Bypassing Email Protection
Posted by Peter Bassill on 07/08/2021
Every now and again, during a pentest, we will find an SMTP device deployed on a client site to provide better levels of protection. A great example is the Fortigate email gateway; it is one of the most common email gateway appliances we encounter.
So what can we do with it?
Well, here is the kicker: 99.999% of email protection vendors will sell you a basic appliance, but for the protection you actually need, you have to pay more. Crazy, right? You thought you were protected. Being able to send email internally from a trusted device on the target network may well land the message in the recipient's inbox, and if there is no impersonation protection running, then you can send as anyone in the business.
Where do we find people in the business? LinkedIn, Facebook, Crunch; there are many sources. Of course, once you have an open SMTP connection, you can test the validity of recipient mailboxes without sending any emails, but that is for another post later in the month.
How to test SMTP servers with telnet
This is very simple indeed. Open your favourite telnet client and make a telnet connection to the SMTP port exposed on the appliance. For example:
telnet fortigate.hedgehogdemo.com 25
Something similar to the following should now be displayed:
Connected to fortigate.hedgehogdemo.com (184.108.40.206).
Escape character is '^]'.
220 fortigate.hedgehogdemo.com ESMTP Smtpd; Sat, 7 Aug 2021 03:18:07 +0100
The first command we need to issue to the mail server is EHLO (or the older HELO). This is a basic greeting that starts the conversation between the telnet client and the SMTP server:
EHLO alice.umbrella.corp
Something similar to the following should be returned:
250-fotigate.hedgehogdemo Hello alice.umbrella.corp [169.254.14.162], pleased to meet you
The full EHLO response lists the extensions the SMTP server supports. Not all SMTP servers support the same set of commands.
The next command we need to issue is MAIL FROM. This sets the envelope sender, the address to which bounces are sent. It is not the same as the From header, which is the address an email client displays.
MAIL FROM: <email@example.com>
250 2.1.0 MAIL ok
Now that the MAIL FROM command has been sent, we can send the RCPT TO command. This tells the SMTP server to whom the message should be delivered. It can be the same as or different from the To header, which is the address shown in the email client.
RCPT TO: <firstname.lastname@example.org>
250 2.1.5 <email@example.com> ok
The last command to run before starting the body of the message is DATA. This tells the SMTP server that everything sent from here on is the message itself (the headers followed by the body):
DATA
354 send message
You now have a sort of interactive session in which to type the message. Now to send an email to someone on the inside. Something like the example below has proved fruitful in many phishing tests:
EHLO alice.umbrella.corp
MAIL FROM: <firstname.lastname@example.org>
RCPT TO: <email@example.com>
DATA
From: "The CEO" <firstname.lastname@example.org>
To: "Accounts Team" <email@example.com>
Subject: Please pay the invoice below asap
Date: Sat, 07 Aug 2021 13:11:57 +0100

Hi
Please can you pay $7000.00 to Evil Corp on sort code 11-11-11 account number 12345678.
.
The last period "." is important, this tells the SMTP service that the data stream is ended and to process the mail.
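To make the gateway side of this exchange concrete, here is an added example (not code from the original post or from any vendor) of a toy SMTP receiver state machine. It walks the same command sequence shown above (EHLO, MAIL FROM, RCPT TO, DATA, the terminating "."), refuses to relay to domains it does not own, and applies the impersonation check the post says is so often missing: mail whose envelope sender or From header claims the gateway's own domain is refused unless the submitting host is a trusted internal one. The class name, the domain example.com, the addresses, the reply texts and the scripted session are all constructed for this example.

```python
# Added example: toy SMTP gateway with relay and impersonation checks.
# Not the post's code nor any appliance's; all names are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"<([^>]*)>")


def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def _address(arg):
    """Pull the address out of 'FROM: <a@b>' / 'TO:<a@b>' style arguments."""
    m = ADDR_RE.search(arg)
    return (m.group(1) if m else arg.partition(":")[2]).strip().lower()


class ToyGateway:
    """Just enough of an SMTP receiver to show where the policy checks sit."""

    def __init__(self, internal_domains, client_is_internal):
        self.internal = {d.lower() for d in internal_domains}
        self.client_is_internal = client_is_internal  # trusted host on the LAN?
        self.helo = None
        self.accepted = []  # (envelope sender, recipients, subject) that passed
        self.rejected = []  # (stage, offending address) for refused mail
        self._reset()

    def _reset(self):
        """Clear per-transaction state (RSET semantics; EHLO state is kept)."""
        self.mail_from, self.rcpts, self.in_data, self.lines = None, [], False, []

    def _impersonates_internal(self, addr):
        # External hosts may not use our own domain as sender.
        return domain_of(addr) in self.internal and not self.client_is_internal

    def feed(self, line):
        """Process one client line; return the server reply (None while in DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self._end_of_data()
            # Dot-unstuffing: a body line starting with ".." really starts with "."
            self.lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.helo = arg.strip()
            return f"250 gateway.example.com Hello {self.helo}"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            if self.helo is None:
                return "503 5.5.1 Send EHLO/HELO first"
            sender = _address(arg)
            if self._impersonates_internal(sender):
                self.rejected.append(("MAIL FROM", sender))
                return "550 5.7.1 Envelope sender not authorised for this domain"
            self.mail_from = sender
            return "250 2.1.0 MAIL ok"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL FROM first"
            rcpt = _address(arg)
            if domain_of(rcpt) not in self.internal:
                return "554 5.7.1 Relay access denied"  # open-relay check
            self.rcpts.append(rcpt)
            return "250 2.1.5 RCPT ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT TO first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 2.0.0 OK"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognised"

    def _end_of_data(self):
        """Header-level check: the displayed From: must not spoof our domain."""
        msg = message_from_string("\n".join(self.lines))
        _, header_from = parseaddr(msg.get("From", ""))
        self._reset_after = None
        if self._impersonates_internal(header_from):
            self.rejected.append(("DATA", header_from.lower()))
            self._reset()
            return "550 5.7.1 From: header impersonates an internal domain"
        self.accepted.append((self.mail_from, list(self.rcpts), msg.get("Subject")))
        self._reset()
        return "250 2.0.0 Message accepted"


def run_session(gateway, client_lines):
    """Drive the gateway with a scripted client; return (client, reply) pairs."""
    transcript = []
    for line in client_lines:
        reply = gateway.feed(line)
        if reply is not None:
            transcript.append((line, reply))
    return transcript


# Constructed session modelled on the post's: an outside host submits mail
# whose From: header claims to be the CEO of the internal domain example.com.
SPOOFED_SESSION = [
    "EHLO alice.umbrella.corp",
    "MAIL FROM: <firstname.lastname@example.org>",
    "RCPT TO: <accounts@example.com>",
    "DATA",
    'From: "The CEO" <ceo@example.com>',
    'To: "Accounts Team" <accounts@example.com>',
    "Subject: Please pay the invoice below asap",
    "",
    "Please can you pay the invoice to Evil Corp.",
    ".",
    "QUIT",
]


def outcome(client_is_internal):
    """Replay the spoofed session as an external or internal client."""
    gw = ToyGateway({"example.com"}, client_is_internal)
    return run_session(gw, SPOOFED_SESSION), gw


if __name__ == "__main__":
    for internal in (False, True):
        transcript, gw = outcome(internal)
        print(f"client_is_internal={internal}")
        for client, reply in transcript:
            print(f"  C: {client}\n  S: {reply}")
```

Run as a script, the same message is refused at the "." with a 550 when it arrives from an outside host and accepted when it comes from a trusted internal one, which is exactly the distinction the post's phishing test relies on being absent. The two checks are deliberately separate: MAIL FROM guards the envelope sender, and the end-of-DATA check guards the From header a mail client actually shows, since the post points out that the two need not match.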