok
C: RCPT TO:<theboss@example.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <bob@example.org>
C: To: "Alice Example" <alice@example.com>
C: Cc: theboss@example.com
C: Date: Tue, 15 January 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
{The server closes the connection}
This (if it went through without an error message) will send an email from "bob@example.org" to "alice@example.com" via a Sophos owned mail server. Without authentication or anything.
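The envelope part of the manual test above, scripted so you can re-check every reported IP from outside the company network without queueing a message: it stops after RCPT TO and sends RSET instead of DATA, so a server that accepts the foreign recipient is flagged but nothing is delivered. This is an added example, not part of the original post or of Metasploit; LineConn, ScriptedConn and the canned replies are constructed here for illustration.

```python
import socket


class LineConn:
    """Line-oriented wrapper over a real TCP connection (for actual re-checks)."""
    def __init__(self, host, port, timeout=10):
        self.f = socket.create_connection((host, port), timeout).makefile("rwb")

    def readline(self):
        return self.f.readline().decode("latin-1").rstrip("\r\n")

    def send(self, line):
        self.f.write((line + "\r\n").encode("ascii"))
        self.f.flush()


class ScriptedConn:
    """Constructed stand-in for a mail server: canned replies keyed by SMTP verb."""
    def __init__(self, banner, replies):
        self.lines, self.replies, self.sent = [banner], replies, []

    def readline(self):
        return self.lines.pop(0)

    def send(self, line):
        self.sent.append(line)
        self.lines.append(self.replies[line.split()[0]])


def read_reply(conn):
    """Consume one (possibly multi-line, '250-...') reply and return its 3-digit code."""
    while True:
        line = conn.readline()
        if len(line) < 4 or line[3] != "-":
            return line[:3]


def envelope_relay_check(conn, helo, mail_from, rcpt_to):
    """True if the server accepts a foreign sender AND a foreign recipient
    (open relay indicator); False if rejected; None if the session never started.
    Only a final 250 on RCPT TO counts: 4xx (greylisting) or 5xx means not relayed."""
    read_reply(conn)                      # 220 banner
    conn.send(f"HELO {helo}")
    if read_reply(conn) != "250":
        return None
    conn.send(f"MAIL FROM:<{mail_from}>")
    if read_reply(conn) != "250":         # sender refused: not relaying for us
        conn.send("QUIT")
        return False
    conn.send(f"RCPT TO:<{rcpt_to}>")
    accepted = read_reply(conn) == "250"
    conn.send("RSET")                     # abort the envelope; never send DATA
    read_reply(conn)
    conn.send("QUIT")
    return accepted
```

For a real check use `envelope_relay_check(LineConn(ip, port), "relay.example.org", "bob@example.org", "alice@example.com")` with sender and recipient domains that are both foreign to the server under test.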
So get in touch with the owner of the IP and tell him to STOP THIS RIGHT NOW.
As this is a security incident, you MUST create a PIR.