The Sendmail Tutorial / written by yours truly, R a v e N (blacksun.box.sk) <============================================================================> version 2.5, 10/6/2000 Note: whenever you see something like this: blah(1), it means that if you don't understand the meaning of the word blah there's an explanation for it just for you, located at the newbies corner on section 1. Note 2: if you're having a hard time reading this page because you have to scroll to the right whenever a long line comes, it's probably because you're not using "word wrapping". Most UNIX and Windows text editors do this by themselves. To activate word wrapping on Microsoft Notepad, simply go to Edit and then click on "Word wrapping". Note 3: Although this text file treats the Sendmail daemon, it is mostly applicable to any other SMTP daemon. Author's notes ============== If you have any comments or questions regarding this tutorial (no flames or spam, please) Email me at barakirs@netvision.net.il. Visit blacksun.box.sk for more tutorials, free hacking/programming/unix books to download and much more. Oh, and here's a note before you start reading: Sendmail is one of many SMTP daemons (I'll explain what this means in a second). There are other daemons that are more secure, but I've chosen Sendmail as an example. Anyway, although a certain SMTP daemon may not be vulnerable to some attacks, it can still be used to send fake mail, since this technique is based on the fact that SMTP doesn't have any authentication procedures, and it can't make sure that you own the Email address that your mail appears to be originating from (don't worry if you don't understand, everything will be explained in a second). Disclaimer ========== We do not encourage any kinds of illegal activities. If you believe that breaking the law is a good way to impress someone, please stop reading now and grow up. There is nothing impressive or cool in being a criminal. Contents ======== Sendmail? Huh? * What is Sendmail? * What is it used for? * Why would I want to learn about Sendmail? How do I create authentically-looking fake mails? * You mean I can send Emails from bgates@microsoft.com or bclinton@whitehouse.org?! * Is it possible to create a 100% authentical Email? * How can I learn raw Sendmail commands by myself? * But what if I'm lazy? Can you pleeease teach me? * How do I track down carelessly-made fake mails? * How do I track down more sophisticated fake mails? * Can I get caught? * Will I get caught? Hack the server? Through Sendmail?! * Can I really hack a host that runs Sendmail? * So why is Sendmail called "the buggiest daemon on Earth" anyway? * Okay, great. Now how do I do it? * Can you tell me more about various Sendmail security holes? * Where can I find more Sendmail security holes? * How can I tell what version of Sendmail the target host is running? * Why should I care anyway? * How can I use the BugTraq archives to find the holes I'm looking for? * Can I get caught? * Will I get caught? * Final Notes Okay, so I can hack a host which runs Sendmail. How do I do it? * A Local DoS(29) in All Sendmail Versions Up to 8.9.3 * Bug in Sendmail's HELO command * Giant Bug in Sendmail 8.8.4 * Final Notes Newbies corner * What is a daemon? * What is a port? * What is a service? * What is a daemon banner? * What is a timeout (in computer terms)? * What is TCP and how does it work? * What is UDP and how does it work? * What is ICMP and how does it work? * What is an IP address? * What is a hostname? * How to find out what your ISP's mail servers are? * What is a portscanner? * What is a services scanner? * What/who is root? * What is bandwidth? * What is a client program? * What is a DNS server? * What is Telnet (the Telnet daemon and the Telnet program) * What is a command interpreter? * What is a shell account? * Who is a sysadmin? * What is hyper text? * What is an RFC? * What is InterNIC? * What is a sub domain (and how much does a domain really cost?)? * What is SSH? * What is a moderated mailing list / message board? * What is a DoS attack? * What is DUN? * What is a dial-up account? * What is a Unix password file? * What is a thread? Appendix A: Fake Daemons * Fake Sendmail daemon * Fake Telnet daemon Appendix B: Routing Mail * How can I route my mail? * How would that help me? Appendix C: Faking the sender's IP * How can I fake my IP on the Email's header? * Where can I read more about this kind of stuff? Appendix D: Reply-to * What does the Reply-to option do? * How do I use it? Appendix E: CC and BCC * What do these commands do? * How do I use them? Appendix F: Using Named to Create Ever More Authentic-Looking Fake Mails * How can I use named to create even more authentic-looking fake mails? Appendix G: Attachments * How can I send attached files through telnet? Appendix H: From and To * What do you mean by that? * How can I do it? Appendix I: Mail Relaying * What does it mean when I get these errors? * How can I overcome them? References * RFC 821 Bibliography * Sam Spade's Library * Various online magazines * BugTraq's archives * Packet Storm Security * Security Focus * Rootshell * Hackersclub Other tutorials by Black Sun * FTP Hacking. * Overclocking. * Ad and Spam Blocking. * Sendmail. * Phreaking. * Advanced Phreaking. * Phreaking II. * IRC Warfare. * Windows Registry. * Info Gathering. * Proxy/Wingate/SOCKS. * Offline Windows Security. * ICQ Security. * Hardware * Cracking, Part I. Sendmail? Huh? ============== Sendmail is a daemon(1) which waits for connections on port(2) 25. It is used to send outgoing mail. For example: your Email provider (probably your ISP (Internet Service Provider)) probably uses two servers (unless it's a web-based mail account such as Hotmail.com): 1) mail.boring-ISP.net (probably port 110): for incoming mail. 2) mailgw.boring-ISP.net (port 25): for outgoing mail. Most of the time mail servers look pretty much like this, but the addresses vary from different ISPs. Mail.boring-ISP.net would require a username and a password so people won't be able to read your Emails, so let's skip this one (I might discuss cracking those passwords in another tutorial, but remember - I'm teaching you these things so you'll be able to know how malicious crackers work and not fall for their tricks, not for you to break the law and harm others). Now, as surprising as it may sound, mailgw.boring-ISP.net will not require a password or any other means of identification. If you telnet(19) into mailgw.boring-ISP.net on port 25 and type in the right commands you will be able to send fake mails. Interesting, huh? Now, the coolest part is that you can actually hack a server running Sendmail or at least bring it down, since Sendmail contains a crapload of bugs and security holes. How can I create authentically-looking fake mails? ================================================== As mentioned in the previous chapter, sending mail does not require you to have an account on the machine you're sending the mail from (the mail server, not your computer). All you need to know is the IP Address(9) / Hostname(10) of the mail server and Sendmail commands. So far we assume that you know the IP/hostname of your target. If you still don't know this important detail, please find out(11). Now, let's get on with it. This time, unlike previous tutorials, I will "learn" all over again how to do everything I describe here and walk you through the entire process of learning and using what you have learnt. Alright, let's begin. Our target outgoing mail server for today is mailgw.someone.com on port 25. First, let's telnet into that port by either typing 'telnet mailgw.someone.com 25' (without the quotes) on a standard Unix text-based system, running C:\Windows\telnet.exe or your favorite telnet application and typing in mailgw.someone.com in the host field and 25 in the port field, or executing your favorite telnet application from XWindows (a graphical interface for Unix. If you're smart enough to be running some version of Unix you shouldn't have a hard time finding one. If you don't like the default telnet programs you could always go to www.linuxberg.com and grab one) and typing in the correct details (host and port). Note about VT: you might be asked to choose a terminal type during the connection process. Something with VT and some number in it... hmm... VT stands for Virtual Terminal. Since there are several types of terminals (all sorts of monitors, old printer terminals etc') you are asked to choose a terminal type (compatibility issues). VT100 should suite most people just fine. Note about shell accounts(21): if you're not running Unix and you wish to use Unix tools on Unix systems while you work, telnet to nether.net on port 23, login as newuser and get yourself a free shell account. If you'd rather user Window's tools (I use Window's stuff when I work from Windows, except certain conditions when I really NEED Unix and I don't want to reboot and boot it up. In that case, I get myself a shell account so I am able to use Unix stuff while working from Windows) go ahead (things will work faster since the tools are actually located on your machine, not on some distant computer which runs a shell account), but I still recommend that you will get a shell account at nether.net (in fact they teach you a lot of great Unix-newbies stuff when you sign up). Note about Telneting from Macintosh: Macintosh does not come with a Telnet program. However, you can download one from: http://www.ncsa.uiuc.edu/SDG/Software/MacTelnet/ (thanks to little_v for this one!). Now, let's see what we get after we telnet(19) to mailgw.someone.com:25 (in this case, the character : stands for 'on port', so mailgw.someone.com:25 means mailgw.someone.com on port 25). 220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT). AHA! This is... this is... ugh... WHAT THE HELL IS THIS THING?! This, my friends, is a daemon banner(4), and it just gave us tons of valuable pieces of information! Normally, this info is intended for a client program(16) to determine what version of Sendmail the target is running and how to communicate with it (the program should know that, for example, every Sendmail version below 7.0.0 uses the command 'halb' instead of the command 'blah', etc'). This daemon banner thing is also great for hackers and crackers, since we can determine what version our target is running. Later, when we will discuss about how to actually hack the server, this data would be EXTREMELY valuable. Okay, let's analyze what we've got... 220... we don't know what this is right now... alpha.someone.com... no luck, can't make anything out of it so far... ESMTP... hmm... SMTP stands for Simple Mail Transfer Protocol. It is the protocol(18) used by email clients to communicate with Sendmail daemons, and this is what we're trying to learn right now. ESMTP is Extended SMTP. It's the same as SMTP, only it contains some more commands. Let's leave this alone for the time being. Sendmail 8.9.3/8.8.6 - AHA! There's something interesting. We got the version of the Sendmail daemon! Remember this, it will help us during the next chapter (hacking into servers who run Sendmail). The rest is garbage (time, date, etc' etc' etc'). Okay, so let's move on... umm... how do I communicate with this thing? Er... let's try typing 'help' (without the quotes). Oh, by the way, it is normal not to see what you type when you talk to Sendmail since it won't send back your keystrokes. You have to turn on "local echo" in your telnet program in order to see what you type. 214-This is Sendmail version 8.9.3 214-Topics: 214- HELO EHLO MAIL RCPT DATA 214- RSET NOOP QUIT HELP VRFY 214- EXPN VERB ETRN DSN 214-For more info use "HELP ". 214-To report bugs in the implementation send email to 214- sendmail-bugs@sendmail.org. 214-For local information send email to Postmaster at your site. 214 End of HELP info Wee! This is cool!! By this time you should have guessed that this number (the 220 in the daemon banner and the 214 here) is actually a 'message type'. It states the type of the message you got. Each type of message (error because of this, error because of that, help page for this, confirmation message for that etc') has it's own number. Okay, let's move on. Let's try typing 'help helo'. 214-HELO 214- Introduce yourself. 214 End of HELP info See? I told you so. 214 is the message type number for help messages. Okay, so that way you can practically teach yourself what every Sendmail command does. Stop right now, read all the help pages and then continue. It is important that you'll learn how to learn things by yourself. You might see some notes concerning the word RFC(24) and some numbers. You can find RFCs at http://www.linuxberg.com. Note about ESMTP: remember that ESMTP thing we came across? You'll be able to get a good clue on what ESMTP is by reading the help pages. Yes, I am trying to force you to read them... so please do. They contain tons of great information for newbies as well as pros. Okay, I'm assuming you've finished reading all those help pages. Now let's move on. First we need to enter a sender. We do this by typing 'MAIL FROM: ' (remove the quotes and replace fake Email address with the fake Email address of your choice, say... bgates@microsoft.com (but leave the < and the >)). The mail server should reply with this message: 250 bgates@microsoft.com... Sender ok Next we type 'RCPT TO: '. Replace recipient with the target, say victim@victim.com. We should get 250 victim@victim.com... Recipient ok You can add recipient by simply doing this command several times, only with different recipients. Now, let's move on to the actual message body. Type 'data' to start writing the body of the message. 354 Enter mail, end with "." on a line by itself Now let's type in some stuff... Subject: fake message (note about this line: in this line you get to determine what subject you want to give for your message). Hello. This is a fake Email message. I'm bored. Gimme something to hack!! . Now we get this 250 CAA15313 Message accepted for delivery You must be wondering right now what the heck is that number after the 250. This is called the message ID (or MID). It's just a stupid number, but we'll use them later... don't you worry your pretty head about this. Now, if you were the recepient you would have got a 100% reliably-looking fake mail. OR IS IT? Let's take a look at what the recepient would get... Hmm... welp, looks like an ordinary message to me. At least it does to the ordinary user. Now let's look at the headers. Headers are a couple of lines which come with every Email address. Most of today's Email clients show only the simpler parts of the header (sender, subject, date and time etc'), but right now we need the full header. On Netscape Messanger displaying the full headers is done by going to View ==> Headers ==> All. On Eudora this is done by clicking on the button which displays the "blah blah blah" caption when you put your mouse cursor above it for a second or two. Compuserve automatically displays the full header. On Outlook, right click the message on your inbox, choose properties and choose details. On pine, you should have an option somewhere in the configuration screens that let's you choose what kind of header you want to view (full or briefed). Now let's take a look at the full header, shall we? Received: from alpha.netvision.net.il (alpha.netvision.net.il [194.90.1.13]) by cmx.netvision.net.il (8.9.3/8.9.3) with ESMTP id CAA15313 for victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0300 (IDT) From: bgates@microsoft.com Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225]) by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313 for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT) Date: Sat, 10 Jul 1999 02:55:46 +0300 (IDT) Message-ID: <199907092355. CAA15313@alpha.someone.com> X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol Subject: Fake mail Status: X-Mozilla-Status: 8001 X-Mozilla-Status2: 00000000 X-UIDL: 3752da3b000002ff Yeehaw! Look at all those numbers and letters and shiny things! Let's start from the top, shall we? Received: from alpha.someone.com (alpha.someone.com [194.90.1.13]) by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970 for >; Sat, 10 Jul 1999 02:49:59 +0000 (GMT) Okay, so the mail was received from alpha.someone.com (alpha.someone.com [194.90.1.13]). What does that mean? A quick checkup on InterNIC(25)'s databases (type 'whois alpha.someone.com' without the quotes on a Unix system or download SamSpade for Windows at www.samspade.org) reveals that it is owned by someone.com. This is probably some kind of a sub-server they use to send mail. Let's leave it alone, it's not important to us right now. The (alpha.someone.com [194.90.1.13]) part shows you the hostname(10) and the IP address (9) of the server the Email was sent from. Ooh, ooh, wait! Wasn't the mail supposed to be sent from microsoft.com? I mean, the sender is bgates@microsoft.com! If we did the mail forging thing on microsoft.com instead of on someone.com this wouldn't have happened, now would it? It would have seemed like an ordinary Email... from Bill Gates... well, at least so far. Anyway, the rest is just the MID (which we will get to later) and the date of the message (the sending date) according to the server which the message was sent from. The +0000 (GMT) part means that it was sent from the Greenwich time zone. If it was sent, for example, from the +0200 time zone it would have meant that this time zone's time is actually Greenwich time plus 2 hours. Find our your time zone first so you'll be able to switch time zones and find out when was the message sent in your time. Now, on to more important things. From: bgates@microsoft.com Well, I guess this line is obvious... let's move on. Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225]) by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313 for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT) Okay, now this is really interesting. Now we get the sender's hostname and IP address. Note about the hostname: a dial-up(31) user will have a long and twisted hostname. For example: my hostname right now (at least when I was writing these lines) is RAS4-p97.hfa.netvision.net.il. Netvision.net.il is my ISP, and the rest is mostly crap (pay close attention to the hfa thing. Hfa stands for Haifa, which is my home town. It means that I'm connected through Netvision's Haifa server. See? Hostnames can be interesting). You must have noticed by now that the hostname we got is certainly not from microsoft.com, and that the mail server who sent this isn't exactly microsoft.com or a microsoft sub-domain(26) either, which clearly shows that this Email is completely fake. Another note about the hostname: sometimes you might not get a hostname, but you will always get an IP address. You can find the IP's hostname (most IP addresses do have a hostname) by doing 'nslookup ip-address' without the quotes on a Unix system or going to http://www.samspade.org and using their DNS(17) Lookup Tool. If you still can't get it, try doing a whois. To overcome this problem, you need to do two things: 1) Send this mail from Microsoft's Sendmail server. 2) Send this mail from an account that is connected to the web through Microsoft. If you can't get one, it will clearly show in the headers that the mail wasn't sent from Microsoft. Note: nice trick to pull on someone: if your ISP is blah.com, you can send your friends an Email from admin@blah.com which will look 100% authentic! Anyway, the next few characters give us the MID (Message ID), as well as other pieces of info. I promised we'll get to the MID, didn't I? If you think someone is trying to trick you into thinking he's somebody else, send an Email to abuse@your.ISP.com or abuse@the.ISP.where.the.message.came.from.com (in this case Microsoft.com) or abuse@the.server.who.stores.the.MID.com. To know which server stores the MID, we'll need to skip a few lines (two lines actually - time and date) and get straight to this: Message-ID: <199907092355. CAA15313@alpha.someone.com> Aha! Look at these interesting numbers! And check this out: CAA15313@alpha.someone.com! This means all the info regarding the MID is stored at alpha.someone.com! Let's send an Email to abuse@alpha.someone.com and tell them that we think we received a fake mail, and include the entire header. Next thing we'll do the same with the ISP of the sender (in our case, the sender is some.hostname.crap.com [62.0.146.225], meaning his ISP is probably crap.com). Now, on to the next line: X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol Damn! I knew we forgot something! Now let's do it all over again, but this time we'll type HELO microsoft.com at the beginning. HELO microsoft.com We get this: 250 mailgw1.netvision.net.il Hello some.hostname.crap.com [62.0.146.225], pleased to meet you The rest is exactly like in the last time (sender, rcpt to, etc' etc'). Now let's see what victim@victim.com would have gotten. Aha! No X-Authen