Forged Emails (Lab 4b)
Last Update Unknown
Question 3: netcat line
We are going to forge an email to ourselves.
Using the normal IP number of localhost, what would be the netcat command needed to netcat to the SMTP port of localhost? This is case-sensitive and space-sensitive. Use only numerical IP and port, and start the answer "netcat".
Question 4: Use the netcat command
Use this netcat command (and use QUIT in the netcat session) to test the connection. The MTA (Mail Transport Agent) server should identify itself with a string "ESMTP MTANAME Version". What is the version of the MTA?
Question 5: Envelope Information
We want to forge an email and make it appear that: (1) The sending server is "juggling.com", (2) the email is coming from "[email protected]", and (3) the email is going to "root@YOURHOST" (where YOURHOST is the hostname you have already discovered for your own virtual machine).
So what are the three envelope fields in this case?
Question 6: Forge an email
Use the above information to send an email. Open the connection with netcat as above, use all the header data from the previous question, then in the data body section send the block.
After the body remember to end the block with ".", then end the session with "quit".
In Kali, mail for "root" actually goes to a user called "kali". To read the mail for "root", do:
su kali -c mail
To delete mail, do "d 1" where "1" is the number of the mail to delete. Do "1" to read email number 1. Do "h" to see the list of email headers. Press "q" to actually delete the email: it does not get deleted till you "q" out of mail.
Note: make sure that there is only 1 email in the mailbox and that the one which is there is the one you are forging. Remember to "q" out of mail.
Question 7: Hidden Path
Run the command:
grep -A 5 "Received:" /var/spool/mail/kali
This gives the line with "Received:" on it, as well as the next 2 lines. This shows the mail path. Here it is clear that "juggling.com" would have an IP number, but the IP number in the path (on line 1, in the square brackets) is the IP of localhost and not of juggling.com. Thus it is forged. In Linux the dig command will give you the IP.
Validate this by entering the IP number of juggling.com.
Question 8: Better Forgery
Repeat the forged email exercise, but this time include one fake hop at the head of the data section. Use the grep information to make the hop identical to the one created when you sent the first email, except this time replace 127.0.0.1 with the juggling.com IP and replace the hostname "localhost" with "email.juggling.com". MAKE SURE THAT ALL OTHER EMAILS HAVE BEEN DELETED from root's mailbox.
So if the header was:
Received: from localhost ([::1] helo=juggling.com)
by host-19-17.linuxzoo.net with smtp (Exim 4.80)
(envelope-from <[email protected]>)
id 1WIgrz-00021U-Ge
for [email protected]; Wed, 26 Feb 2014 15:58:09 +0000
Then you would use this whole entry, but replace [::1] with [fakeIP] (i.e. the IP of the real juggling.com) and "from localhost" with "from email.juggling.com".
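A defender-side check for the mail path discussed in Questions 7 and 8, added here as an example and not part of the lab: it unfolds the "Received:" headers, flags a hop whose HELO names a remote domain while the connection actually came from loopback, and flags a second hop that claims to have been stamped by our own MTA (which only ever adds one). The sample headers, the address fred@juggling.com and the message id are constructed; the MTA hostname host-19-17.linuxzoo.net is taken from the lab's sample header.

```python
import ipaddress
import re

# Constructed sample in the lab's Exim header layout (ids/addresses made up):
# the first hop is the genuine one, the second was injected inside DATA.
SAMPLE_HEADERS = """\
Received: from localhost ([::1] helo=juggling.com)
\tby host-19-17.linuxzoo.net with smtp (Exim 4.80)
\t(envelope-from <fred@juggling.com>)
\tfor root@host-19-17.linuxzoo.net; Wed, 26 Feb 2014 15:58:09 +0000
Received: from email.juggling.com ([203.0.113.5] helo=juggling.com)
\tby host-19-17.linuxzoo.net with smtp (Exim 4.80)
\t(envelope-from <fred@juggling.com>)
\tfor root@host-19-17.linuxzoo.net; Wed, 26 Feb 2014 15:58:09 +0000
Subject: hello
"""
# Exim style: "from <reverse-dns> ([<ip>] helo=<name>) by <our-host> ..."
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[([^\]]+)\](?:\s+helo=(\S+))?\)\s+by\s+(\S+)")

def unfold_received(raw):
    """Return each Received header value unfolded onto one line, top first."""
    hops, in_hop = [], False
    for line in raw.splitlines():
        if line.startswith("Received:"):
            hops.append(line[len("Received:"):].strip())
            in_hop = True
        elif in_hop and line[:1] in (" ", "\t"):
            hops[-1] += " " + line.strip()
        else:
            in_hop = False  # any other header ends the folded hop
    return hops

def check_hops(raw, local_mta):
    """Flag a mail path that looks forged, given our own MTA's hostname."""
    findings, by_local = [], 0
    for n, hop in enumerate(unfold_received(raw), 1):
        m = HOP_RE.search(hop)
        if not m:
            findings.append(f"hop {n}: unparsable Received line")
            continue
        reverse_name, ip_text, helo, by_host = m.groups()
        by_local += int(by_host == local_mta)
        ip = ipaddress.ip_address(ip_text)
        # Question 7's tell: HELO names a remote domain, but the socket is loopback.
        if helo and ip.is_loopback and helo not in ("localhost", reverse_name):
            findings.append(f"hop {n}: helo={helo} but connection came from {ip}")
    # Our MTA stamps exactly one hop; extras arrived inside DATA (Question 8).
    if by_local > 1:
        findings.append(f"{by_local} hops claim 'by {local_mta}'; only the first is trusted")
    return findings
```

Run it against the real mailbox by passing the contents of /var/spool/mail/kali as raw and your own hostname as local_mta.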