test for SMTP relay

Author: Kevin
Date:  
Subject: test for SMTP relay
On Thu, 2004-02-05 at 09:16, wrote:
> What is the best way to test for smtp authentication, relay etc.
>
> If evolution was set up to connect to @domain.name.com with a pop
> username and password and smtp was setup to connect to the
> @domain.name.com smtp server. Once they were authenticated for pop
> could they then send smtp messages from another program not evolution
> this being a virus of sorts that is now trying to latch on to the
> connection created with the pop authentication.
>


Jim,
Interesting question. From my cursory look into this, it seems there
are many different methods for implementing POP authentication into SMTP
services. Your answer would probably vary greatly between
implementations. Perhaps that is why we haven't seen this weak form of
authentication exploited en masse as you described. It would be too
unpredictable in the wild.

However, as a penetration testing technique for a specific
implementation it makes for an interesting scenario.

It would be simple to test. If you have access to a pop-auth smtp
service, simply telnet to tcp/110 on the POP server and authenticate
with the user/pass commands.

Here is an example session:

bernoulli > telnet pop.EyeEssPea.com 110
Trying 10.10.10.1...
Connected to pop.EyeEssPea.com.
Escape character is '^]'.
+OK Qpopper (version 4.0.5) at pop.EyeEssPea.com starting.

user BigYellowHat
+OK Password required for BigYellowHat

pass i-L1K3-m0nk33z
+OK BigYellowHat has 3 visible messages (0 hidden) in 30946 octets.

----
Leave the authenticated POP session open and go to another terminal
window. Now, telnet to tcp/25 on the smtp server from the second
terminal window and try sending a POP message manually.

Here's an example of that:

bernoulli > telnet smtp.EyeEssPea.com 25
Trying 10.10.10.1...
Connected to smtp.EyeEssPea.com.
Escape character is '^]'.
220 smtp.EyeEssPea.com ESMTP Sendmail 8.12.9/8.12.6; Thu, 5 Feb 2004
08:37:50 -0800 (PST)

helo user1.EyeEssPea.com
250 smtp.EyeEssPea.com Hello user1.EyeEssPea.com [10.10.10.2], pleased
to meet you

mail from:
250 2.1.0 ... Sender ok

rcpt to:
250 2.1.5 ... Recipient ok

data
354 Enter mail, end with "." on a line by itself

SUBJ: I like monkeys
I bought 200 of them.
I took my 200 monkeys home.
I have a big car.
I let one drive
.
250 2.0.0 i15HdiDI023440 Message accepted for delivery

quit
221 2.0.0 smtp.EyeEssPea.com closing connection
Connection closed by foreign host.

bernoulli >
-----


Let us know what you learn. I do not have access to a pop-auth smtp
service to try this myself.

...Kevin